.local Active Directory Domain Rename - IntRAforest or IntERforest Migration

I currently have a native 2008 flat, single AD domain, single forest setup. We have approximately 20 locations with 1000 users, with approximately 85-90% of the workforce being remote (i.e. their workstations don't see the corporate network more than once or twice a year). The domain is a .local domain (company.local). We have both Exchange 2010 and Lync 2010 on premise. AD servers are mostly 2008 R2 machines with a couple of 2008 machines. Workstations are all Windows 7. There are 10 or so SMTP / UPN / SIP domains.

My understanding is that public SSL providers will not issue SSL certs for .local domains beginning in 2015. We currently utilize Lync 2010, which is pretty reliant on SSL certs. We've also just subscribed to Office 365 and are looking to kill our on-premise Exchange and move to the cloud. Since we have Exchange in the forest, a domain rename is not an option. I'm thinking I need to do an INTER-FOREST migration to a new single forest/single domain to get rid of the current .local domain. I'm also thinking that this needs to be done prior to our move to Office 365. I'm planning on using DirSync and ADFS with Office 365.

I was planning on using ADMT to migrate to the new forest, stand up a temporary Exchange in the new forest, migrate users to the temporary Exchange and then migrate a second time to Office 365. There would need to be a coexistence period between the new and old forest so that accounts from either forest could access each other's resources during the migration, which I'm thinking will take a few months. I was going to take this time and start from scratch with everything in the new domain (new SharePoint, Exchange, SQL, etc.) to make sure it was done right. Only user accounts and groups would be migrated over.

However, the INTRA-Forest scenario just popped into my mind. I would create a new child domain (company.com) in the EXISTING AD forest (company.local) and migrate the stuff over to the new child domain. This would leave a .local root domain, but the child AD domain where everything is would be a "real" .com (or .net, whatever) domain. This seems to be a lot simpler at first glance than an INTRA-Forest migration. Can someone give me some insight into this? Any issues with an empty .local root domain?

Asked by Matt Walker
I think you need to create a new tree root domain (domain.com hopefully, not a child domain) in the existing .local forest; it will help with what you are trying to do.
This will be a bit simpler, since you can install new mailbox servers in the tree root domain within the same Exchange organization and then move mailboxes from the .local domain to the tree root domain.
This will save you from creating a new forest and moving everything to the new forest.

The option to create a new AD forest is always there; with ADMT and with Exchange scripts (preparemoverequest.ps1) you can migrate mailboxes to the new AD forest.
This process is a bit complicated:
You need to take care of GAL sync across both forests / Exchange orgs for the duration of the coexistence period.
You also need to maintain something called a shared namespace (the same SMTP namespace in the existing forest and the new forest) for the coexistence period.
You need to move your MX to the new forest, and so on.
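Before choosing between the tree-root and new-forest routes, it helps to record the facts the plan depends on. The following script is an added example, not part of the original thread; it runs from a domain-joined admin workstation with the ActiveDirectory RSAT module (2008 R2 or later) and reports the forest root, whether an Exchange organization exists in the forest (the reason a domain rename is off the table), and how many enabled users still carry each UPN suffix. The container path it checks is the standard Exchange location in the Configuration partition; everything else is generic.

```powershell
# Added example: pre-migration inventory for the forest discussed above.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# The Exchange organization object lives under CN=Microsoft Exchange,CN=Services
# in the Configuration partition. If it exists, a domain rename is unsupported.
$exchangeOrg = $null
try {
    $exchangeOrg = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -ErrorAction Stop
} catch {
    # Container absent: no Exchange organization in this forest.
}

Write-Host "Forest root domain     : $($forest.RootDomain)"
Write-Host "Registered UPN suffixes: $($forest.UPNSuffixes -join ', ')"
Write-Host ("Exchange org present   : {0}" -f [bool]$exchangeOrg)

# Count enabled users per UPN suffix. Accounts whose UPN ends in the
# non-routable .local name need a public suffix before they are synced to
# Office 365; otherwise the cloud logon name falls back to the tenant's
# onmicrosoft.com domain.
$report = Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.Enabled -and $_.UserPrincipalName -like '*@*' } |
    Group-Object { ($_.UserPrincipalName -split '@')[1].ToLower() } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            UpnSuffix   = $_.Name
            Users       = $_.Count
            NonRoutable = ($_.Name -like '*.local')
        }
    }

$report | Format-Table -AutoSize
```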

Personally I would not go through the work of migrating off of the current namespace when you plan to move to O365 anyway.

Public certificate authorities are already denying requests which include invalid top-level domains (like .local), as it has to do with the expiration date, not the request date. See this blog article for more details:

I would simply deploy an internal Enterprise Windows CA (if you do not already have one) and assign private certificates to the internal Lync server roles, saving the public certs for external resources only (your Edge and Reverse Proxy servers).
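To see which certificates on an internal server are affected by that expiry-based rule, the following script is an added example (not from the original thread). It reads the local machine store, flags every certificate that carries a name ending in the forest's internal suffix, and reports whether it came from a private enterprise CA (unaffected) or a public CA (cannot be renewed past the cutoff). It assumes PowerShell 3.0 or later for the DnsNameList property, an elevated session, and a placeholder issuer name for your internal CA; the 1 November 2015 date is the CA/Browser Forum cutoff after which publicly issued certificates may not contain internal names.

```powershell
# Added example: find certificates with internal (.local) names in the machine store.
$internalSuffix = '.local'                 # non-routable suffix used in this forest
$cutoff         = Get-Date '2015-11-01'    # CA/B Forum cutoff for internal names
$privateIssuers = @('CN=Company-Internal-CA')   # placeholder: your enterprise CA's name

$findings = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Prefer the SAN entries; fall back to the subject CN for certs without a SAN.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @(($cert.Subject -replace '^.*?CN=([^,]+).*$', '$1')) }

    $internal = @($names | Where-Object { $_.ToLower().EndsWith($internalSuffix) })
    if (-not $internal) { return }    # only certificates with internal names matter here

    $fromPrivateCa = [bool]($privateIssuers | Where-Object { $cert.Issuer -like "*$_*" })

    # A private CA certificate is unaffected; a public one with an internal name
    # cannot be renewed past the cutoff and should move to the internal CA.
    if ($fromPrivateCa)                   { $action = 'OK (internal CA)' }
    elseif ($cert.NotAfter -gt $cutoff)   { $action = 'Will not renew: move to internal CA' }
    else                                  { $action = 'Expires before cutoff: plan replacement' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        InternalNames = ($internal -join ', ')
        NotAfter      = $cert.NotAfter
        FromPrivateCa = $fromPrivateCa
        Action        = $action
    }
}

$findings | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it on each Lync front end, Edge and reverse proxy server; only the externally facing names on the Edge and reverse proxy need a public certificate, so those should contain no internal names at all.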