.local Active Directory Domain Rename - IntRAforest or IntERforest Migration

Posted on 2014-08-21
Medium Priority
Last Modified: 2015-06-17
I currently have a native 2008 flat setup: single AD domain, single forest. We have approximately 20 locations with 1000 users, with approximately 85-90% of the workforce being remote (i.e. their workstations don't see the corporate network more than once or twice a year). The domain is a .local domain (company.local). We have both Exchange 2010 and Lync 2010 on premise. AD servers are mostly 2008 R2 machines with a couple of 2008 machines. Workstations are all Windows 7. There are 10 or so SMTP / UPN / SIP domains.

My understanding is that public SSL providers will not issue SSL certs for .local domains beginning in 2015. We currently utilize Lync 2010, which is pretty reliant on SSL certs. We've also just subscribed to Office 365 and are looking to kill our on-premise Exchange and move to the cloud. Since we have Exchange in the forest, a domain rename is not an option. I'm thinking I need to do an INTER-forest migration to a new single forest/single domain to get rid of the current .local domain. I'm also thinking that this needs to be done prior to our move to Office 365. I'm planning on using DirSync and ADFS with Office 365.

I was planning on using ADMT to migrate to the new forest, stand up a temporary Exchange in the new forest, migrate users to the temporary Exchange and then migrate a second time to Office 365. There would need to be a coexistence period between the new and old forest so that accounts from either forest could access each other's resources during the migration, which I'm thinking will take a few months. I was going to take this time and start from scratch with everything in the new domain (new SharePoint, Exchange, SQL, etc.) to make sure it was done right. Only user accounts and groups would be migrated over.

However, the INTRA-forest scenario just popped into my mind. I would create a new child domain (company.com) in the EXISTING AD forest (company.local) and migrate the stuff over to the new child domain. This would leave a .local root domain, but the child AD domain where everything is would be a "real" .com (or .net, whatever) domain. This seems to be a lot simpler at first glance than an INTRA-forest migration. Can someone give me some insight into this? Any issues with an empty .local root domain?
Question by: Matt Walker
LVL 38
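Before choosing between the rename, intra-forest and inter-forest options, an inventory of what the .local forest actually contains is useful; the following PowerShell is an added example (not code from the thread or any of its participants) that lists the forest's domains and registered UPN suffixes and reports enabled users whose UPN still ends in the non-routable suffix, which matters for the DirSync/ADFS plan mentioned in the question. It assumes the ActiveDirectory RSAT module and the constructed placeholder names company.local and company.com.

```powershell
# Added example: inventory a .local forest ahead of an Office 365 / ADFS move.
# Assumes the ActiveDirectory module (RSAT) and the constructed placeholder
# names below; adjust them to the real environment.
Import-Module ActiveDirectory

$LegacySuffix = 'company.local'   # constructed placeholder: the .local forest root
$PublicSuffix = 'company.com'     # constructed placeholder: a verified public UPN suffix

$forest = Get-ADForest
Write-Host "Forest root:        $($forest.RootDomain)"
Write-Host "Domains in forest:  $($forest.Domains -join ', ')"
Write-Host "UPN suffixes:       $($forest.UPNSuffixes -join ', ')"

# A routable UPN suffix must be registered on the forest before any user can use it.
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Write-Host "UPN suffix $PublicSuffix is not registered; showing the change with -WhatIf"
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicSuffix} -WhatIf
}

# Enabled users whose UPN still carries the .local suffix. Such UPNs are not
# usable as federated sign-in names and need a public suffix before syncing.
$legacyUsers = @(Get-ADUser -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$LegacySuffix'" `
    -Properties UserPrincipalName, mail)

Write-Host ("{0} enabled users still carry @{1}" -f $legacyUsers.Count, $LegacySuffix)

foreach ($u in $legacyUsers) {
    # Keep the left-hand part of the UPN and swap in the public suffix.
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $PublicSuffix
    Write-Host ("{0} -> {1}" -f $u.UserPrincipalName, $newUpn)
    # -WhatIf reports the change without applying it; remove it to commit.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run it with -WhatIf left in place first; the report alone shows how much of the identity data is tied to the .local name, which is the figure that decides how painful each migration path will be.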

Accepted Solution

Mahesh earned 2000 total points
ID: 40278271
I think you need to create a new tree root domain (domain.com hopefully, not a child domain) in the existing .local forest; it will help with what you are trying to do.
This will be a bit simpler, so that you can install new mailbox servers in the tree root domain within the same Exchange organization and then move mailboxes from the .local domain to the tree root domain.
This will save you from creating a new forest and moving everything to the new forest.

The option to create a new AD forest is always there; with ADMT and with Exchange scripts (preparemoverequest.ps1) you can migrate mailboxes to the new AD forest.
This process is a bit complicated.
You need to take care of GAL sync across both forests / Exchange orgs for the duration of the co-existence period.
Also, you need to maintain something called a shared namespace (the same SMTP namespace in the existing forest and the new forest) for the co-existence period.
You need to move your MX to the new forest, and so on.
LVL 12

Expert Comment

ID: 40301038
Personally I would not go through the work of migrating off of the current namespace when you plan to move to O365 anyway.

Public certificate authorities are already denying requests which include invalid top-level domains (like .local), as it has to do with the expiration date, not the request date. See this blog article for more details:

I would simply deploy an internal Enterprise Windows CA (if you do not already have one) and assign private certificates to the internal Lync server roles, saving the public certs for external resources only (your Edge and Reverse Proxy servers).
