
New Active Directory Domain or Upgrade existing?

Posted on 2013-06-03
Medium Priority
Last Modified: 2013-06-19
Presently we have a 2003 Active Directory domain in native mode. We have a project on tap that needs to go from 2003 to 2012.

We have 11 sites, 2 forests (1 forest is a parent domain with 6 child domains and the other is 1 domain).

We have a lot of group policies, file servers with various permissions and groups, 30 or so DCs, etc.

The admins and myself are really nervous about this.

1) Some say keep the same domain xyz.loc, collapse all the child domains into it, and migrate the other forest that has 1 domain into xyz.loc. Upgrade all DCs and be done.

2) Some say create an entirely new domain from scratch: create new users, recreate groups, permissions, group policies, etc., new DCs, etc.

3) We're also upgrading our Exchange server from 2003 to 2007 or 2013

We have over 2000 users, and it's a complicated setup. Our users can't be inconvenienced much. We run a 24-7 shop and it's healthcare. I need to go to 2012 but I can't have this drag out months and months.

Advice and direction needed.
Question by: bernardb
Expert Comment

ID: 39216933
Sounds like a great challenge.

You can't do in-place upgrades of your Win 2k3 domain controllers, however you can introduce 2012 DCs into the environment and then remove the existing DCs when you're ready.

Check this article.

I would go with option 1 that you mentioned. Creating everything again is insane, and also the downtime is much higher than just migrating everything.

Do you have this setup on a virtual environment or a normal environment with physical servers?
LVL 96

Accepted Solution

Lee W, MVP earned 2000 total points
ID: 39216956
You have a difficult situation, clearly, and I would question your sanity if you made your decision based solely on advice offered here for that large of an organization.

I would suggest contacting a company that performs migrations on a regular basis so that you have expert hands and minds working with you.

That said, based on the very limited understanding and interpretation of your configuration, I would probably say to start over, especially if you're using ".loc" as a domain name.  SSL certificates will no longer be issued to non-valid domains in the near future and this can complicate your security configurations.  Further, having multiple child domains is not recommended - in the NT4 days, it was almost required for an organization like yours, but today, and indeed, the migration docs for NT4 to 2000 wanted you to collapse your existing domain structure as much as possible BEFORE moving to AD.  So, looking at what you've listed, I would break out Microsoft Project and start planning a new domain structure.  I don't know how large your team is, but I would probably favor a plan something like this:

1. Build a new domain in the form of "" - use a domain name that, IF DNS is configured (in)appropriately, you can reach from the internet.  KEEP IT FLAT.  ONE DOMAIN.  No child domains.  Create OUs to segregate departments and/or locations and potentially provide unique administrative access to those OUs while keeping domain admins FEW.

2. Create a trust between your existing domain and the new domain so that your users can access files as they are migrated to the new domain.

3. Go Site by Site, Department by Department and migrate users to the new setup.  With 2000 users, even if you did 10 per day, it would still take you ONE YEAR to migrate everyone... And to start, I wouldn't do more than 10 per day... maybe after a month or two, when you've generally worked out the bugs in the migration process, then you can expand that to 20-50 per day... but even then, be wary of users in site A who do things one way and users who may have the same basic job in site B that do things a different way - just because you work out the bugs in site A migration doesn't mean there won't be potentially HUGE bugs in the site B migration.

Some things may transfer over easily, others may be domain dependent and may require re-installation/migration.  It's very important to inventory (by product) everything your sites use and contact the vendors to understand what requirements they may have.

I worked with a team 13 years ago migrating users from NT4 domains to a new AD domain in a 1000 person network... I think it took us 6 months and we went department by department in each building.

Fast, Cheap, Easy - pick two - you're not going to get all three.

Author Comment

ID: 39217017
Ok, 2 opposing views on the 1st 2 comments

@leew I just came up with xyz.loc. It's actually presently.

We talked to an outside company that does domain migrations and they were leaning toward an entirely new AD domain, with no trust between the old and proposed newly created domain, and creating users and everything else from scratch. I'm horrified at this idea, the work it would involve and the disruption to the user community. Why a new domain? Why not collapse the child domains after upgrading to 2012, or before upgrading to 2012?

@rsilva98... yes, we would rebuild our present DCs one at a time to the new OS, and for the DCs that couldn't handle it we would get new DCs. Right now, these are physical DCs we have in place.

LVL 96

Expert Comment

by:Lee W, MVP
ID: 39217242
Domain rename is not an option in an AD that has Exchange, but if your network already has a proper domain name (.org), then I would definitely start flattening the domain instead of building from scratch.

Run a DCDIAG /C /E /V (go home and check the results in the morning) from each DC to verify AD health, then you can start migrating to AD in 2012. Of course, I'd pull off a couple of the existing VMs (you ARE virtualizing, right?) and set up a test network to verify things work as expected... but rebuilding from scratch if you have a perfectly valid domain name... that doesn't make sense.  I only suggested it based on my interpretation of what you wrote to start and knowing the AD/Exchange/SSL issues you might face.
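The two pieces of planning advice in this thread, Lee W's "inventory everything before you collapse or migrate" and his "DCDIAG /C /E /V from each DC, then read the logs in the morning", can be turned into one repeatable pre-migration check. The script below is an added example written for this page; it is not code from Lee W, the asker, or Microsoft, and it assumes the RSAT ActiveDirectory PowerShell module is installed, that it runs under an account with read access to every domain in the forest, that dcdiag.exe is on the path, and that the log folder `C:\ADMigration\Logs` is a placeholder you would change. It walks the forest root and every child domain, lists functional levels, FSMO holders, DCs with OS version and site, counts enabled users per domain (to size the "10 per day" migration waves), and then runs dcdiag against each DC to a dated log file.

```powershell
# Added example (not from the thread): pre-migration forest inventory and health check.
# Assumes: RSAT ActiveDirectory module, domain-joined admin workstation with network
# reach to every DC, dcdiag.exe available. $LogRoot is a hypothetical output folder.
Import-Module ActiveDirectory

$LogRoot = 'C:\ADMigration\Logs'   # assumed path, change to suit
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

# 1. Forest-wide picture: functional level, forest FSMO roles, every domain, every site.
#    The domain list is what you are about to collapse; the site list drives the
#    "site by site" migration order.
$forest = Get-ADForest
"Forest: {0}  ForestMode: {1}" -f $forest.Name, $forest.ForestMode
"SchemaMaster: {0}  DomainNamingMaster: {1}" -f $forest.SchemaMaster, $forest.DomainNamingMaster
"Domains: " + ($forest.Domains -join ', ')
"Sites:   " + ($forest.Sites -join ', ')

# 2. Per-domain: functional level, domain FSMO holders, DCs with OS version and site.
#    Any DC still on Windows Server 2003 cannot be upgraded in place and must be
#    replaced by a new 2012 DC before the old one is demoted.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "--- {0}  DomainMode: {1}" -f $domain.DNSRoot, $domain.DomainMode
    "    PDC: {0}  RID: {1}  Infrastructure: {2}" -f $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster

    Get-ADDomainController -Filter * -Server $domainName |
        Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly |
        Sort-Object Site, HostName |
        Format-Table -AutoSize

    # 3. Enabled users per domain: at 10 migrations a day this is your calendar.
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -Server $domainName)
    "    Enabled users in {0}: {1}  (~{2} working days at 10/day)" -f $domain.DNSRoot, $users.Count, [math]::Ceiling($users.Count / 10)
}

# 4. dcdiag /c /v against every DC, one log per DC, as the thread recommends.
#    (/e from a single DC tests the whole enterprise in one run if you prefer that.)
$stamp = Get-Date -Format 'yyyyMMdd'
foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $host = [string]$dc.HostName
        $log  = Join-Path $LogRoot ("dcdiag_{0}_{1}.log" -f $host, $stamp)
        & dcdiag.exe /s:$host /c /v /f:$log

        # Surface failures now; the full verbose log stays for reading in the morning.
        $failures = Select-String -Path $log -Pattern 'failed test' -SimpleMatch
        if ($failures) {
            "!! {0}: {1} failed test(s), see {2}" -f $host, $failures.Count, $log
            $failures | ForEach-Object { "   " + $_.Line.Trim() }
        } else {
            "OK {0}: all dcdiag tests passed" -f $host
        }
    }
}
```

Run it once before touching any DC and keep the output with the project plan; rerun it after each DC replacement and after each child domain is collapsed, and diff the two runs. A DC that fails replication or advertising tests before the first 2012 DC is promoted is a problem to fix first, not one to carry into the new forest.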
LVL 26

Expert Comment

by:Leon Fester
ID: 39217509
My 5c = upgrade and collapse the child domains.
Most of the reasons have been listed by leew.
See similar discussion
... in a slightly different scenario, but maybe it helps your thought process and helps with questions you should be asking yourself.

Expert Comment

ID: 39217641
It's not doable creating everything from scratch. Are you considering going virtual? You could decrease the amount of time by virtualizing your infrastructure. Also you would have an environment on the fly, which means you can test things before migrating the production environment and roll back if something goes wrong.

Author Closing Comment

ID: 39259673
I'm contacting companies that do this for a living! Thanks....

I want to collapse our domains into one... upgrade and replace DCs as needed to support the upgraded OS / AD....
