Solved

AD upgrade/migration

Posted on 2014-03-19
1
218 Views
Last Modified: 2014-03-21
I am asking for some high-level AD design/migration assistance.  We have two small (<100 users) AD domains (on Server 2003) which are separated by a firewall.   Domain A is behind the firewall and Domain B is outside the firewall currently.  We will eventually be moving Domain B to be behind the firewall.   We want to upgrade to Server 2008 which will require new physical domain controllers as we cannot upgrade in place on this hardware.   We have come up with two options:

1)      Build a new domain controller with Server 2008 on new hardware, setup trust with Domain A and migrate Domain A objects to new domain.  Repeat for Domain B as it moves behind the firewall
a.      Will we be able to use a trust and ADMT work through a firewall?
b.      We see a benefit to be able to ‘clean up’ the domain structure by building a new domain – but it also would require more effort to build from scratch.

2)      Build a new domain controller with Server 2008 on new hardware in Domain A, setup trust with Domain B and migrate objects to domain A
a.       This leaves us with the old “messy” domain objects but we are experienced and comfortable with this process.

Also, any guidance with how to configure DNS for these trusts would be especially helpful.  Any advice or suggestions would be appreciated.  Thanks.
0
Comment
Question by:sepparker
1 Comment
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 39941787
2a: This one first because it may well be the easiest path.

If there's nothing fundamentally broken with your domain then you could do just that. Ultimately you'll have to go through the same identification and re-organisation exercise whether you kill off the first domain or not.

The clear advantage of keeping the first domain is that you don't have to worry about ADMT rewriting profiles, or moving services, etc etc.

1a: If you use NAT on the firewall (between the two forests) it will be exceptionally difficult to get a trust working.

If there's no NAT, it's just a question of firewall rules.

Obviously allowing any IP protocol (and port) is the simplest rule. If it must be locked down you'll have to do a bit more digging.

To start you off:
 - LDAP (TCP/389)
 - Kerberos (TCP and UDP/88)
 - RPC end point mapper (TCP/135)
 - DNS (TCP and UDP 53, TCP for zone transfers)

You may need NetBIOS too, but it's not a hard requirement; it depends on your environment, we haven't truly needed it since Windows NT.

RPC is normally the tricky one. All the end-point mapper does is negotiate use of a high-numbered port. Your firewall would need to be able to inspect RPC traffic to open appropriate pin-holes, if it cannot inspect RPC you'll have to open up the entire ephemeral range.

1b: Agreed, it often requires a fair bit of analysis to ensure you capture everything. ADMT will help with a lot, but perhaps not everything.

DNS for the trusts:

All you need is for each domain to be able to resolve names in the other. This can be achieved using Conditional Forwarding, Stub Zones or Zone Transfer.

The note about NAT is imperative here, if you don't NAT this is no real problem, if you do name resolution is a significant hurdle.

Chris
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question