  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1122

Migrating from one domain to another in the same forest

We currently have a single forest and a single domain; this has been upgraded from NT to 2003 to 2008 Active Directory over the last 10 - 15 years.

I have been tasked with redesigning our Active Directory and Group Policies with an aim to make it more efficient and manageable. However, most of the contents have not been documented as to what they do, and those who knew have either forgotten or have left (just the start of my headache).

As you can imagine, it is like playing a big game of Jenga: any little change to an account or group policy could potentially bring it all down.

What I wanted to do was create a brand new domain in the same forest and then rebuild all the machines and servers over time, joining them to the new domain. I would also be recreating groups and user accounts in the new domain. While doing this I would want both domains to be able to see each other, so I will need a trust in place.

Can anyone see any major issue in doing this? I have spoken to a number of individuals and they have suggested never ever doing this, but I cannot understand why.

Asked: WNottsC
1 Solution
 
michaelalphi commented:
Yes, you will have to create a new domain in your existing forest.
And usage of the AD Migration Tool (ADMT v3) could be a suitable choice to facilitate the migration and restructuring task in an Active Directory infrastructure.
Meanwhile, you can also check this helpful link for migration between different domains.
 
WNottsC (Author) commented:
Thank you for this. I had already researched the topic and found a number of tools. My question is really around being told by a number of people, in no uncertain terms, that it is the worst thing we could be thinking of doing.

What are the advantages to doing this, and what could the disastrous consequences be if we did?
 
MaheshArchitect commented:
1st of all, the reason provided by you for having a separate domain is not a valid reason to have a separate domain.
Companies are trying to minimize their AD domain footprint as much as possible when they have multiple domains within a single company.
In the scenarios below you may find separate AD domains:
  • Company mergers \ acquisitions
  • New implementations
  • Legal reasons \ political interests
From a manageability and simplicity standpoint, single domain, single forest is one of the best models, which I think you already have.
Also, if you have MS Exchange, then it gets more complicated.

It is much easier for you to set up a new domain in a forest (within 5 minutes), but migration is not an easy game.
It is not only limited to users and computers; it will affect your application servers, infra servers and so on. When it comes to applications, the scenario becomes complicated.
You need to modify application configurations, and also need to maintain co-existence scenarios and so on.
Also this involves computer migration, which is also not a painless activity.
There are a lot of prerequisites you need to take care of before starting a migration project.
For gaining IT experience towards migration, this is a good project.

But from a management point of view this is never a painless activity.

I think you could streamline your existing Active Directory by hiring some directory specialist \ consultant; it's not a big deal.
There is TechNet documentation available about AD best practices.

For a migration initiative you would also require a directory specialist, but you would also require application specialists and network specialists.

In short, I don't see any good reason for creating a new domain and migrating.

Mahesh
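The asker's core problem is that the existing GPOs are undocumented, and Mahesh's point is that a migration touches far more than users and computers (trusts, application servers, the policies linked across the domain). Either way, the first step is an inventory of what is actually there. The PowerShell below is an added example, not code from this thread or from any poster; it assumes the RSAT `GroupPolicy` and `ActiveDirectory` modules are installed, that the account has read access to the domain, and that `C:\GPO-Inventory` is an acceptable output location (a placeholder path).

```powershell
# Added example (not from the original thread): inventory the current domain's
# trusts and GPOs before deciding whether to restructure or migrate.
# Assumes RSAT GroupPolicy and ActiveDirectory modules and read access to the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain: $($domain.DNSRoot)  Forest: $($domain.Forest)  Mode: $($domain.DomainMode)"

# Existing trusts. A second domain in the same forest would add an automatic
# two-way transitive trust, so knowing the current trust picture matters.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize

# Every GPO with its status, last modification and where it is linked, so the
# undocumented policies can be reviewed one by one rather than guessed at.
$gpos = Get-GPO -All
$inventory = foreach ($gpo in $gpos) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # LinksTo is absent for unlinked GPOs; wrap in @() so .Count is safe
    $links = @($report.GPO.LinksTo)
    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Status    = $gpo.GpoStatus
        Modified  = $gpo.ModificationTime
        LinkCount = $links.Count
        LinkedTo  = ($links | ForEach-Object { $_.SOMPath }) -join '; '
    }
}
$inventory | Sort-Object LinkCount -Descending | Format-Table -AutoSize

# Unlinked GPOs are the usual candidates for the "nobody knows what this does" pile.
$inventory | Where-Object { $_.LinkCount -eq 0 } |
    Select-Object Name, Modified | Format-Table -AutoSize

# Save a readable HTML report per GPO as the start of the missing documentation.
$outDir = 'C:\GPO-Inventory'   # placeholder output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($gpo in $gpos) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $outDir "$safeName.html")
}
```

Run this read-only pass on the existing domain before touching anything: it changes nothing in AD, and the per-GPO HTML reports plus the link table give the documentation the asker says is missing, which is what a consultant (per Mahesh's suggestion) would produce first, regardless of whether the outcome is a clean-up in place or a migration with ADMT.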
