sessionhost4hty

Active Directory Forest

Hi

So currently we are looking to break out of an AD forest. The root forest is in a different country. 2 x DCs (GCs) are deployed in the UK. Both DCs are 2003. We cannot seize the FSMO roles, and need to break out with the best possible solution. I can't see anything else applicable apart from creating a new forest, and moving all our servers/workstations over into the new forest.

Any suggestions would be welcome.
Mike Kline

Yes, you would need to create a new forest and migrate your objects to the new forest. You can use the AD migration tool: http://blogs.technet.com/b/askds/archive/2010/06/19/admt-3-2-released.aspx

There are also third party tools.

Seizing is only used if the operations master is down and not coming back.

By the way, people have requested what you want as a feature, sometimes referred to as "prune and graft". Can't be done (wish it could). More on that below:

http://blogs.technet.com/b/activedirectoryua/archive/2009/10/01/mergers-acquisitions-or-reorganizations-may-have-you-considering-active-directory-restructuring.aspx

Thanks


Mike

If you don't have any problem with the domain/forest name, then you can break the physical connectivity of these two DCs with the other domain controllers and seize the roles, followed by metadata cleanup of the DCs from which you have broken the physical connectivity. Later, after 30 days, you can remove the stale objects, so you will have the objects which are in use.
In the above solution you will be saved from migration of profiles/users etc., but the domain name will be the same.

How is your AD designed: single domain or multiple domains in the forest? Assuming that it is a parent-child architecture, then you need to create a new domain and perform cross migration.

If you want to migrate users from one domain to a new domain using the ADMT tool, you need to create a trust relationship between the two domains. You need to understand the nuances of ADMT and its working before you actually take on migration in a production environment. Also, it's much better if you can simulate it in a lab environment for a successful result. I have the links below, which might help you to understand this. Start by reading the ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

MIGRATING STUFF WITH ADMTV3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

ADMT Series
http://blog.thesysadmins.co.uk/category/admt

If you have a single-domain, multiple-site architecture, you can break connectivity and perform the seize and metadata cleanup as suggested by sarang.

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
sessionhost4hty

ASKER

Thanks guys - I'm sure it's multiple domain, empty root with child domains but I'll check. Sounds like I need to spin up a test single domain forest and start getting used to ADMT.

Do Microsoft still recommend an empty root if utilising a multiple domain forest structure or just an easy single domain?

Single domain, as the forest is the security boundary. Years ago it was the recommendation, so there are still a lot around (we have one where I am).

More on the empty root: http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx#adempty

Thanks

Mike

Thanks Mike. We do have an empty root domain in our forest, with a child domain. Why, with an empty forest root, can we not choose option 1 and keep the existing domain name, cut network links, after 30 days seize FSMO roles and perform metadata clean-up?

ASKER CERTIFIED SOLUTION
Mike Kline