Solved

AD upgrade/migration

Posted on 2014-03-19
1
215 Views
Last Modified: 2014-03-21
I am asking for some high-level AD design/migration assistance.  We have two small (<100 users) AD domains (on Server 2003) which are separated by a firewall.   Domain A is behind the firewall and Domain B is outside the firewall currently.  We will eventually be moving Domain B to be behind the firewall.   We want to upgrade to Server 2008 which will require new physical domain controllers as we cannot upgrade in place on this hardware.   We have come up with two options:

1)      Build a new domain controller with Server 2008 on new hardware, setup trust with Domain A and migrate Domain A objects to new domain.  Repeat for Domain B as it moves behind the firewall
a.      Will we be able to use a trust and ADMT work through a firewall?
b.      We see a benefit to be able to ‘clean up’ the domain structure by building a new domain – but it also would require more effort to build from scratch.

2)      Build a new domain controller with Server 2008 on new hardware in Domain A, setup trust with Domain B and migrate objects to domain A
a.       This leaves us with the old “messy” domain objects but we are experienced and comfortable with this process.

Also, any guidance with how to configure DNS for these trusts would be especially helpful.  Any advice or suggestions would be appreciated.  Thanks.
0
Comment
Question by:sepparker
1 Comment
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 39941787
2a: This one first because it may well be the easiest path.

If there's nothing fundamentally broken with your domain then you could do just that. Ultimately you'll have to go through the same identification and re-organisation exercise whether you kill off the first domain or not.

The clear advantage of keeping the first domain is that you don't have to worry about ADMT rewriting profiles, or moving services, etc etc.

1a: If you use NAT on the firewall (between the two forests) it will be exceptionally difficult to get a trust working.

If there's no NAT, it's just a question of firewall rules.

Obviously allowing any IP protocol (and port) is the simplest rule. If it must be locked down you'll have to do a bit more digging.

To start you off:
 - LDAP (TCP/389)
 - Kerberos (TCP and UDP/88)
 - RPC end point mapper (TCP/135)
 - DNS (TCP and UDP 53, TCP for zone transfers)

You may need NetBIOS too, but it's not a hard requirement; it depends on your environment, we haven't truly needed it since Windows NT.

RPC is normally the tricky one. All the end-point mapper does is negotiate use of a high-numbered port. Your firewall would need to be able to inspect RPC traffic to open appropriate pin-holes, if it cannot inspect RPC you'll have to open up the entire ephemeral range.

1b: Agreed, it often requires a fair bit of analysis to ensure you capture everything. ADMT will help with a lot, but perhaps not everything.

DNS for the trusts:

All you need is for each domain to be able to resolve names in the other. This can be achieved using Conditional Forwarding, Stub Zones or Zone Transfer.

The note about NAT is imperative here, if you don't NAT this is no real problem, if you do name resolution is a significant hurdle.

Chris
0

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now