.local Active Directory Domain Rename - IntRAforest or IntERforest Migration

Posted on 2014-08-21
Last Modified: 2015-06-17
I currently have a native 2008 flat setup: single AD domain, single forest. We have approximately 20 locations with 1000 users, with approximately 85-90% of the workforce being remote (i.e. their workstations don't see the corporate network more than once or twice a year). The domain is a .local domain (company.local). We have both Exchange 2010 and Lync 2010 on premise. AD servers are mostly 2008 R2 machines with a couple of 2008 machines. Workstations are all Windows 7. There are 10 or so SMTP / UPN / SIP domains.

My understanding is that public SSL providers will not issue SSL certs for .local domains beginning in 2015. We currently utilize Lync 2010, which is pretty reliant on SSL certs. We've also just subscribed to Office365 and are looking to kill our on-premise Exchange and move to the cloud. Since we have Exchange in the forest, a domain rename is not an option. I'm thinking I need to do an INTER-FOREST migration to a new single forest/single domain to get rid of the current .local domain. I'm also thinking that this needs to be done prior to our move to Office365. I'm planning on using DirSync and ADFS with Office365.

I was planning on using ADMT to migrate to the new forest, stand up a temporary Exchange in the new forest, migrate users to the temporary Exchange and then migrate a second time to Office365. There would need to be a coexistence period between the new and old forest so that accounts from either forest could access each other's resources during the migration, which I'm thinking will take a few months. I was going to take this time and start from scratch with everything in the new domain (new SharePoint, Exchange, SQL, etc.) to make sure it was done right. Only user accounts and groups would be migrated over.

However, the INTRA-Forest scenario just popped into my mind. I would create a new child domain in the EXISTING AD forest (company.local) and migrate the stuff over to the new child domain. This would leave a .local root domain, but the child AD domain where everything is would be a "real" .com (or .net, whatever) domain. This seems to be a lot simpler at first glance than an INTRA-Forest migration. Can someone give me some insight into this? Any issues with an empty .local root domain?
Question by: Matt Walker
    LVL 34

    Accepted Solution

    I think you need to create a new tree root domain (hopefully, not a child domain) in the existing .local forest; it will help with what you are trying to do.
    This will be a bit simpler, so that you can install new mailbox servers in the tree root domain within the same Exchange organization and then move mailboxes from the .local domain to the tree root domain.
    This will save you from creating a new forest and moving everything to the new forest.

    The option to create a new AD forest is always there; with ADMT and with Exchange scripts (preparemoverequest.ps1) you can migrate mailboxes to the new AD forest.
    This process is a bit complicated:
    You need to take care of GAL sync across both forests \ Exchange orgs until the end of the coexistence period,
    Also you need to maintain something called a shared namespace (same SMTP namespace in the existing forest and the new forest) until the end of the coexistence period,
    You need to move your MX to the new forest, and so on.
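    As an added example (not code from this thread, from the answerer, or from Microsoft): the intra-forest route above ends with mailboxes moving between servers of the same Exchange 2010 organization, which is a plain `New-MoveRequest` per mailbox. The script below drives that in small, tracked batches with a dry run first. It assumes the new tree root domain and its mailbox servers already exist, that it runs in the Exchange Management Shell, and that the database and batch names are placeholders you replace with your own.

```powershell
# Added example: batch mailbox moves from a database on the old company.local
# servers to a database on mailbox servers in the new tree-root domain, inside
# one Exchange 2010 organization. Run from the Exchange Management Shell.
# All names below are placeholders (assumptions), not values from the thread.

$SourceDatabase = 'LOCAL-MDB01'        # placeholder: database still homed in the .local domain
$TargetDatabase = 'TREEROOT-MDB01'     # placeholder: database on a server in the new tree-root domain
$BatchName      = 'LocalToTreeRoot-01' # placeholder: label used to track this batch
$BatchSize      = 25                   # small batches keep a failed move easy to spot and roll back
$DryRun         = $true                # leave $true until the -WhatIf output looks right

# Mailboxes on the source database that do not already have a move request.
# Get-MoveRequest errors for a mailbox with no request, so that error is silenced.
$pending = Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited |
    Where-Object { -not (Get-MoveRequest -Identity $_.Identity -ErrorAction SilentlyContinue) } |
    Select-Object -First $BatchSize

foreach ($mbx in $pending) {
    # -BadItemLimit caps corrupt items skipped per mailbox; raise only after reviewing the report.
    New-MoveRequest -Identity $mbx.Identity `
                    -TargetDatabase $TargetDatabase `
                    -BatchName $BatchName `
                    -BadItemLimit 10 `
                    -WhatIf:$DryRun
}

# Progress report for the batch; rerun this line while moves are in flight.
Get-MoveRequest -BatchName $BatchName |
    Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize, TargetDatabase |
    Format-Table -AutoSize
```

    Run it once with `$DryRun = $true` to see exactly which mailboxes would be selected, then flip it to `$false`. Because the move stays within one organization, no GAL sync or shared SMTP namespace is involved; those items only apply to the new-forest option described in the second half of the answer.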
    LVL 12

    Expert Comment

    Personally I would not go through the work of migrating off of the current namespace when you plan to move to O365 anyway.

    Public certificate authorities are already denying requests which include invalid Top Level Domains (like .local) as it has to do with the expiration date, not the request date.  See this blog article for more details:

    I would simply deploy an internal Enterprise Windows CA (if you do not already have one) and assign private certificates to the internal Lync server roles, saving the public certs for external resources only (your Edge and Reverse Proxy servers).
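    As an added example (not code from the thread or from the commenter): before splitting certificates between an internal enterprise CA and a public provider as suggested above, it helps to know which certificates on each Lync server actually carry .local names. The script below inventories the local machine store and flags those certificates with their issuer and expiry, so the ones that a public CA will no longer renew can be scheduled for reissue internally. The suffix list and store path are parameters you can adjust; `.local` is the only suffix taken from the thread.

```powershell
# Added example: list certificates in the local machine store whose subject or
# SAN entries carry internal-only suffixes such as .local, with issuer and
# expiry, to plan which ones must come from an internal CA. Run elevated on
# each Lync server. Defaults below are assumptions, not values from the thread.
param(
    [string[]]$InternalSuffixes = @('.local'),        # add other non-public suffixes you use
    [string]$StorePath = 'Cert:\LocalMachine\My'      # personal store used by Lync server roles
)

function Get-InternalNameCertificates {
    param([string[]]$Suffixes, [string]$Store)

    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_
        # DnsNameList is filled by PowerShell from the SAN extension (or the CN when no SAN exists)
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

        $internal = @($names | Where-Object {
            $name = $_.ToLower()
            ($Suffixes | Where-Object { $name.EndsWith($_.ToLower()) }).Count -gt 0
        })

        if ($internal.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer           # an external issuer here means this cert cannot be renewed publicly
                NotAfter      = $cert.NotAfter
                InternalNames = ($internal -join ';')
                PublicNames   = (($names | Where-Object { $internal -notcontains $_ }) -join ';')
            }
        }
    }
}

Get-InternalNameCertificates -Suffixes $InternalSuffixes -Store $StorePath |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

    Certificates that show a public issuer together with names in `InternalNames` are the ones to replace from the internal CA; those whose names are all public (typically the Edge and reverse proxy certificates the comment mentions) can stay with the public provider. In the Lync Management Shell, `Get-CsCertificate` shows which thumbprint is assigned to which role, so the two outputs can be matched by thumbprint.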
