What is the best way to consolidate two win2k8 R2 forests?

Posted on 2014-10-13
Last Modified: 2014-10-20
Hello Experts
I’ve inherited a situation in which two sister companies have increasingly grown closer together. At the start the two companies were completely separate from each other; however, both companies now share the same Accounting, HR, Marketing, Sales, Customer Service, IT, Software Development, etc. Each company has its own domain in its own forest. The band-aid to get us through was creating a two-way trust between the domains, and while that works for sharing resources it’s growing ever more time consuming to maintain and will only get worse the larger the companies get. All DCs are fairly new hardware (2 years old), all running Win Server 2008 R2. All clients are Win7. There is no Exchange server.

Forest 1, Domain ABC = 390 users & computers, ~5 Servers
Forest 2, Domain XYZ = 270 users & computers, ~5 Servers

Here are my questions:
1. Would you recommend migrating the users/computers/servers from domain XYZ into domain ABC, managing it as a single domain, or creating a second domain in Forest 1 and then migrating users/computers/servers from domain XYZ to this new domain?
2. What is the absolute safest way (least amount of risk and downtime) to migrate the users/computers/servers from domain XYZ to ABC? Have you used third-party software that’s made the transition easier or safer that you would recommend?
3. What phases or steps would you break this into to provide a fallback plan should the migration of the servers prove problematic? Is it possible, and would you recommend, slowly migrating say 20 users/computers per week and leaving the servers until the very end?
Question by:EndTheFed

Expert Comment

by:Joshua Grantom
ID: 40378042
We regularly perform migrations because of Mergers & Acquisitions. Our process is to migrate all users and workstations first, then groups, then leave the servers for last.

My question is what other services do you run? Do you have Sharepoint or any other applications that rely on AD or LDAP?

Are these all hard network connections or do you have wireless clients as well? What about remote or vpn?

Expert Comment

by:Steven Wells
ID: 40378052
Hi
It depends on what the naming of your domains is. I would personally keep one domain and migrate users and resources from one to the parent domain.

There really is no single best way. It could depend on the number of users, how many Exchange domains and other resources you have, and what your fully qualified domain name is (i.e. does it match your company name, etc.).

You could also build a new domain with a new domain name structure, create your trusts with the old domains, and migrate everything (the longest, hardest route).

It really depends on how much work you are prepared to do, as well as other factors such as domain name and resources in each.

You can use the ADMT 3 tool to migrate user accounts and computers between domains. There are also other products from Dell (Quest) that do migration too.

The least amount of work would be to choose the domain with the largest number of user accounts as your primary domain, as they are the hardest to migrate and plan for.

You can also migrate in batches to prove GPOs etc. work too.

Good luck
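
As an added example of the batching Steven describes (this is not code from the thread, nor from ADMT itself): a PowerShell script that turns a source-domain OU into ADMT include files of 20 accounts each and lists the accounts whose names already exist in the target domain, so each weekly batch is a fixed, reviewable file rather than an ad-hoc selection in the console. The domain names, OU and output path are placeholders for the asker's environment, and the include-file layout (a "SourceName" header row followed by one name per line) and the computer-name form are my reading of the ADMT 3.2 guide, so confirm both against the version you install.

```powershell
# Added example (not from the thread): build ADMT include files so that XYZ
# is migrated into ABC in fixed, reviewable batches, and list accounts whose
# names already exist in ABC. Needs the RSAT Active Directory module
# (available on Windows 7 / Server 2008 R2).
Import-Module ActiveDirectory

$SourceDomain = 'xyz.local'                  # assumption: XYZ's DNS name
$TargetDomain = 'abc.local'                  # assumption: ABC's DNS name
$SourceOU     = 'OU=Staff,DC=xyz,DC=local'   # assumption: OU holding the XYZ accounts
$BatchSize    = 20                           # the "20 per week" pace from the question
$OutDir       = 'C:\ADMT\batches'            # assumption: output location

function New-AdmtIncludeFiles {
    # One file per batch. Layout assumed from the ADMT 3.2 guide: a header
    # row 'SourceName', then one source account name per line. Verify the
    # layout against your installed ADMT before feeding it a real batch.
    param(
        [Parameter(Mandatory=$true)][string] $Prefix,
        [Parameter(Mandatory=$true)][AllowEmptyCollection()][string[]] $Names,
        [int] $Size = 20
    )
    $files = @()
    $batch = 0
    for ($i = 0; $i -lt $Names.Count; $i += $Size) {
        $batch++
        $last = [Math]::Min($i + $Size, $Names.Count) - 1
        $path = Join-Path $OutDir ('{0}-batch{1:D2}.txt' -f $Prefix, $batch)
        @('SourceName') + $Names[$i..$last] | Set-Content -Path $path -Encoding ASCII
        $files += $path
    }
    return $files
}

function Get-TargetNameConflicts {
    # sAMAccountNames that already exist in the target domain. ADMT will skip,
    # rename or merge these depending on the conflict option chosen, so decide
    # per account up front instead of discovering it in the migration log.
    param([string[]] $SamNames)
    foreach ($sam in $SamNames) {
        $safe = $sam.Replace("'", "''")      # escape quotes for the filter string
        if (Get-ADObject -Server $TargetDomain -Filter "sAMAccountName -eq '$safe'") { $sam }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Only enabled objects go into batches; disabled or stale ones are reviewed separately.
$users = @(Get-ADUser -Server $SourceDomain -SearchBase $SourceOU -Filter 'Enabled -eq $true' |
    Sort-Object SamAccountName | ForEach-Object { $_.SamAccountName })

# Assumption: ADMT lists computers by name, without the trailing '$'.
$computers = @(Get-ADComputer -Server $SourceDomain -SearchBase $SourceOU -Filter 'Enabled -eq $true' |
    Sort-Object Name | ForEach-Object { $_.Name })

# Computer accounts carry a trailing '$' in sAMAccountName, so check that form.
$computerSams = @($computers | ForEach-Object { $_ + '$' })
$conflicts    = @(Get-TargetNameConflicts -SamNames ($users + $computerSams))

$userFiles     = @(New-AdmtIncludeFiles -Prefix 'users'     -Names $users     -Size $BatchSize)
$computerFiles = @(New-AdmtIncludeFiles -Prefix 'computers' -Names $computers -Size $BatchSize)

'{0} users in {1} files, {2} computers in {3} files under {4}' -f `
    $users.Count, $userFiles.Count, $computers.Count, $computerFiles.Count, $OutDir
if ($conflicts.Count -gt 0) {
    "Names already present in $TargetDomain (resolve before these batches run):"
    $conflicts
}
```

Each file is then fed to ADMT through the console's import-from-file option (or the command line's include-file switch, /IF, as documented in the ADMT guide). Look at the conflict list before the first batch: an XYZ "jsmith" colliding with an ABC "jsmith" is exactly the case where ADMT's skip/rename/merge choice has to be deliberate rather than a default. Re-run the script the week before each batch, since the source OU will keep changing while the two domains coexist.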

Author Comment

by:EndTheFed
ID: 40378133
@Joshua
Luckily we have resisted running any AD integrated applications for the exact reason that we knew this merge would be coming soon. We don't run Exchange, Sharepoint, Lync, or DFS. We don't even use roaming profiles. The only LDAP integrated thing we have is RADIUS for WiFi and VPN authentication. Both just use groups in AD for access.

All clients can be and normally are hard-wired on location. No clients are permanently remote/VPN connected or offsite.

Expert Comment

by:Joshua Grantom
ID: 40378156
ADMT 3.2 is definitely a viable option for you.

I would read everything you can on ADMT and my personal opinion is to use a standalone server to host it.

You are lucky you have no integrated services, that will definitely minimize the work.

Here is a good place to start reading about ADMT and preparing the target and source domains.

http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

Author Comment

by:EndTheFed
ID: 40378169
@steven
No Exchange/Sharepoint or other AD apps. Domains and number of user/computer accounts are listed above, as you said the larger domain (ABC) will be the “host” forest, and the slightly smaller XYZ domain will be migrating. The domain name doesn’t matter for now, I’ve done successful domain renames in the past and can always do that in the future (to avoid the longest hardest route), the only goal for now is to get them consolidated in the best way possible. Both domains have completely unique FQDNs and are not single label domains.

Author Comment

by:EndTheFed
ID: 40378182
@Joshua
@Steven

You both recommended ADMT as the tool of choice so I'll probably go that route.
Can you please list the reasons you'd opt to migrate XYZ into ABC as a single domain as opposed to creating a new, second domain in the same forest as ABC and then migrating to the new domain?
Would you say it's the norm for sister companies to be setup as single forest single domain, as opposed to single forest two domains? Is there essentially no benefit to having them as separate domains within the same forest?

Expert Comment

by:Steven Wells
ID: 40378193
It may come down to cost as well as admin complexity. You need to have more servers running as DCs to support more domains. You only need separate root forests if you plan to add child domains in future. ADMT is a good tool and works well provided you set it up correctly.

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 150 total points
ID: 40378195
We used to have our domain split into 3 regional sub-domains, and management of users, groups, permissions, GPOs, etc. became difficult, so management decided to migrate all users into a single domain and use OUs to separate our locations. That may be the best for you as well. It works a lot easier that way.

Having 2 domains in the same forest will still cause you to have to implement a two-way trust relationship, even if they are in the same forest.

Expert Comment

by:Steven Wells
ID: 40378199
There is also no benefit in having separate domains unless needed to separate security between staff.

Author Comment

by:EndTheFed
ID: 40378245
Glad to hear that consensus; I was hoping single domain with separate OUs was the way to go.

What about DNS? In addition to the transitive domain trusts between ABC and XYZ, I also have a Conditional Forwarder setup in DNS between the two. Does that stay throughout the migration or need to be modified during the process?

@Joshua
You said you've done several mergers. Do you have a basic outline of your process you'd be willing to share? I could just use it as a template and modify as needed after I finish reading through the ADMT guide.

Expert Comment

by:Joshua Grantom
ID: 40378307
I don't really have any generic templates; most of our documentation is company specific because of the massive size of our environment, but I will see if I can find something that may be able to help.

Expert Comment

by:Steven Wells
ID: 40378322
You need to keep your DNS set up throughout the migration stage to support your users and applications running on both domains. Once all resources and users have been migrated you can collapse the trusts and then DNS.
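
As an added example of the checks worth running before each batch and again after the trusts are collapsed (this is not code from the thread): a PowerShell script that reports the trusts each domain holds and whether SID filtering is still enforced on them (which matters if ADMT is being used to carry sIDHistory across the trust), tests that each side can still locate the other's domain controllers through the conditional forwarders, and validates the secure channel to the trusted domain. The domain names are placeholders; the script relies only on the .NET DirectoryServices API, the RSAT Active Directory module, nslookup and nltest, all available on Windows 7 / Server 2008 R2.

```powershell
# Added example (not from the thread): coexistence pre-flight checks for the
# period when both ABC and XYZ are live. Reports the trusts each domain holds
# and their SID filtering state, tests DC locator (SRV) resolution through the
# conditional forwarders, and validates the secure channel to the trusted
# domain. Needs the RSAT Active Directory module; nslookup and nltest ship
# with Windows.
Import-Module ActiveDirectory

$Domains = @('abc.local', 'xyz.local')   # assumption: the two domains' DNS names

function Get-DomainTrustReport {
    param([string] $DomainDns)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainDns)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    foreach ($t in $dom.GetAllTrustRelationships()) {
        # trustAttributes bits on the trustedDomain object: 0x4 QUARANTINED_DOMAIN
        # (SID filtering enforced on an external trust), 0x8 FOREST_TRANSITIVE.
        $tdo = Get-ADObject -Server $DomainDns -Properties trustAttributes `
            -LDAPFilter "(&(objectClass=trustedDomain)(name=$($t.TargetName)))"
        $attr = 0
        if ($tdo) { $attr = [int]$tdo.trustAttributes }
        New-Object PSObject -Property @{
            Source       = $t.SourceName
            Target       = $t.TargetName
            Type         = $t.TrustType
            Direction    = $t.TrustDirection
            SidFiltering = (($attr -band 0x4) -ne 0)
            ForestTrust  = (($attr -band 0x8) -ne 0)
        }
    }
}

function Test-DcLocator {
    # Can this host find DCs for $DomainDns? nslookup through the local resolver
    # works on Win7/2008 R2; the conditional forwarder is what makes it answer.
    param([string] $DomainDns)
    $out = (& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainDns" 2>&1) | Out-String
    return [bool]($out -match 'svr hostname')
}

function Test-TrustChannel {
    # nltest /sc_verify validates (and resets if needed) the secure channel
    # from this machine to a DC of the named trusted domain.
    param([string] $DomainDns)
    $out = (& nltest "/sc_verify:$DomainDns" 2>&1) | Out-String
    return [bool](($out -match 'NERR_Success') -and ($out -notmatch 'ERROR_'))
}

foreach ($d in $Domains) {
    "== Trusts held by $d =="
    Get-DomainTrustReport -DomainDns $d |
        Format-Table Source, Target, Type, Direction, SidFiltering, ForestTrust -AutoSize
}

foreach ($d in $Domains) {
    $state = if (Test-DcLocator -DomainDns $d) { 'OK' } else { 'FAILED: check the conditional forwarder' }
    'DC SRV lookup for {0}: {1}' -f $d, $state
}

$here = $env:USERDNSDOMAIN.ToLower()
foreach ($d in ($Domains | Where-Object { $_ -ne $here })) {
    $state = if (Test-TrustChannel -DomainDns $d) { 'OK' } else { 'FAILED' }
    'Secure channel to {0}: {1}' -f $d, $state
}
```

If SID filtering is relaxed so that migrated sIDHistory is honoured across the trust, treat that as a temporary, documented exception: it widens what a compromised account in the other domain can claim. Once the last server has moved, re-run the script, confirm nothing still depends on resolving the old domain, and then remove the trust and the forwarder together rather than leaving a quarantine-relaxed trust behind.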

Accepted Solution

by:Steven Wells
Steven Wells earned 350 total points
ID: 40378359
I have my last migration doc, which I can clean and send to you. Just PM your email address.

Author Closing Comment

by:EndTheFed
ID: 40392085
Thanks for those answers Joshua
Thanks for the migration doc Steven
Both were very helpful

For anyone else looking to do this, I recently found this site: http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
which is very similar to the step by step doc Steven had sent me.