Active Directory Forest

Hi

So currently we are looking to break out of an AD forest. The root forest is in a different country. 2 x DCs (GCs) are deployed in the UK. Both DCs are 2003. We cannot seize the FSMO roles, and need to break out with the best possible solution. I can't see anything else applicable apart from creating a new forest and moving all our servers/workstations over into the new forest.

Any suggestions would be welcome.
sessionhost4hty asked:

Mike Kline commented:
Yes, you would need to create a new forest and migrate your objects to the new forest. You can use the AD Migration Tool (ADMT): http://blogs.technet.com/b/askds/archive/2010/06/19/admt-3-2-released.aspx

There are also third-party tools.

Seizing is only used if the operations master is down and not coming back.

By the way, people have requested what you want as a feature, sometimes referred to as "prune and graft". Can't be done (wish it could). More on that below:

http://blogs.technet.com/b/activedirectoryua/archive/2009/10/01/mergers-acquisitions-or-reorganizations-may-have-you-considering-active-directory-restructuring.aspx

Thanks


Mike
0
Life1430 (Sr Engineer) commented:
If you don't have any problem with the domain/forest name, then you can break physical connectivity of these two DCs with the other domain controllers and seize the roles, followed by metadata cleanup of the DCs from which you have broken the physical connectivity. Later, after 30 days, you can remove the stale objects, so you will be left with only the objects that are in use.
With the above solution you will be saved from migrating profiles/users etc., but the domain name will be the same.
0
Sandeshdubey (Senior Server Engineer) commented:
How is your AD designed: a single domain, or multiple domains in the forest? Assuming it is a parent-child architecture, then you need to create a new domain and perform a cross-domain migration.

If you want to migrate users from one domain to a new domain using the ADMT tool, you need to create a trust relationship between the two domains. You need to understand the nuances of ADMT and its workings before you actually take on a migration in a production environment. Also, it's much better if you can simulate it in a lab environment for a successful result. I have some links below which might help you to understand this. Start by reading the ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

Migrating stuff with ADMTv3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

ADMT Series
http://blog.thesysadmins.co.uk/category/admt

If you have a single-domain, multiple-site architecture, you can break connectivity and perform the seize and metadata cleanup as suggested by sarang.

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
0
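The "cut the links, seize the roles, clean up the metadata" procedure described by Life1430 and Sandeshdubey above, as an added worked example. This script is not from the thread or from Microsoft; it wraps the Windows Server 2003-era command-line tools that actually do the work (netdom, repadmin, ntdsutil) rather than the Active Directory PowerShell module, which the 2003 DCs in the question cannot serve. Every server, site and domain name in it is a placeholder assumption. It also assumes the surviving DC hosts the domain whose roles are being seized: PDC, RID and infrastructure master can only be seized onto a DC of that same domain, so in an empty-root forest with no UK root-domain DC the root domain's roles cannot be recovered this way. The reachability check before the seizure is the security-relevant guard: seizing a role that is still live on a reachable DC leaves two forests claiming the same name and SIDs, and the old root must never be reconnected afterwards.

```powershell
# Added example: FSMO seizure + metadata cleanup checklist for an isolated
# Windows Server 2003 forest fragment. Not from the thread. All names below are
# placeholders (assumptions) that must be replaced before use.

$SurvivingDC  = 'UKDC01'      # assumed: the UK DC that will hold the seized roles
$LostRootDC   = 'ROOTDC01'    # assumed: the DC abroad that will never be reconnected
$LostRootSite = 'HQ'          # assumed: AD site containing $LostRootDC
$ConfigDN     = 'CN=Configuration,DC=corp,DC=example'   # assumed forest root NC
# 2003 ntdsutil role names; on 2008+ "domain naming master" is spelled "naming master".
$RolesToSeize = 'schema master', 'domain naming master', 'PDC', 'RID master', 'infrastructure master'

function Get-FsmoHolders {
    # netdom prints "<role name>   <holder>" separated by runs of spaces; parse those.
    netdom query fsmo | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}(\S+)$') {
            [pscustomobject]@{ Role = $Matches[1].Trim(); Holder = $Matches[2] }
        }
    }
}

function Test-DcReachable([string]$Dc) {
    # Treat the DC as alive if either ICMP or an LDAP/RPC bind (repadmin) succeeds.
    if (Test-Connection -ComputerName $Dc -Count 1 -Quiet -ErrorAction SilentlyContinue) { return $true }
    repadmin /bind $Dc 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)      # assumption: non-zero exit on bind failure
}

function Invoke-FsmoSeizure([string]$TargetDc, [string[]]$Roles) {
    # ntdsutil accepts its interactive commands as arguments. Each "seize" first
    # tries a graceful transfer, then seizes when the current holder is unreachable.
    # ntdsutil still pops a confirmation dialog for each role; that cannot be suppressed.
    $cmds = @('roles', 'connections', "connect to server $TargetDc", 'quit')
    foreach ($r in $Roles) { $cmds += "seize $r" }
    $cmds += 'quit', 'quit'
    & ntdsutil @cmds
}

function Remove-DcMetadata([string]$Dc, [string]$Site, [string]$ConfigDN) {
    # Remove the lost DC's NTDS Settings/server objects and replication links so
    # the surviving DCs stop trying to replicate with it. DN syntax assumed to be
    # the 2003 SP1+ "remove selected server <DN>" form.
    $serverDN = "CN=$Dc,CN=Servers,CN=$Site,CN=Sites,$ConfigDN"
    & ntdsutil 'metadata cleanup' "remove selected server $serverDN" 'quit' 'quit'
}

# --- Main flow -------------------------------------------------------------
$holders = Get-FsmoHolders
$holders | Format-Table -AutoSize

# Guard: refuse to seize while the old holder can still be reached. Two live
# copies of the same role means two forests with the same name and SIDs.
$heldAbroad = $holders | Where-Object { $_.Holder -like "$LostRootDC*" }
if ($heldAbroad -and (Test-DcReachable $LostRootDC)) {
    throw "$LostRootDC still answers. Cut the WAN link before seizing, and never reconnect it afterwards."
}

Invoke-FsmoSeizure -TargetDc $SurvivingDC -Roles $RolesToSeize
Remove-DcMetadata -Dc $LostRootDC -Site $LostRootSite -ConfigDN $ConfigDN

# Verify: every role now on the surviving DC, and replication between the two
# remaining UK DCs is clean before any stale-object cleanup later on.
Get-FsmoHolders | Format-Table -AutoSize
repadmin /replsummary
```

Run it from one of the surviving UK DCs (or a machine with the 2003 Support Tools installed) as a member of Domain Admins, Schema Admins and Enterprise Admins; the schema and domain naming roles cannot be seized without the latter two group memberships. Leave the DNS records and site links of the cut-off DCs for the metadata cleanup to remove, and repeat Remove-DcMetadata once per DC that stayed on the other side of the link.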

sessionhost4hty (Author) commented:
Thanks guys - I'm sure it's multiple domain, empty root with child domains, but I'll check. Sounds like I need to spin up a test single-domain forest and start getting used to ADMT.

Do Microsoft still recommend an empty root if utilising a multiple-domain forest structure, or just an easy single domain?
0
Mike Kline commented:
Single domain, as the forest is the security boundary. Years ago it was the recommendation, so there are still a lot around (we have one where I am).

More on the empty root: http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx#adempty

Thanks

Mike
0
sessionhost4hty (Author) commented:
Thanks Mike. We do have an empty root domain in our forest, with a child domain. Why, with an empty forest root, can we not choose option 1 and keep the existing domain name, cut the network links, after 30 days seize the FSMO roles and perform a metadata clean-up?
0
Mike Kline commented:
You could do it that way, but I personally prefer starting in a clean environment that I know is good. The other way there is a lot of cleanup. Honestly, I've never broken off like that in production.

Thanks

Mike
0