  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 685

New Active Directory Domain or Upgrade existing?

Presently we have a 2003 Active Directory domain in native mode. We have a project on tap and need to go from 2003 to 2012.

We have 11 sites, 2 forests (1 forest is a parent domain with 6 child domains and the other is 1 domain).

We have a lot of group policies, file servers with various permissions and groups. 30 or so DC's etc.

The admins and myself are really nervous about this.

1) Some say keep the same domain xyz.loc, collapse all the child domains (xxx.xyz.loc) into it, and migrate the other forest that has 1 domain into xyz.loc. Upgrade all DC's and be done

2) Some say create an entirely new domain from scratch, create new users, recreate groups, permissions, group policies etc., new DC's etc.

3) We're also upgrading our Exchange server from 2003 to 2007 or 2013

We have over 2000 users, and it's a complicated setup. Our users can't be inconvenienced much. We run a 24-7 shop and it's healthcare. I need to go to 2012 but I can't have this drag out months and months.

Advice and direction needed.
1 Solution
Sounds like a great challenge.

You can't do in-place upgrades of your Win 2k3 domain controllers, however you can introduce 2012 DCs into the environment and then remove the existing DCs when you're ready.

Check this article.

I would go with option 1 that you mentioned. Creating everything again is insane, and also the downtime is much higher than just migrating everything.

Do you have this setup on a virtual environment or a normal environment with physical servers?
Lee W, MVP, Technology and Business Process Advisor, commented:
You have a difficult situation, clearly and I would question your sanity if you made your decision based solely on advice offered here for that large of an organization.

I would suggest contacting a company that performs migrations on a regular basis so that you have expert hands and minds working with you.

That said, based on the very limited understanding and interpretation of your configuration, I would probably say to start over, especially if you're using ".loc" as a domain name.  SSL certificates will no longer be issued to non-valid domains in the near future and this can complicate your security configurations.  Further, having multiple child domains is not recommended - in the NT4 days, it was almost required for an organization like yours, but today, and indeed, the migration docs for NT4 to 2000 wanted you to collapse your existing domain structure as much as possible BEFORE moving to AD.  So, looking at what you've listed, I would break out Microsoft Project and start planning a new domain structure.  I don't know how large your team is, but I would probably favor a plan something like this:

1. Build a new domain in the form of "ad.businessdomain.com" - use a domain name that, IF DNS is configured (in)appropriately, you can reach from the internet.  KEEP IT FLAT.  ONE DOMAIN.  No child domains.  Create OUs to segregate departments and/or locations and potentially provide unique administrative access to those OUs while keeping domain admins FEW.

2. Create a trust between your existing domain and the new domain so that your users can access files as they are migrated to the new domain.

3. Go Site by Site, Department by Department and migrate users to the new setup.  With 2000 users, even if you did 10 per day, it would still take you ONE YEAR to migrate everyone... And to start, I wouldn't do more than 10 per day... maybe after a month or two, when you've generally worked out the bugs in the migration process, then you can expand that to 20-50 per day... but even then, be wary of users in site A who do things one way and users who may have the same basic job in site B that do things a different way - just because you work out the bugs in site A migration doesn't mean there won't be potentially HUGE bugs in the site B migration.

Some things may transfer over easily, others may be domain dependent and may require re-installation/migration.  It's very important to inventory (by product) everything your sites use and contact the vendors to understand what requirements they may have.

I worked with a team 13 years ago migrating users from NT4 domains to a new AD domain in a 1000 person network... I think it took us 6 months and we went department by department in each building.

Fast, Cheap, Easy - pick two - you're not going to get all three.
bernardb (Author) commented:
Ok, 2 opposing views in the first 2 comments.

@leew I just came up with xyz.loc. It's actually xyz.org presently.

We talked to an outside company that does domain migrations and they were leaning toward an entirely new AD domain, with no trust between the old and proposed newly created domain, and creating users and everything else from scratch. I'm horrified at this idea, the work it would involve and the disruption to the user community. Why a new domain? Why not collapse the child domains after upgrading to 2012, or before upgrading to 2012?

@rsilva98... yes, we would rebuild our present DC's one at a time to the new OS, and for the DC's that couldn't handle it we would get new DC's. Right now, these are physical DC's we have in place.

Lee W, MVP, Technology and Business Process Advisor, commented:
Domain rename is not an option in an AD that has Exchange, but if your network already has a proper domain name (.org), then I would definitely start flattening the domain instead of building from scratch.

Run a DCDIAG /C /E /V (go home and check the results in the morning) from each DC to verify AD health, then you can start migrating to AD in 2012. Of course, I'd pull off a couple of the existing VMs (you ARE virtualizing, right?) and setup a test network to verify things work as expected... but rebuilding from scratch if you have a perfectly valid domain name... that doesn't make sense.  I only suggested it based on my interpretation of what you wrote to start and knowing the AD/Exchange/SSL issues you might face.
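The health check Lee W describes above, run from one place across every DC in the forest, as an added example that is not part of the thread and not anyone's posted script. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine you run it from, that each domain has a DC reachable through Active Directory Web Services or the Active Directory Management Gateway Service (needed for 2003 DCs), and that `C:\ADMigration\Logs` is an acceptable place for the per-DC dcdiag logs; all of those are assumptions. It also records what a migration plan needs before introducing 2012 DCs: forest and domain functional levels, FSMO holders, OS version, site and global catalog status per DC, and the count of failed dcdiag tests so the unhealthy DCs are looked at first.

```powershell
# Added example (not from the thread): pre-migration AD health and inventory sweep.
# Assumes: RSAT ActiveDirectory module installed locally, every domain reachable via
# ADWS or the AD Management Gateway Service, and the log folder below is acceptable.
Import-Module ActiveDirectory

$LogRoot = 'C:\ADMigration\Logs'   # assumed output folder
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

$forest = Get-ADForest
Write-Output "Forest: $($forest.Name)   Forest functional level: $($forest.ForestMode)"
Write-Output "Schema master: $($forest.SchemaMaster)   Domain naming master: $($forest.DomainNamingMaster)"

# 2012 DCs need a forest functional level of Windows Server 2003 or higher.
if ($forest.ForestMode -like '*2000*') {
    Write-Warning "Forest functional level is $($forest.ForestMode); raise it before adding 2012 DCs."
}

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Output "Domain: $($domain.DNSRoot)   Domain functional level: $($domain.DomainMode)   PDC: $($domain.PDCEmulator)"

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # Comprehensive (/c), verbose (/v) dcdiag against this one DC, log kept per host.
        $log = Join-Path $LogRoot "dcdiag_$($dc.HostName).txt"
        & dcdiag.exe "/s:$($dc.HostName)" /c /v "/f:$log" | Out-Null

        # dcdiag prints "<server> failed test <name>" for each failing test; count them.
        $failed = (Select-String -Path $log -Pattern 'failed test' | Measure-Object).Count

        [pscustomobject]@{
            Domain            = $domain.DNSRoot
            DC                = $dc.HostName
            Site              = $dc.Site
            OS                = $dc.OperatingSystem
            IsGlobalCatalog   = $dc.IsGlobalCatalog
            FsmoRoles         = ($dc.OperationMasterRoles -join ',')
            FailedDcdiagTests = $failed
            Log               = $log
        }
    }
}

# Unhealthy DCs first; keep a CSV alongside the logs for the migration planning file.
$report | Sort-Object FailedDcdiagTests -Descending | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $LogRoot 'dc_inventory.csv') -NoTypeInformation
```

Run it from a workstation or member server with RSAT rather than from a DC, and run it again after each batch of DC replacements: the CSV from each pass gives you a before/after view of functional levels, FSMO placement and dcdiag failures, and the per-host log is what you open when a DC shows a non-zero failed-test count.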
Leon Fester, IT Project Change Manager, commented:
My 5c = upgrade and collapse the child domains.
Most of the reasons have been listed by leew.
See similar discussion
... in a slightly different scenario, but maybe it helps your thought process and helps with questions you should be asking yourself.
It's not doable creating everything from scratch. Are you considering going virtual? You could decrease the amount of time by virtualizing your infrastructure. Also you would have an environment on the fly, which means you can test things before migrating the production environment and roll back if something goes wrong.
bernardb (Author) commented:
I'm contacting companies that do this for a living! Thanks....

I want to collapse our domains into one... upgrade and replace DC's as needed to support the upgraded OS / AD....
