Solved

AD upgrade/migration

Posted on 2014-03-19
1
221 Views
Last Modified: 2014-03-21
I am asking for some high-level AD design/migration assistance.  We have two small (<100 users) AD domains (on Server 2003) which are separated by a firewall.   Domain A is behind the firewall and Domain B is outside the firewall currently.  We will eventually be moving Domain B to be behind the firewall.   We want to upgrade to Server 2008 which will require new physical domain controllers as we cannot upgrade in place on this hardware.   We have come up with two options:

1)      Build a new domain controller with Server 2008 on new hardware, setup trust with Domain A and migrate Domain A objects to new domain.  Repeat for Domain B as it moves behind the firewall
a.      Will we be able to use a trust and ADMT work through a firewall?
b.      We see a benefit to be able to ‘clean up’ the domain structure by building a new domain – but it also would require more effort to build from scratch.

2)      Build a new domain controller with Server 2008 on new hardware in Domain A, setup trust with Domain B and migrate objects to domain A
a.       This leaves us with the old “messy” domain objects but we are experienced and comfortable with this process.

Also, any guidance with how to configure DNS for these trusts would be especially helpful.  Any advice or suggestions would be appreciated.  Thanks.
0
Comment
Question by:sepparker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 39941787
2a: This one first because it may well be the easiest path.

If there's nothing fundamentally broken with your domain then you could do just that. Ultimately you'll have to go through the same identification and re-organisation exercise whether you kill off the first domain or not.

The clear advantage of keeping the first domain is that you don't have to worry about ADMT rewriting profiles, or moving services, etc etc.

1a: If you use NAT on the firewall (between the two forests) it will be exceptionally difficult to get a trust working.

If there's no NAT, it's just a question of firewall rules.

Obviously allowing any IP protocol (and port) is the simplest rule. If it must be locked down you'll have to do a bit more digging.

To start you off:
 - LDAP (TCP/389)
 - Kerberos (TCP and UDP/88)
 - RPC end point mapper (TCP/135)
 - DNS (TCP and UDP 53, TCP for zone transfers)

You may need NetBIOS too, but it's not a hard requirement; it depends on your environment, we haven't truly needed it since Windows NT.

RPC is normally the tricky one. All the end-point mapper does is negotiate use of a high-numbered port. Your firewall would need to be able to inspect RPC traffic to open appropriate pin-holes, if it cannot inspect RPC you'll have to open up the entire ephemeral range.

1b: Agreed, it often requires a fair bit of analysis to ensure you capture everything. ADMT will help with a lot, but perhaps not everything.

DNS for the trusts:

All you need is for each domain to be able to resolve names in the other. This can be achieved using Conditional Forwarding, Stub Zones or Zone Transfer.

The note about NAT is imperative here, if you don't NAT this is no real problem, if you do name resolution is a significant hurdle.

Chris
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question