Solved

New Domain vs Domain collapse

Posted on 2013-05-31
Last Modified: 2013-06-03
Hi Experts,
I have been given a task to get information on domain migration.
We have Windows 2003 DCs with 1 parent xxx.com and 10 child domains yyy.xxx.com. We have about 1600 users in parent and child domains. At least 80 Security and Distribution groups in each domain.
We are planning to get rid of child domains and keep only 1 parent domain as xxx.com

I need your suggestion whether we should collapse the existing child domains and use xxx.com as new domain environment or create a new domain environment using a new name like zzz.com & create 1600 users, but I am sure we don't have to create a lot of groups.

I spoke with a consultant and they are advising to create a new domain environment zzz.com.
The reason they are giving is that the new domain will not have the attributes from Windows 2003, which they believe could affect the performance of the new domain environment.
Question by:maliks121
8 Comments
 
LVL 20

Expert Comment

by:Lazarus
You fail to state if you are staying with 2003 as the domain architecture or upgrading to 2008 or 2012? If that's relevant, it should be mentioned. But they are correct that collapsing the subdomain might not pick up the proper attributes for those coming into the original domain. Better to start a new domain as they suggest. Also makes for a cleaner overall start.
 

Author Comment

by:maliks121
We are planning to upgrade DCs to 2008, 2012 & Exchange 2013. Can you shed some light on how CLEANER OVERALL START will help? It's going to be more work, I believe, if we would have to create a new domain environment.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 50 total points
If you are creating a new domain then the work will be large, starting from creating objects, rejoining machines to the domain, profile migration, etc. and many more.

However, you can create a new domain and do a migration, i.e. you can have the same user object and there will be no manual profile migration required.

If you want to migrate users from one domain to a new domain using the ADMT tool you need to create a trust relationship between the two domains.

You need to understand the nuances of ADMT and its working before you actually take on migration in a production env. Also, it's much better if you can simulate in a lab environment for a successful result. I have the links below which might help you to understand this. Start by reading the ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

MIGRATING STUFF WITH ADMTV3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

ADMT Series
http://blog.thesysadmins.co.uk/category/admt

ADMT doesn’t have an Exchange/mailbox migration option.  If you are not planning to use a third party migration tool like Quest or NetIQ, your only option is to export the mailbox (exmerge) and import them.  But you will have some mail routing challenges here – like non-migrated users sending emails to migrated users and vice versa.

If you have a lot of mailboxes to migrate my recommendation is to consider a third party migration tool or a custom solution for mail routing (you can use a dummy SMTP address in the targetAddress attribute and a SMTP connector during the migration/co-existence to achieve this).
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
Reason they are giving is, new domain will not have the attributes from windows 2003, that they believe could affect the performance of the new domain environment.

I'm not sure what attributes from Windows 2003 will be left lying around after you change the functional level of your domain.

Have a look at the "features that are available at each domain functional level"
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

I would suggest upgrading your current root domain to Windows 2008/2012 DCs and then migrating the child domains using ADMT. In my opinion this solution requires the least re-design.
 
LVL 20

Accepted Solution

by:
Lazarus earned 100 total points
I'm not really into upgrades and I still side with going new. Upgrading brings all the old stuff... Junk and All... and depending on how old your domain is, there may well be a lot of crud in the AD.

Obviously a new Domain would be more work, and take longer, but you would have the option at that point to get things designed correctly for the new architecture beforehand and have it ready to go.

I'm sure I'm not winning any points here, because I'm opting for a lot more work. Sometimes more work is better than a long drawn out headache.
 

Author Closing Comment

by:maliks121
Thanks for your expert opinions. I am not going with upgrade in place, I am going with new domain environment. Creating new users, groups & joining servers with domain. I know it's A LOOOT more work as compared to collapsing the child domains but I am concerned about the possibility of moving attributes and objects to new domain.

What dvt_localboy has advised is right as well, but it's not workable in my environment where my company has bought several small companies with different AD architecture.

Again, thanks guys
 
LVL 26

Expert Comment

by:Leon Fester
in my environment where my company has bought several small companies with different AD architecture.


If that is the current environment then you don't have child domains. In which case the new domain would be the preferred route. Just make sure you've set aside enough time for testing of all the AD-integrated applications.

Tip: Easiest way to get users onto the new domain is to build the new domain with AD and Exchange, set up the trusts and use the linked mailbox feature to migrate the email services first. It also shows your company some quick wins... even if the rest of the project gets delayed, at least all your users will be able to use the same email domains, if required.

I had a similar project for a large financial organization with 24 domains and 25000 users, 3 major sites in different cities.

Planning took the best part of a year, so don't rush it. Implementation took another 2 years, because of the lack of documentation from some of the sites and only discovering some AD integrated applications along the way.

I'd suggest investing some time/money into the Quest tools. Very handy little tool for migrations.
 
LVL 20

Expert Comment

by:Lazarus
@maliks12, what dvt_localboy is saying is good advice. Take your time, get it right and think seriously about getting the Quest tools, they are worth it. I don't think it would take you nearly as long as his past project, but a lot depends on how complex an environment you have.