New Domain vs Domain collapse

Posted on 2013-05-31
Last Modified: 2013-06-03
Hi Experts,
I have given a task to get information on domain migration,
We have windows 2003 DCs with 1 parent and 10 child domains We have about 1600 users in parent and child domains. At least 80 Security and Distribution groups in each domain.
We are planning to get rid of child domains and keep only 1 parent domain as

I need your suggestion weather we should collapse the existing child domains and use as new domain environment or create a new domain environment using a new name like & create 1600 users but I am sure we don't have to create a lot of groups

I spoke with consultant and they are advising to create  new domain environment
Reason they are giving is, new domain will not have the attributes from windows 2003, that they believe could affect the performance of the new domain environment.
Question by:maliks121
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
LVL 20

Expert Comment

ID: 39212020
You fail to state if you are staying with 2003 as the domain architecture or upgrading to 2008 or 2012? If that's relevant, it should be mentioned. But they are correct that collapsing the subdomain might not pickup the proper attributes for those coming into the original domain. Better to start a new domain as they suggest. Also makes for a cleaner overall  start.

Author Comment

ID: 39213024
We are planning to upgrade DCs to 2008, 2012 & Exchange 2013. Can you shed some light on how CLEANER OVERALL START will help? It's going to be more work i believe if we would have to create a new domain environment.
LVL 24

Assisted Solution

Sandeshdubey earned 50 total points
ID: 39215862
If you are creating new domain then the work will be large starting from creating object,rejoining machine to domain,profile migration,etc and many more.

However you can create new domain and do migration i.e you can have same user object and there will be no manual profile migration required.

If you want to migrate user from one domain to new domain using ADMT tool you need to create trust relationship between two domain.

You need to understand nuances of ADMT and its working before you actually taken on migration production env.Also, its much better if you can simulate in a lab environment for successful result. I have below link which might help you to understand this. Start from reading ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains


ADMT Series

ADMT doesn’t have an Exchange/mailbox migration option.  If you are not planning to use a third party migration tool like Quest or NetIQ, your only option is to export the mailbox (exmerge) and import them.  But you will have some mail routing challenges here – like non-migrated users sending emails to migrated users and vice versa.

If you have a lot of mailboxes to migrate my recommendation is to consider a third party migration tool or a custom solution for mail routing (you can use a dummy SMTP address in the targetAddress attribute and a SMTP connector during the migration/co-existence to achieve this).
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
ID: 39215923
Reason they are giving is, new domain will not have the attributes from windows 2003, that they believe could affect the performance of the new domain environment.

I'm not sure what attributes from Windows 2003 will be left lying around after you change the functional level of your domain.

Have a look at the "features that are available at each domain functional level"

I would suggest upgrading your current root domain to Windows 2008/2012 DC's and then migrating the child domains using ADMT. In my opinion this solution requires the least re-design in my opinion.
LVL 20

Accepted Solution

Lazarus earned 100 total points
ID: 39216551
I'm not really into upgrades and I still side with going new. Upgrading brings all the old stuff... Junk and All... and depending on how old your domain is, there may well be a lot of crude. in the AD.

Obviously a new Domain would be more work, and take longer but you would have the option at that point to get things designed correctly for the new architecture before hand and have it ready to go.

I'm sure I'm not winning any points here, because I'm opting for a lot more work. Sometimes more work is better than a long drawn out headache.

Author Closing Comment

ID: 39217436
Thanks for your expert opinions. I am not going with upgrade in place, I am going with new domain environment. Creating new users, groups & joining servers with domain. I know it's A LOOOT more work as compared to collapsing the child domains but I am concerned about the possibility of moving attributes and objects to new domain.

what dvt_localboy has advised is right as well but it's not workable in my environment where my company has bought several small companies with different AD architecture.

Again Thanks guys
LVL 26

Expert Comment

by:Leon Fester
ID: 39217464
in my environment where my company has bought several small companies with different AD architecture.

if that is the current environment then you don't have child domains. In which case the new domain would be the preferred route. Just make sure you've set aside enough time for testing of all the AD-integrated applications.

Tip: Easiest way to get users onto the new domain is to build the new domain with AD and Exchange, setup the trusts and use the linked mailbox feature to migrate the email services first. It also shows your company some quick wins...even if the rest of the project gets delayed, at least all your users will be able to use the same email domains, if required.

I had a similar project for a large financial organization with 24 domains and 25000 users, 3 major sites in different cities.

Planning took the best part of a year, so don't rush it. Implementation took another 2 years, because of the lack of documentation from some of the sites and only discovering some AD integrated applications along the way.

I'd suggest investing some time/money into the Quest tools. Very handy little tool for migrations.
LVL 20

Expert Comment

ID: 39217567
@maliks12, what dvt_localboy is saying is good advice. Take your time, get it right and  think seriously about getting the Quest tools, they are worth it.. I don't think it would take you nearly as long as his past project, but a lot depends on how complex an environment you have.

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question