AD upgrade/migration

Posted on 2014-03-19
Last Modified: 2014-03-21
I am asking for some high-level AD design/migration assistance. We have two small (<100 users) AD domains (on Server 2003) which are separated by a firewall. Domain A is behind the firewall and Domain B is outside the firewall currently. We will eventually be moving Domain B to be behind the firewall. We want to upgrade to Server 2008 which will require new physical domain controllers as we cannot upgrade in place on this hardware. We have come up with two options:

1) Build a new domain controller with Server 2008 on new hardware, set up a trust with Domain A and migrate Domain A objects to the new domain. Repeat for Domain B as it moves behind the firewall.
   a. Will we be able to use a trust and ADMT through a firewall?
   b. We see a benefit in being able to ‘clean up’ the domain structure by building a new domain – but it also would require more effort to build from scratch.

2) Build a new domain controller with Server 2008 on new hardware in Domain A, set up a trust with Domain B and migrate objects to Domain A.
   a. This leaves us with the old “messy” domain objects but we are experienced and comfortable with this process.

Also, any guidance with how to configure DNS for these trusts would be especially helpful.  Any advice or suggestions would be appreciated.  Thanks.
Question by: sepparker

Accepted Solution by: Chris Dent (ID: 39941787)
2a: This one first because it may well be the easiest path.

If there's nothing fundamentally broken with your domain then you could do just that. Ultimately you'll have to go through the same identification and re-organisation exercise whether you kill off the first domain or not.

The clear advantage of keeping the first domain is that you don't have to worry about ADMT rewriting profiles, or moving services, etc etc.

1a: If you use NAT on the firewall (between the two forests) it will be exceptionally difficult to get a trust working.

If there's no NAT, it's just a question of firewall rules.

Obviously allowing any IP protocol (and port) is the simplest rule. If it must be locked down you'll have to do a bit more digging.

To start you off:
 - LDAP (TCP/389)
 - Kerberos (TCP and UDP/88)
 - RPC end point mapper (TCP/135)
 - DNS (TCP and UDP/53; TCP for zone transfers)

You may need NetBIOS too, but it's not a hard requirement; it depends on your environment. We haven't truly needed it since Windows NT.

RPC is normally the tricky one. All the end-point mapper does is negotiate use of a high-numbered port. Your firewall would need to be able to inspect RPC traffic to open appropriate pin-holes; if it cannot inspect RPC you'll have to open up the entire ephemeral range.

1b: Agreed, it often requires a fair bit of analysis to ensure you capture everything. ADMT will help with a lot, but perhaps not everything.

DNS for the trusts:

All you need is for each domain to be able to resolve names in the other. This can be achieved using Conditional Forwarding, Stub Zones or Zone Transfer.

The note about NAT is imperative here: if you don't NAT, this is no real problem; if you do, name resolution is a significant hurdle.

Chris
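The answer above lists the ports a trust needs through the firewall and says DNS only has to resolve the other domain's names (conditional forwarding being one option). The script below is an added example, not part of Chris Dent's answer or the original question: it probes the listed TCP ports against a domain controller in the other forest, adds a conditional forwarder for the other domain with `dnscmd` (available on Server 2003 and 2008, so it fits the era of the question), and checks that the other forest's DC locator record resolves. The address `192.0.2.10` and the domain name `domainb.example` are constructed placeholders; the script assumes no NAT between the forests and that it runs as an administrator on a Domain A DNS server.

```powershell
# Added example (not from the original answer). Assumed values, replace with your own:
$RemoteDc     = '192.0.2.10'        # placeholder: a DC in the other forest
$RemoteDomain = 'domainb.example'   # placeholder: the other forest's DNS name

# TCP ports from the answer's starting list. UDP/88 and UDP/53 cannot be
# verified with a plain connect, so confirm those from the firewall rules.
# RPC beyond the end-point mapper uses dynamic high ports (49152-65535 by
# default on Server 2008), which the firewall must inspect or open as a range.
$TcpPorts = @{
    'LDAP'                = 389
    'Kerberos'            = 88
    'RPC end point mapper'= 135
    'DNS (zone transfer)' = 53
}

# Works on PowerShell 2.0 (Server 2008) because it uses .NET directly
# rather than Test-NetConnection, which needs a newer Windows.
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Report which of the required TCP ports the firewall lets through.
foreach ($name in $TcpPorts.Keys) {
    $port = $TcpPorts[$name]
    $state = if (Test-TcpPort -Server $RemoteDc -Port $port) { 'open' } else { 'BLOCKED' }
    '{0,-22} TCP/{1,-4} {2}' -f $name, $port, $state
}

# 2. Conditional forwarder: queries for the other domain go to its DC.
#    dnscmd syntax: /ZoneAdd <zone> /Forwarder <master IP ...>
& dnscmd.exe /ZoneAdd $RemoteDomain /Forwarder $RemoteDc

# 3. Confirm the other forest's DC locator record now resolves; the trust
#    setup and Kerberos both depend on it.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain"
```

Run the same script on the Domain B side pointing at a Domain A DC so both directions are covered, since a trust needs resolution and port access both ways. If step 1 shows TCP/135 open but the trust still fails, the dynamic RPC ports the answer warns about are the usual cause.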