Migrating from one domain to another in the same forest

Posted on 2014-01-30
Last Modified: 2014-06-11
We currently have a single forest and a single domain; this has been upgraded from NT to 2003 to 2008 Active Directory over the last 10 - 15 years.

I have been tasked with redesigning our Active Directory and Group Policies with an aim to make it more efficient and manageable. However, most of the contents have not been documented as to what they do, and those that knew have either forgotten or have left (just the start of my headache).

As you can imagine, it is like playing a big game of Jenga: any little change to an account or group policy could potentially bring it all down.

What I wanted to do was create a brand new domain in the same forest and then rebuild all the machines and servers over time, joining them to the new domain. I would also be recreating groups and user accounts in the new domain. While doing this I would want both domains to be able to see each other, so will need a trust in place.

Can anyone see any major issue in doing this? I have spoken to a number of individuals and they have suggested never ever doing this, but I cannot understand why.
Question by:WNottsC

Expert Comment

ID: 39820511
Yes, you will have to create a new domain in your existing forest.
And using the AD migration tool (ADMT v3) could be a suitable choice to facilitate migration and restructuring tasks in an Active Directory infrastructure.
Meanwhile, you can also check this helpful link for migration between different domains.

Author Comment

ID: 39823417
Thank you for this. I had already researched the topic and found a number of tools. My question is really around being told by a number of people, in no uncertain terms, that it is the worst thing we could be thinking of doing.

What are the advantages to doing this, and what could the disastrous consequences be if we did?
Accepted Solution

Mahesh earned 500 total points
ID: 39828150
First of all, the reason you provided for having a separate domain is not a valid reason to have a separate domain.
Companies are trying to minimize their AD domain footprint as much as possible when they have multiple domains within a single company.
You may find separate AD domains in the following scenarios:
  • Company mergers / acquisitions
  • New implementations
  • Legal reasons / political interests
From a manageability and simplicity standpoint, single domain, single forest is one of the best models, which I think you already have.
Also, if you have MS Exchange, then it gets more complicated.

It's much easier for you to set up a new domain in a forest (within 5 minutes), but migration is not an easy game.
It's not only limited to users and computers; it will affect your application servers, infra servers and so on. When it comes to applications, the scenario becomes complicated.
You need to modify application configurations, and also need to maintain co-existence scenarios and so on.
Also, this involves computer migration, which is also not a painless activity.
There are a lot of prerequisites you need to take care of before starting a migration project.
For gaining IT experience towards migration, this is a good project.

But from a management point of view this is never a painless activity.

I think you could streamline your existing Active Directory by hiring a directory specialist / consultant; it's not a big deal.
There is TechNet documentation available about AD best practices.

For a migration initiative you would also require a directory specialist, but you would also require application specialists and network specialists.

In short, I don't see any good reason for creating a new domain and migrating.
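Both the question (an undocumented directory where any change might "bring it all down") and the accepted answer (streamline what you have rather than migrate) point to the same first step: build a documented baseline of the current domain before touching it. The script below is an added example, not code from the question or any answer on this thread. It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed, that the account running it can read GPOs in the current domain, and it writes reports to a hypothetical folder under `$env:TEMP`. It lists every GPO with where it is linked, whether its computer and user halves actually carry settings, and when it last changed, then lists the trusts the domain already has (a second domain created inside the same forest receives a two-way transitive trust automatically, so the trust in the question would not need to be built by hand).

```powershell
# Added example (not from the original thread): baseline the existing domain
# before any redesign. Assumes RSAT modules GroupPolicy and ActiveDirectory.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain

# One row per GPO: link targets, whether each half has any settings, last change.
# Unlinked or empty GPOs are the low-risk cleanup candidates in a "Jenga" domain.
$inventory = foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot
    # LinksTo is absent when the GPO is not linked anywhere; filter out the $null
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })
    [pscustomobject]@{
        Name                = $gpo.DisplayName
        Status              = $gpo.GpoStatus          # e.g. AllSettingsEnabled, UserSettingsDisabled
        Links               = $links -join '; '
        HasComputerSettings = [bool]$report.GPO.Computer.ExtensionData
        HasUserSettings     = [bool]$report.GPO.User.ExtensionData
        Modified            = $gpo.ModificationTime
    }
}

$inventory | Sort-Object Name | Format-Table -AutoSize

'Unlinked GPOs (nothing applies them):'
$inventory | Where-Object { -not $_.Links } | Select-Object -ExpandProperty Name

'GPOs with no settings on either side:'
$inventory |
    Where-Object { -not $_.HasComputerSettings -and -not $_.HasUserSettings } |
    Select-Object -ExpandProperty Name

# Trusts this domain already participates in (intra-forest trusts appear here too).
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive

# Keep a human-readable copy of every GPO so the pre-change state is documented.
$outDir = Join-Path $env:TEMP 'gpo-baseline'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Domain $domain.DNSRoot `
        -Path (Join-Path $outDir "$($gpo.Id).html")
}
```

Run it from a domain-joined admin workstation; it only reads. The HTML reports in the output folder are the documentation the question says is missing, and the two triage lists give a way to shrink the existing domain one safe step at a time, which is the route the accepted answer recommends over a second domain.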

