Joining two separate domains into one AD Sites and Services?

Posted on 2013-05-14
Medium Priority
Last Modified: 2013-06-24
I have been really struggling with what to do.  I don't know if this is the appropriate place to ask the question but I don't have much in the way of options.

I have two locations that currently operate independently.  We can call them domainone.com (main office) and domaintwo.com (remote manufacturing).  They both are on separate /24 networks.

Each has its own domain controller, terminal server, exchange server, and ERP.  All running Server 2008 R2.

We are currently connected to one another through two Talari boxes (think VPN tunnel using multiple ISPs with a sprinkle of WAN op).  So we can access resources on both ends through this tunnel but cannot resolve names.

The ERP application is being consolidated into one Database so must be served out of one location.  domaintwo.com will access this ERP application via published app in terminal services at domainone.com.

The goal is to provide the users in domaintwo.com with the best experience possible while also saving money and lowering support needs at domaintwo.com.  My initial plan had all data moving from domaintwo.com to domainone.com and having domaintwo.com use resources entirely through Terminal Services.  We do that now with another (smaller) site and that works well.  I worry about performance however, and various other issues that may crop up.

It was suggested to me that instead it would be best to set up a new domain controller at domaintwo.com and join that domain controller to domainone.com.  Use migration tools or manually re-create the AD accounts for users who were previously domaintwo.com.  Also, we would need to create PST files for all mailboxes to import into domainone.com for the newly created mailboxes.  We would then need to re-auth all clients to the new domainone.com controller on site.

I believe this would use AD sites and services, but what about addressing?  Will I need to change addressing on both sites?  As I said each runs its own /24 now.  If we pulled them both under one /24 address space 253 addresses would be a bit tight but doable.  Is it possible to run AD Sites and Services with each side having separate class and not really sub-netted?

Example being site A and B being  From what I understand that isn't sub-netting as each is its own class C with a 24 bit mask.  To subnet properly I would need a /23 or /22 correct??

I have been struggling with what to do and second guessing myself too long.  Any advice or thoughts on this would be welcome at this point.
Question by: -Darvin-
Accepted Solution

Cyclops3590 earned 2000 total points
ID: 39167720
here is what I would do in your case.  I do believe you're mostly in the right direction though.

1)  set up a new DC like you mentioned.  create all of the accounts, groups, etc in domainone like they are in domaintwo
2) migrate user by user over to new domain in a seamless manner (how to do that will be below)
3) Do not touch the subnetting the way it currently is structured.  It'll mess up networking.  Network subnetting and Windows domains are different.  You are right that information is in the Sites and Services.  By default in there you will see only a single site.  Create a second one for "site2".  then assign the subnets in the Site and Services tool according to how they are assigned on your networks.  what this does is help each site's hosts know which services to prefer (e.g. authenticate against local DC rather than across vpn link)

now you might be able to get a short term fix going but I unfortunately don't have a ton of experience with it and none with the scenario you're trying to do.  But first, are the two domains in the same forest already or in different forests?  If in different forests then you can create a cross-forest trust between them via AD domains and trusts.  If they are in the same forest already, you might be able to already reference those accounts, but only if the ERP ldap authentication integration allows for passage of the domain information as well.  Like I said, I don't know if that will work or not though.

as to seamlessly moving an account from one domain to another, it's actually very simple.  This makes it so the current user desktop is all there and IS exactly the way it is now for them; no copying, reconfiguring settings, etc.

1) Note what the current path is to their user profile path; at cli do "echo %userprofile%"
2) unjoin pc from current domain
3) join pc to new domain
4) have user log in to pc on new domain
5) note what the current path is to their user profile path; same cmd as step 1
6) log user out and login with a different "admin level" account
7) Change the permissions on the userprofile folder you recorded in step 1 so that the user you setup in the new domain has the permissions the old domain user had.  
NOTE:  make sure to check the box to have permissions applied to all subfolders and files as well so it may take a while to complete depending on the number of files the user has
8) open regedit
9) go to HKEY_USERS > ### > Volatile Environment  (looks like this is it in win7)
    you'll have to go thru the various "folders" with the SIDs to find which one is for your new domain user.  the userprofile key should match what you retrieved in step 5
10) after you've identified the correct SID in the HKEY_USERS hive, modify the necessary keys so that they reference the profile path you recorded in step 1.  all of them I could find were in the volatile environment folder so you shouldn't have to search around
11) logout and have user log back in
7) go into the registry
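The profile re-mapping steps 5 through 11 above, scripted as an added example that is not part of the accepted answer. It assumes two inputs: the old profile folder recorded in step 1 and the new domainone.com account name (the sample `DOMAINONE\jdoe` is hypothetical). It resolves the new account's SID (which is what the `HKEY_USERS > ###` folder in step 9 is named after), applies the inherited permissions from step 7 with `icacls`, and then writes the profile path. One point the script adds beyond the answer: the persistent path Windows reads at logon is `ProfileImagePath` under `ProfileList`; the `Volatile Environment` values the answer points at are recreated from it each time the user logs on, so the script sets both where present. Run it elevated, after the user has logged on to the new domain once (step 4) and logged off again.

```powershell
# Added example, not code from the original thread. Assumed inputs:
#   -OldProfilePath  the folder recorded in step 1, e.g. C:\Users\jdoe
#   -NewAccount      the new domain account, e.g. DOMAINONE\jdoe (hypothetical)
param(
    [Parameter(Mandatory)] [string] $OldProfilePath,
    [Parameter(Mandatory)] [string] $NewAccount
)

if (-not (Test-Path -LiteralPath $OldProfilePath)) {
    throw "Old profile folder '$OldProfilePath' not found"
}

# Step 9 equivalent: resolve the new account to its SID so we know which
# HKEY_USERS / ProfileList subkey belongs to it (needs the new domain reachable).
$sid = (New-Object System.Security.Principal.NTAccount($NewAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "New account $NewAccount has SID $sid"

# Step 7: grant the new account full control on the old profile folder,
# inherited by all subfolders and files ((OI)(CI)), continuing past any
# files that cannot be touched (/C) so one locked file does not abort the run.
& icacls $OldProfilePath /grant "${NewAccount}:(OI)(CI)F" /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls reported errors on $OldProfilePath" }

# Step 10: point the new user's profile at the old folder. ProfileList is the
# persistent mapping Windows consults at logon.
$profileList = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path $profileList)) {
    throw "No ProfileList entry for $sid; the user must log on to the new domain once first (step 4)"
}
$before = (Get-ItemProperty -Path $profileList).ProfileImagePath
Write-Host "ProfileImagePath was '$before' (this is what step 5 showed as %userprofile%)"
Set-ItemProperty -Path $profileList -Name ProfileImagePath -Value $OldProfilePath

# The answer's Volatile Environment values only exist while that user's hive
# is loaded; update them too if the user happens to still be logged on.
$volatile = "Registry::HKEY_USERS\$sid\Volatile Environment"
if (Test-Path $volatile) {
    Set-ItemProperty -Path $volatile -Name USERPROFILE -Value $OldProfilePath
    Write-Host "Updated live Volatile Environment\USERPROFILE as well"
}

Write-Host "Done. Log the user off and back on (step 11); %userprofile% should now be $OldProfilePath"
```

The unused folder Windows created for the new account at first logon (typically the same name with a `.DOMAINONE` suffix) is left in place so nothing is lost if the mapping has to be reverted; delete it only after the user confirms their desktop is back.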

Author Comment

ID: 39172428
The domains are in separate forests.  This is a company we purchased earlier this year so we were completely separate until recently.

I haven't been able to get this working in a test environment yet.  I installed a new server at the remote site, but it cannot log into the domain at primary site to become a member server.  It can't find a srv record for domainone.com.  I am wondering if this may be due to addressing.  I mentioned this in my original question but it is unclear to me.  Currently Domainone.com has an address where Domaintwo.com is

This is the way our current WAN connection works through those address spaces.  So, it may be that I can not test until we are in the same address space. and for example.  Is that right??  In order to be a valid subnet wouldn't the mask need to be /23??  Isn't and a valid mask for that subnet??
Expert Comment

ID: 39174434
No, addressing has absolutely nothing to do with it.  For that site2 domain1 DC to connect, you need to ensure that it uses a DC-DNS from domain1.  This might require a site-to-site vpn being built between your two sites if one doesn't already exist.  Make sure that the server you're setting up can use the domain1 dns servers by issuing a command like

nslookup www.google.com 192.168.1.x

where x is the ip specific to the dns host.  if that doesn't work you can't connect the new server to the domain.  that must be rectified first.  But trust me, do NOT put both sites into the exact same subnet.  Then you for sure will not get things working.
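An added example, not part of the expert's reply, that turns the two points in this thread into a script you can run on the new server at the remote site: first the DNS preflight (the missing SRV record from the author's comment, checked against a domainone.com DNS server as the reply suggests), then, once the join works, the "site2" and subnet objects from step 3 of the accepted answer so that each /24 keeps its own site and nothing is merged into one subnet. All addresses are assumed: `192.168.1.10` stands in for a domainone.com DC running DNS, and `192.168.1.0/24` / `192.168.2.0/24` for the two existing /24s. The Sites and Services part needs the `ActiveDirectory` module with the replication cmdlets, which ship with Server 2012 / RSAT 2012 or later; the DNS part uses only `nslookup` and WMI so it also runs on 2008 R2.

```powershell
# Added example, not code from the original thread. Assumed values below;
# substitute your own DC address and subnets.
$domain    = "domainone.com"
$dnsServer = "192.168.1.10"   # assumed: a domainone.com DC that runs DNS

# --- Part 1: DNS preflight for the domain join -------------------------------
# A join locates DCs through the SRV record _ldap._tcp.dc._msdcs.<domain>.
# Query it explicitly against the domain1 DNS server, as the reply suggests.
$srvName = "_ldap._tcp.dc._msdcs.$domain"
$out = & nslookup "-type=SRV" $srvName $dnsServer 2>&1 | Out-String
$dcs = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
if (-not $dcs) {
    throw "No DC SRV record for $domain via ${dnsServer}. Fix DNS/VPN before joining.`n$out"
}
Write-Host "DCs advertised by ${dnsServer}: $($dcs -join ', ')"

# The server's own resolver must also point at a domain1 DNS server, otherwise
# the join will search the wrong DNS. WMI works on 2008 R2 as well.
$resolvers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
             ForEach-Object { $_.DNSServerSearchOrder }
if ($resolvers -notcontains $dnsServer) {
    Write-Warning "This server's DNS list ($($resolvers -join ', ')) does not include $dnsServer; set it before joining."
}

# --- Part 2: describe both locations in AD Sites and Services ----------------
# Run on (or with a connection to) a domainone.com DC after the join succeeds.
# Each site keeps its existing /24; only the AD subnet objects are created.
Import-Module ActiveDirectory
$sites = @{
    "Default-First-Site-Name" = "192.168.1.0/24"   # main office, assumed
    "site2"                   = "192.168.2.0/24"   # remote manufacturing, assumed
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
        Write-Host "Created site $site"
    }
    $subnet = $sites[$site]
    if (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'") {
        Set-ADReplicationSubnet -Identity $subnet -Site $site   # re-point if it existed
    } else {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
    Write-Host "Subnet $subnet -> site $site"
}

# A site created from PowerShell is not placed in a site link automatically;
# without one, replication over the VPN is never scheduled. Add site2 to the
# default link if it is not already a member.
$link = Get-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -Properties SitesIncluded
if (-not ($link.SitesIncluded | Where-Object { $_ -like "CN=site2,*" })) {
    Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{ Add = "site2" }
    Write-Host "Added site2 to DEFAULTIPSITELINK"
}

Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

After the subnets are in place, `nltest /dsgetsite` on a remote-site machine should report `site2`, which confirms that the clients there will authenticate against their local DC rather than across the tunnel, the behaviour step 3 of the accepted answer describes.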

Author Comment

ID: 39187282
Thank you, I did the local address conversion this last weekend and that went well.  This upcoming weekend I will be setting up the other site and will do as you suggested.  Once that is complete I'll revisit this thread.  Thanks for your help so far!
