AD upgrade/migration

Posted on 2014-03-19
Last Modified: 2014-03-21
I am asking for some high-level AD design/migration assistance. We have two small (<100 users) AD domains (on Server 2003) which are separated by a firewall. Domain A is behind the firewall and Domain B is outside the firewall currently. We will eventually be moving Domain B to be behind the firewall. We want to upgrade to Server 2008 which will require new physical domain controllers as we cannot upgrade in place on this hardware. We have come up with two options:

1) Build a new domain controller with Server 2008 on new hardware, set up a trust with Domain A and migrate Domain A objects to the new domain. Repeat for Domain B as it moves behind the firewall.
a. Will we be able to use a trust and ADMT through a firewall?
b. We see a benefit in being able to ‘clean up’ the domain structure by building a new domain – but it also would require more effort to build from scratch.

2) Build a new domain controller with Server 2008 on new hardware in Domain A, set up a trust with Domain B and migrate objects to Domain A.
a. This leaves us with the old “messy” domain objects, but we are experienced and comfortable with this process.

Also, any guidance on how to configure DNS for these trusts would be especially helpful. Any advice or suggestions would be appreciated. Thanks.
Question by: sepparker

Accepted Solution

by: Chris Dent (earned 2000 total points, ID: 39941787)
2a: This one first because it may well be the easiest path.

If there's nothing fundamentally broken with your domain then you could do just that. Ultimately you'll have to go through the same identification and re-organisation exercise whether you kill off the first domain or not.

The clear advantage of keeping the first domain is that you don't have to worry about ADMT rewriting profiles, or moving services, etc etc.

1a: If you use NAT on the firewall (between the two forests) it will be exceptionally difficult to get a trust working.

If there's no NAT, it's just a question of firewall rules.

Obviously allowing any IP protocol (and port) is the simplest rule. If it must be locked down, you'll have to do a bit more digging.

To start you off:
 - LDAP (TCP/389)
 - Kerberos (TCP and UDP/88)
 - RPC end point mapper (TCP/135)
 - DNS (TCP and UDP 53, TCP for zone transfers)

You may need NetBIOS too, but it's not a hard requirement; it depends on your environment. We haven't truly needed it since Windows NT.

RPC is normally the tricky one. All the end-point mapper does is negotiate use of a high-numbered port. Your firewall would need to be able to inspect RPC traffic to open appropriate pin-holes; if it cannot inspect RPC, you'll have to open up the entire ephemeral range.

1b: Agreed, it often requires a fair bit of analysis to ensure you capture everything. ADMT will help with a lot, but perhaps not everything.

DNS for the trusts:

All you need is for each domain to be able to resolve names in the other. This can be achieved using Conditional Forwarding, Stub Zones or Zone Transfer.

The note about NAT is imperative here: if you don't NAT, this is no real problem; if you do, name resolution is a significant hurdle.

Chris
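As an added example (not part of Chris's answer or the original thread), the following PowerShell script pre-flights the firewall rules and cross-domain name resolution he describes before the trust is attempted, then adds the conditional forwarder for the partner domain. The domain name and DC address are placeholders you would replace with your own.

```powershell
# Added example, not from the original thread. Verifies the TCP ports Chris lists,
# checks that the partner domain's DC locator record resolves, and creates a
# conditional forwarder. Values below are assumptions for illustration only.
$PartnerDomain = 'domainb.example'   # assumption: Domain B's DNS name
$PartnerDc     = '192.0.2.10'        # assumption: a Domain B DC reachable through the firewall

# TCP ports from the answer. UDP/88 and UDP/53 cannot be probed with a plain
# socket; the nslookup below exercises UDP/53 indirectly.
$TcpPorts = @{ 'LDAP' = 389; 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'DNS' = 53 }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Works on PowerShell 2.0 (Server 2008), unlike Test-NetConnection (2012+).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $TcpPorts.Keys) {
    $ok = Test-TcpPort -ComputerName $PartnerDc -Port $TcpPorts[$name]
    '{0,-22} TCP/{1,-4} {2}' -f $name, $TcpPorts[$name], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# Cross-boundary name resolution: the trust wizard and Kerberos rely on the
# DC locator SRV record. If this fails against the partner DC, fix DNS (or the
# NAT problem Chris describes) before creating the trust.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$PartnerDomain" $PartnerDc

# Conditional forwarder on the local DNS server so this domain can resolve the
# other. dnscmd exists on Server 2003 and 2008; on 2012+ the DnsServer module's
# Add-DnsServerConditionalForwarderZone does the same job.
dnscmd /ZoneAdd $PartnerDomain /Forwarder $PartnerDc
```

A BLOCKED result on TCP/135 with the other ports open is the usual sign that the RPC rule is missing; the dynamic high ports Chris mentions still have to be allowed (or inspected) separately.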