New Active Directory Domain or Upgrade existing?

Posted on 2013-06-03
Last Modified: 2013-06-19
Presently we have a 2003 Active Directory domain in native mode. We have a project on tap and need to go from 2003 to 2012.

We have 11 sites, 2 forests (1 forest is a parent domain with 6 child domains and the other is 1 domain).

We have a lot of group policies, file servers with various permissions and groups. 30 or so DC's etc.

The admins and myself are really nervous about this.

1) Some say keep the same domain xyz.loc, collapse all the child domains (xxx.xyz.loc) into it, and migrate the other forest that has 1 domain into xyz.loc. Upgrade all DCs and be done.

2) Some say create an entirely new domain from scratch, create new users, recreate groups, permissions, group policies etc., new DCs etc.

3) We're also upgrading our Exchange server from 2003 to 2007 or 2013

We have over 2000 users, and it's a complicated setup. Our users can't be inconvenienced much. We run a 24-7 shop and it's healthcare. I need to go to 2012 but I can't have this drag out months and months.

Advice and direction needed.
Question by:bernardb

7 Comments
LVL 4

Expert Comment

by:Rsilva98
ID: 39216933
Sounds like a great challenge.

You can't do in-place upgrades of your Win 2k3 domain controllers, however you can introduce 2012 DCs into the environment and then remove the existing DCs when you're ready.

Check this article.

I would go with option 1 that you mentioned. Creating everything again is insane, and the downtime is also much higher than just migrating everything.

Do you have this setup on a virtual environment or a normal environment with physical servers?
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 39216956
You have a difficult situation, clearly, and I would question your sanity if you made your decision based solely on advice offered here for that large of an organization.

I would suggest contacting a company that performs migrations on a regular basis so that you have expert hands and minds working with you.

That said, based on the very limited understanding and interpretation of your configuration, I would probably say to start over, especially if you're using ".loc" as a domain name.  SSL certificates will no longer be issued to non-valid domains in the near future and this can complicate your security configurations.  Further, having multiple child domains is not recommended - in the NT4 days, it was almost required for an organization like yours, but today, and indeed, the migration docs for NT4 to 2000 wanted you to collapse your existing domain structure as much as possible BEFORE moving to AD.  So, looking at what you've listed, I would break out Microsoft Project and start planning a new domain structure.  I don't know how large your team is, but I would probably favor a plan something like this:

1. Build a new domain in the form of "ad.businessdomain.com" - use a domain name that, IF DNS is configured (in)appropriately, you can reach from the internet.  KEEP IT FLAT.  ONE DOMAIN.  No child domains.  Create OUs to segregate departments and/or locations and potentially provide unique administrative access to those OUs while keeping domain admins FEW.

2. Create a trust between your existing domain and the new domain so that your users can access files as they are migrated to the new domain.

3. Go Site by Site, Department by Department and migrate users to the new setup.  With 2000 users, even if you did 10 per day, it would still take you ONE YEAR to migrate everyone... And to start, I wouldn't do more than 10 per day... maybe after a month or two, when you've generally worked out the bugs in the migration process, then you can expand that to 20-50 per day... but even then, be wary of users in site A who do things one way and users who may have the same basic job in site B that do things a different way - just because you work out the bugs in site A migration doesn't mean there won't be potentially HUGE bugs in the site B migration.

Some things may transfer over easily, others may be domain dependent and may require re-installation/migration.  It's very important to inventory (by product) everything your sites use and contact the vendors to understand what requirements they may have.

I worked with a team 13 years ago migrating users from NT4 domains to a new AD domain in a 1000 person network... I think it took us 6 months and we went department by department in each building.

Fast, Cheap, Easy - pick two - you're not going to get all three.
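Step 1 of the plan above (one flat domain, OUs per site and department, delegated administration so that Domain Admins stays small) can be scripted. The following is an added example, not code from this thread or from any Experts Exchange member: it assumes the RSAT ActiveDirectory PowerShell module, a Domain Admin session in the new domain (the "ad.businessdomain.com" name from the comment is only a placeholder), and dsacls.exe from the AD DS tools. The site and department names, the "Helpdesk-<site>" group naming scheme, and the set of delegated rights are constructed for illustration.

```powershell
# Added example (not from the thread): flat domain, per-site/department OUs, and
# per-OU delegation of routine account tasks so that Domain Admins stays small.
# Assumes: RSAT ActiveDirectory module, Domain Admin session in the NEW domain,
# dsacls.exe available. Names below are constructed sample data.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName        # e.g. DC=ad,DC=businessdomain,DC=com
$NetBios  = $Domain.NetBIOSName
$Sites    = @('SiteA', 'SiteB')               # constructed sample data
$Depts    = @('Radiology', 'Billing')         # constructed sample data

function Add-OuIfMissing {
    # Create an OU only if it does not already exist under $Parent; protect it from
    # accidental deletion. Returns the OU's distinguished name either way.
    param([string]$Name, [string]$Parent)
    $ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Parent -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Parent `
              -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

function Grant-OuHelpdeskRights {
    # Delegate "reset password", "unlock account" (write lockoutTime) and "force change
    # at next logon" (write pwdLastSet) on USER objects under one OU to one group.
    # /I:S inherits to child objects only, so the group gets nothing outside this OU.
    param([string]$OuDn, [string]$Group)
    $trustee = "$NetBios\$Group"
    & dsacls.exe $OuDn /I:S /G "${trustee}:CA;Reset Password;user" | Out-Null
    & dsacls.exe $OuDn /I:S /G "${trustee}:RPWP;lockoutTime;user"  | Out-Null
    & dsacls.exe $OuDn /I:S /G "${trustee}:RPWP;pwdLastSet;user"   | Out-Null
}

foreach ($site in $Sites) {
    $siteDn = Add-OuIfMissing -Name $site -Parent $DomainDN
    foreach ($dept in $Depts) {
        Add-OuIfMissing -Name $dept -Parent $siteDn | Out-Null
    }
    # One delegated helpdesk group per site; it is never made a Domain Admin.
    $grp = "Helpdesk-$site"
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$grp)")) {
        New-ADGroup -Name $grp -SamAccountName $grp -GroupScope DomainLocal `
                    -GroupCategory Security -Path $siteDn
    }
    Grant-OuHelpdeskRights -OuDn $siteDn -Group $grp
}

# The check behind "keep domain admins FEW": who actually holds the role today.
$das = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
"Domain Admins currently has $($das.Count) member(s):"
$das | Select-Object -ExpandProperty SamAccountName
```

Run it once per planned site list; both helpers are idempotent, so re-running after adding a site only creates what is missing. Review the resulting OU ACLs with `dsacls <OU DN>` before migrating users into them, since delegated rights are what replaces the habit of handing out Domain Admins.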

Author Comment

by:bernardb
ID: 39217017
Ok, 2 opposing views on the 1st 2 comments

@leew I just came up with xyz.loc; it's actually xyz.org presently.

We talked to an outside company that does domain migrations and they were leaning toward an entirely new AD domain, with no trust between the old and proposed newly created domain and creating users and everything else from scratch. I'm horrified at this idea, the work it would involve and the disruption to the user community. Why a new domain, why not collapse the child domains after upgrading to 2012 or before upgrading to 2012?

@rsilva98...yes, we would rebuild our present DCs one at a time to the new OS, and the DCs that couldn't handle it we would replace with new DCs. Right now, these are physical DCs we have in place.

Thanks
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39217242
Domain rename is not an option in an AD that has Exchange, but if your network already has a proper domain name (.org), then I would definitely start flattening the domain instead of building from scratch.

Run a DCDIAG /C /E /V (go home and check the results in the morning) from each DC to verify AD health, then you can start migrating to AD in 2012. Of course, I'd pull off a couple of the existing VMs (you ARE virtualizing, right?) and set up a test network to verify things work as expected... but rebuilding from scratch if you have a perfectly valid domain name... that doesn't make sense. I only suggested it based on my interpretation of what you wrote to start and knowing the AD/Exchange/SSL issues you might face.
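The DCDIAG sweep recommended above is easier to review across 30-odd DCs when each DC gets its own log and the "failed test" lines are pulled out for you, together with the functional levels and schema version that decide whether a 2012 DC can be introduced at all. The following is an added example, not code from this thread or from any of its participants. It assumes the RSAT ActiveDirectory module and a Domain Admin session; note that this module talks to Active Directory Web Services, which a 2003 DC only offers with the Active Directory Management Gateway Service installed, so in a pure 2003 domain run it from a machine pointed at such a DC (or from the first 2012 DC once it is in). It runs dcdiag per DC with /s instead of the single /E run in the comment so that one DC's output does not bury another's; the output folder path is a placeholder.

```powershell
# Added example (not from the thread): pre-migration AD health sweep.
# Assumes: RSAT ActiveDirectory module, Domain Admin session, dcdiag.exe and
# repadmin.exe on the path. C:\ADHealth is a placeholder output folder.
Import-Module ActiveDirectory

$OutDir = 'C:\ADHealth'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-MigrationReadiness {
    # Functional levels and schema version. A 2012 DC needs at least the Windows Server
    # 2003 forest functional level; adprep /forestprep raises the schema objectVersion
    # (30 = Windows Server 2003, 56 = Windows Server 2012). Also lists the FSMO owners,
    # which must all be healthy and reachable before any are moved or demoted.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    [pscustomobject]@{
        ForestMode    = $forest.ForestMode
        DomainMode    = $domain.DomainMode
        SchemaVersion = $schema.objectVersion
        FsmoOwners    = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                          $domain.PDCEmulator, $domain.RIDMaster,
                          $domain.InfrastructureMaster) -join ', '
    }
}

function Invoke-DcHealthSweep {
    # One comprehensive, verbose dcdiag per DC (/c /v), logged separately, then a
    # forest-wide replication summary. Only the "failed test" lines are surfaced;
    # the full log stays on disk for the morning read-through.
    $dcs = Get-ADDomainController -Filter * | Sort-Object HostName
    foreach ($dc in $dcs) {
        $log = Join-Path $OutDir "dcdiag-$($dc.HostName).txt"
        & dcdiag.exe "/s:$($dc.HostName)" /c /v | Out-File -FilePath $log -Encoding utf8
        $failures = @(Select-String -Path $log -Pattern 'failed test' |
                      ForEach-Object { $_.Line.Trim() })
        [pscustomobject]@{
            DC       = $dc.HostName
            Site     = $dc.Site
            OS       = $dc.OperatingSystem
            Failures = $failures.Count
            Detail   = ($failures -join '; ')
            Log      = $log
        }
    }
    # Replication health across every naming context; one run covers the forest.
    & repadmin.exe /replsummary | Out-File -FilePath (Join-Path $OutDir 'replsummary.txt') -Encoding utf8
}

Get-MigrationReadiness | Format-List
Invoke-DcHealthSweep    | Format-Table -AutoSize
```

Any DC with a non-zero Failures count, or any non-zero failure column in replsummary.txt, is something to fix before the first 2012 DC is promoted; the per-DC logs also give you a baseline to diff against after each DC is replaced.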
LVL 26

Expert Comment

by:Leon Fester
ID: 39217509
My 5c = upgrade and collapse the child domains.
Most of the reasons have been listed by leew.
See similar discussion
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28144538.html#a39215923
... in a slightly different scenario, but maybe it helps your thought process and helps with questions you should be asking yourself.
LVL 4

Expert Comment

by:Rsilva98
ID: 39217641
It's not doable creating everything from scratch. Are you considering going virtual? You could decrease the amount of time by virtualizing your infrastructure. Also you would have an environment on the fly, which means you can test things before migrating the production environment and roll back if something goes wrong.

Author Closing Comment

by:bernardb
ID: 39259673
I'm contacting companies that do this for a living! Thanks....

I want to collapse our domains into one...upgrade and replace DCs as needed to support the upgraded OS / AD....