What is the best way to consolidate two win2k8 R2 forests?

Hello Experts
I’ve inherited a situation in which two sister companies have increasingly grown closer together. At the start the two companies were completely separate from each other, however both companies now share the same Accounting, HR, Marketing, Sales, Customer Service, IT, Software Development, etc. Each company has its own domain in its own forest. The band-aid to get us through was creating a two-way trust between the domains and while that works for sharing resources it’s growing ever more time consuming to maintain and will only get worse the larger the companies get. All DC’s are fairly new hardware (2 years old) all running Win Server 2008 R2. All clients are Win7. There is no Exchange server.

Forest 1, Domain ABC = 390 users & computers, ~5 Servers
Forest 2, Domain XYZ = 270 users & computers, ~5 Servers

Here are my questions:
1.      Would you recommend migrating the users/computers/servers from domain XYZ into domain ABC managing it as a single domain or create a second domain in Forest 1 and then migrating users/computers/servers from domain XYZ to this new domain?
2.      What is the absolute safest way (least amount of risk and downtime) to migrate the users/computers/servers from domain XYZ to ABC? Have you used third-party software that’s made the transition easier or safer that you would recommend?
3.      What phases or steps would you break this into to provide a fallback plan should the migration of the servers prove problematic? Is it possible and would you recommend slowly migrating say 20 users/computers per week and leaving the servers until the very end?
EndTheFed asked:
Joshua Grantom, Senior Systems Administrator, commented:
We regularly perform migrations because of Merge & Acquisitions. Our process is to migrate all users and workstations first, then groups, then leave the servers for last.

My question is what other services do you run? Do you have Sharepoint or any other applications that rely on AD or LDAP?

Are these all hard network connections or do you have wireless clients as well? What about remote or vpn?
0
Steven Wells, Systems Administrator, commented:
Hi
It depends on what your naming of the domains is. I would personally keep one domain and migrate users and resources from one to the parent domain.

There really is no real best way. It could depend on the number of users, how many Exchange domains and other resources you have, and what your fully qualified domain name is (i.e. does it match your company name, etc.).

You could also build a new domain with a new domain name structure, create your trusts with the old domains, and migrate everything (the longest, hardest route).

It really depends on how much work you are prepared to do as well as other factors such as domain name and resources in each.

You can use the ADMT 3 tool to migrate user accounts and computers between domains. There are also other products from Dell (Quest) that do migration too.

The least amount of work would be to choose the domain with the most amount of user accounts as your primary domain as they are the hardest to migrate and plan for.

You can also migrate in batches to prove GPOs etc. work too.

Good luck
0
EndTheFed (author) commented:
@Joshua
Luckily we have resisted running any AD integrated applications for the exact reason that we knew this merge would be coming soon. We don't run Exchange, Sharepoint, Lync, or DFS. We don't even use roaming profiles. The only LDAP integrated thing we have is RADIUS for WiFi and VPN authentication. Both just use groups in AD for access.

All clients can be and normally are hard-wired on location. No clients are permanently remote/VPN connected or offsite.
0
Joshua Grantom, Senior Systems Administrator, commented:
ADMT 3.2 is definitely a viable option for you.

I would read everything you can on ADMT and my personal opinion is to use a standalone server to host it.

You are lucky you have no integrated services; that will definitely minimize the work.

Here is a good place to start reading about ADMT and preparing the target and source domains.

http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
0
EndTheFed (author) commented:
@steven
No Exchange/SharePoint or other AD apps. Domains and number of user/computer accounts are listed above; as you said, the larger domain (ABC) will be the “host” forest, and the slightly smaller XYZ domain will be migrating. The domain name doesn’t matter for now; I’ve done successful domain renames in the past and can always do that in the future (to avoid the longest, hardest route). The only goal for now is to get them consolidated in the best way possible. Both domains have completely unique FQDNs and are not single-label domains.
0
EndTheFed (author) commented:
@Joshua
@Steven

You both recommended ADMT as the tool of choice so I'll probably go that route.
Can you please list the reasons you'd opt to migrate XYZ into ABC as a single domain as opposed to creating a new, second domain in the same forest as ABC and then migrating to the new domain?
Would you say it's the norm for sister companies to be set up as single forest, single domain, as opposed to single forest, two domains? Is there essentially no benefit to having them as separate domains within the same forest?
0
Steven Wells, Systems Administrator, commented:
It may come down to cost as well as admin complexity. You need to have more servers running as DCs to support more domains. You only need separate root forests if you plan to add child domains in future. ADMT is a good tool and works well provided you set it up correctly.
0
Joshua Grantom, Senior Systems Administrator, commented:
We used to have our domain split into 3 regional sub-domains, and management of users, groups, permissions, GPOs, etc. became difficult, so management decided to migrate all users into a single domain and use OUs to separate our locations. That may be the best for you as well. It works a lot easier that way.

Having 2 domains in the same forest will still cause you to have to implement a 2 way trust relationship even if they are in the same forest.
0
Steven Wells, Systems Administrator, commented:
There is also no benefit in having separate domains unless needed to separate security between staff.
0
EndTheFed (author) commented:
Glad to hear that consensus; I was hoping single domain with separate OUs was the way to go.

What about DNS? In addition to the transitive domain trusts between ABC and XYZ, I also have a conditional forwarder set up in DNS between the two. Does that stay throughout the migration or need to be modified during the process?

@Joshua
You said you've done several mergers. Do you have a basic outline of your process you'd be willing to share? I could just use it as a template and modify as needed after I finish reading through the ADMT guide.
0
Joshua Grantom, Senior Systems Administrator, commented:
I don't really have any generic templates; most of our documentation is company specific because of the massive size of our environment, but I will see if I can find something that may be able to help.
0
Steven Wells, Systems Administrator, commented:
You need to keep your DNS set up throughout the migration stage to support your users and applications running on both domains. Once all resources and users have been migrated you can collapse the trusts and then DNS.
0
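As an added example that is not part of this thread, here is how a target-domain admin could script the pre-flight checks before each ADMT batch: confirm the two-way trust and the conditional forwarder that must stay in place until the end, then carve the source domain's workstations into batches of 20, leaving servers out so they can be migrated last. The domain names, DNS server and batch size are assumptions; the script assumes it runs on a target-domain DC with the ActiveDirectory module available.

```powershell
# Added example (not from the thread): pre-flight checks before an ADMT batch.
# Assumptions (hypothetical names): source domain xyz.example, target is the
# current domain, DNS checked on the local DC, batch size 20 as asked above.
param(
    [string]$SourceDomain = 'xyz.example',
    [string]$DnsServer    = $env:COMPUTERNAME,
    [int]$BatchSize       = 20
)
Import-Module ActiveDirectory

# 1. Verify the trust to the source domain still exists and is two-way.
#    .NET is used here because the 2008 R2 AD module has no Get-ADTrust.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trust  = $domain.GetAllTrustRelationships() |
          Where-Object { $_.TargetName -ieq $SourceDomain }
if (-not $trust) {
    throw "No trust from $($domain.Name) to $SourceDomain; do not start a batch."
}
if ($trust.TrustDirection -ne 'Bidirectional') {
    Write-Warning "Trust to $SourceDomain is $($trust.TrustDirection), not two-way."
}

# 2. Verify the conditional forwarder for the source domain is still present.
#    Assumption: ZoneType 4 marks a conditional forwarder in the MicrosoftDNS
#    WMI provider (Get-DnsServerZone needs the 2012+ DnsServer module).
$fwd = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
        -Class MicrosoftDNS_Zone -Filter "Name='$SourceDomain' AND ZoneType=4"
if (-not $fwd) {
    Write-Warning "No conditional forwarder for $SourceDomain on $DnsServer; ADMT name resolution will break."
}

# 3. Plan workstation batches from the source domain. Servers are excluded
#    so they stay behind until every user and workstation has moved.
$workstations = Get-ADComputer -Server $SourceDomain -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike '*Server*' } |
    Sort-Object Name
$batch = 0
for ($i = 0; $i -lt $workstations.Count; $i += $BatchSize) {
    $batch++
    $last  = [Math]::Min($i + $BatchSize, $workstations.Count) - 1
    $names = @($workstations[$i..$last] | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        Batch     = $batch
        Count     = $names.Count
        Computers = ($names -join ',')
    }
}
```

Re-run the two checks after each batch as well; the thread's advice is that the trust and forwarder are only collapsed once the last server has been migrated.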
Steven Wells, Systems Administrator, commented:
I have my last migration doc which I can clean and send to you. Just PM your email address.
0
EndTheFed (author) commented:
Thanks for those answers Joshua
Thanks for the migration doc Steven
Both were very helpful

For anyone else looking to do this, I recently found this site: http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
which is very similar to the step by step doc Steven had sent me.
0