Solved

New Domain vs Domain collapse

Posted on 2013-05-31
8
1,080 Views
Last Modified: 2013-06-03
Hi Experts,
I have given a task to get information on domain migration,
We have windows 2003 DCs with 1 parent xxx.com and 10 child domains yyy.xxx.com. We have about 1600 users in parent and child domains. At least 80 Security and Distribution groups in each domain.
We are planning to get rid of child domains and keep only 1 parent domain as xxx.com

I need your suggestion weather we should collapse the existing child domains and use xxx.com as new domain environment or create a new domain environment using a new name like zzz.com & create 1600 users but I am sure we don't have to create a lot of groups

I spoke with consultant and they are advising to create  new domain environment zzz.com.
Reason they are giving is, new domain will not have the attributes from windows 2003, that they believe could affect the performance of the new domain environment.
0
Comment
Question by:maliks121
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 20

Expert Comment

by:Lazarus
ID: 39212020
You fail to state if you are staying with 2003 as the domain architecture or upgrading to 2008 or 2012? If that's relevant, it should be mentioned. But they are correct that collapsing the subdomain might not pickup the proper attributes for those coming into the original domain. Better to start a new domain as they suggest. Also makes for a cleaner overall  start.
0
 

Author Comment

by:maliks121
ID: 39213024
We are planning to upgrade DCs to 2008, 2012 & Exchange 2013. Can you shed some light on how CLEANER OVERALL START will help? It's going to be more work i believe if we would have to create a new domain environment.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 50 total points
ID: 39215862
If you are creating new domain then the work will be large starting from creating object,rejoining machine to domain,profile migration,etc and many more.

However you can create new domain and do migration i.e you can have same user object and there will be no manual profile migration required.

If you want to migrate user from one domain to new domain using ADMT tool you need to create trust relationship between two domain.

You need to understand nuances of ADMT and its working before you actually taken on migration production env.Also, its much better if you can simulate in a lab environment for successful result. I have below link which might help you to understand this. Start from reading ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

MIGRATING STUFF WITH ADMTV3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

ADMT Series
http://blog.thesysadmins.co.uk/category/admt

ADMT doesn’t have an Exchange/mailbox migration option.  If you are not planning to use a third party migration tool like Quest or NetIQ, your only option is to export the mailbox (exmerge) and import them.  But you will have some mail routing challenges here – like non-migrated users sending emails to migrated users and vice versa.

If you have a lot of mailboxes to migrate my recommendation is to consider a third party migration tool or a custom solution for mail routing (you can use a dummy SMTP address in the targetAddress attribute and a SMTP connector during the migration/co-existence to achieve this).
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
ID: 39215923
Reason they are giving is, new domain will not have the attributes from windows 2003, that they believe could affect the performance of the new domain environment.

I'm not sure what attributes from Windows 2003 will be left lying around after you change the functional level of your domain.

Have a look at the "features that are available at each domain functional level"
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

I would suggest upgrading your current root domain to Windows 2008/2012 DC's and then migrating the child domains using ADMT. In my opinion this solution requires the least re-design in my opinion.
0
 
LVL 20

Accepted Solution

by:
Lazarus earned 100 total points
ID: 39216551
I'm not really into upgrades and I still side with going new. Upgrading brings all the old stuff... Junk and All... and depending on how old your domain is, there may well be a lot of crude. in the AD.

Obviously a new Domain would be more work, and take longer but you would have the option at that point to get things designed correctly for the new architecture before hand and have it ready to go.

I'm sure I'm not winning any points here, because I'm opting for a lot more work. Sometimes more work is better than a long drawn out headache.
0
 

Author Closing Comment

by:maliks121
ID: 39217436
Thanks for your expert opinions. I am not going with upgrade in place, I am going with new domain environment. Creating new users, groups & joining servers with domain. I know it's A LOOOT more work as compared to collapsing the child domains but I am concerned about the possibility of moving attributes and objects to new domain.

what dvt_localboy has advised is right as well but it's not workable in my environment where my company has bought several small companies with different AD architecture.

Again Thanks guys
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39217464
in my environment where my company has bought several small companies with different AD architecture.


if that is the current environment then you don't have child domains. In which case the new domain would be the preferred route. Just make sure you've set aside enough time for testing of all the AD-integrated applications.

Tip: Easiest way to get users onto the new domain is to build the new domain with AD and Exchange, setup the trusts and use the linked mailbox feature to migrate the email services first. It also shows your company some quick wins...even if the rest of the project gets delayed, at least all your users will be able to use the same email domains, if required.

I had a similar project for a large financial organization with 24 domains and 25000 users, 3 major sites in different cities.

Planning took the best part of a year, so don't rush it. Implementation took another 2 years, because of the lack of documentation from some of the sites and only discovering some AD integrated applications along the way.

I'd suggest investing some time/money into the Quest tools. Very handy little tool for migrations.
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 39217567
@maliks12, what dvt_localboy is saying is good advice. Take your time, get it right and  think seriously about getting the Quest tools, they are worth it.. I don't think it would take you nearly as long as his past project, but a lot depends on how complex an environment you have.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question