Solved

What is the best way to consolidate two win2k8 R2 forests?

Posted on 2014-10-13
Last Modified: 2014-10-20
Hello Experts
I’ve inherited a situation in which two sister companies have increasingly grown closer together. At the start the two companies were completely separate from each other; however, both companies now share the same Accounting, HR, Marketing, Sales, Customer Service, IT, Software Development, etc. Each company has its own domain in its own forest. The band-aid to get us through was creating a two-way trust between the domains, and while that works for sharing resources it’s growing ever more time-consuming to maintain and will only get worse the larger the companies get. All DCs are fairly new hardware (2 years old), all running Win Server 2008 R2. All clients are Win7. There is no Exchange server.

Forest 1, Domain ABC = 390 users & computers, ~5 Servers
Forest 2, Domain XYZ = 270 users & computers, ~5 Servers

Here are my questions:
1. Would you recommend migrating the users/computers/servers from domain XYZ into domain ABC, managing it as a single domain, or creating a second domain in Forest 1 and then migrating users/computers/servers from domain XYZ to this new domain?
2. What is the absolute safest way (least amount of risk and downtime) to migrate the users/computers/servers from domain XYZ to ABC? Have you used third-party software that’s made the transition easier or safer that you would recommend?
3. What phases or steps would you break this into to provide a fallback plan should the migration of the servers prove problematic? Is it possible, and would you recommend, slowly migrating say 20 users/computers per week and leaving the servers until the very end?
Question by:EndTheFed
14 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40378042
We regularly perform migrations because of Mergers & Acquisitions. Our process is to migrate all users and workstations first, then groups, then leave the servers for last.

My question is what other services do you run? Do you have SharePoint or any other applications that rely on AD or LDAP?

Are these all hard network connections or do you have wireless clients as well? What about remote or VPN?
LVL 12

Expert Comment

by:Steven Wells
ID: 40378052
Hi
It depends on what your naming of the domains is. I would personally keep one domain and migrate users and resources from one to the parent domain.

There really is no real best way. It could depend on the number of users, how many Exchange domains, other resources, etc. you have, and what your Fully Qualified Domain Name is (i.e. does it match your company name, etc.).

You could also build a new domain with a new domain name structure, create your trusts with the old domains, and migrate everything (the longest and hardest route).

It really depends on how much work you are prepared to do, as well as other factors such as domain name and resources in each.

You can use the ADMT 3 tool to migrate user accounts and computers between domains. There are also other products from Dell (Quest) that do migration too.

The least amount of work would be to choose the domain with the most user accounts as your primary domain, as they are the hardest to migrate and plan for.

You can also migrate in batches to prove GPOs etc. work too.

Good luck
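Planning the batches Steven mentions is where most of the pre-migration risk sits, so here is an added PowerShell example (not code from this thread or from ADMT) that picks the next batch of XYZ users for ADMT, skips accounts that already appear as sIDHistory in ABC (which only works if you migrate with SID history), and flags login-name collisions in ABC before the batch runs. Domain names, the OU and the file path are placeholders.

```powershell
# Added example (not from the thread): select the next batch of XYZ users for
# ADMT, skip accounts already migrated (their SID is present as sIDHistory in
# ABC, which ADMT writes when SID history is migrated), and flag login-name
# conflicts in ABC before the batch runs. Domain names are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'xyz.example'                  # placeholder: Domain XYZ (migrating)
$TargetDomain = 'abc.example'                  # placeholder: Domain ABC (host)
$SourceOU     = 'OU=Staff,DC=xyz,DC=example'   # placeholder
$BatchSize    = 20
$IncludeFile  = 'C:\ADMT\batch01.txt'          # placeholder path

# Every SID that ABC already carries as history, i.e. objects ADMT has migrated.
$migrated = @{}
Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object { foreach ($s in $_.sIDHistory) { $migrated[$s.Value] = $true } }

# Every login name ABC already has, so a colliding account is caught up front.
$targetNames = @{}
Get-ADObject -Server $TargetDomain -LDAPFilter '(sAMAccountName=*)' -Properties sAMAccountName |
    ForEach-Object { $targetNames[$_.sAMAccountName.ToLower()] = $true }

$batch = Get-ADUser -Server $SourceDomain -SearchBase $SourceOU -Filter { Enabled -eq $true } `
         -Properties memberOf |
    Where-Object { -not $migrated.ContainsKey($_.SID.Value) } |
    Sort-Object SamAccountName |
    Select-Object -First $BatchSize

$conflicts = @($batch | Where-Object { $targetNames.ContainsKey($_.SamAccountName.ToLower()) })
$clean     = @($batch | Where-Object { -not $targetNames.ContainsKey($_.SamAccountName.ToLower()) })

# ADMT include files list one object per line; sAMAccountName is accepted.
$clean | ForEach-Object { $_.SamAccountName } | Set-Content -Path $IncludeFile -Encoding ASCII
Write-Host ("{0} users written to {1}" -f $clean.Count, $IncludeFile)

if ($conflicts.Count -gt 0) {
    Write-Warning "Resolve these before migrating, or decide how ADMT's conflict option should handle them:"
    $conflicts | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# Groups this batch depends on, so the group migration can be scoped to them.
$batch | ForEach-Object { $_.memberOf } | Sort-Object -Unique
```

Run it from an account that can read both domains over the existing trust; the group list at the end tells you which groups must exist in ABC before the batch's permissions will resolve.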

Author Comment

by:EndTheFed
ID: 40378133
@Joshua
Luckily we have resisted running any AD integrated applications for the exact reason that we knew this merge would be coming soon. We don't run Exchange, Sharepoint, Lync, or DFS. We don't even use roaming profiles. The only LDAP integrated thing we have is RADIUS for WiFi and VPN authentication. Both just use groups in AD for access.

All clients can be and normally are hard-wired on location. No clients are permanently remote/VPN connected or offsite.
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40378156
ADMT 3.2 is definitely a viable option for you.

I would read everything you can on ADMT and my personal opinion is to use a standalone server to host it.

You are lucky you have no integrated services, that will definitely minimize the work.

Here is a good place to start reading about ADMT and preparing the target and source domains.

http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

Author Comment

by:EndTheFed
ID: 40378169
@steven
No Exchange/SharePoint or other AD apps. Domains and number of user/computer accounts are listed above; as you said, the larger domain (ABC) will be the “host” forest, and the slightly smaller XYZ domain will be migrating. The domain name doesn’t matter for now; I’ve done successful domain renames in the past and can always do that in the future (to avoid the longest, hardest route). The only goal for now is to get them consolidated in the best way possible. Both domains have completely unique FQDNs and are not single-label domains.

Author Comment

by:EndTheFed
ID: 40378182
@Joshua
@Steven

You both recommended ADMT as the tool of choice so I'll probably go that route.
Can you please list the reasons you'd opt to migrate XYZ into ABC as a single domain as opposed to creating a new, second domain in the same forest as ABC and then migrating to the new domain?
Would you say it's the norm for sister companies to be set up as single forest, single domain, as opposed to single forest, two domains? Is there essentially no benefit to having them as separate domains within the same forest?
LVL 12

Expert Comment

by:Steven Wells
ID: 40378193
It may come down to cost as well as admin complexity. You need to have more servers running as DCs to support more domains. You only need separate root forests if you plan to add child domains in future. ADMT is a good tool and works well provided you set it up correctly.
LVL 16

Assisted Solution

by:Joshua Grantom
Joshua Grantom earned 150 total points
ID: 40378195
We used to have our domain split into 3 regional sub-domains, and management of users, groups, permissions, GPOs, etc. became difficult, so management decided to migrate all users into a single domain and use OUs to separate our locations. That may be the best for you as well. It works a lot easier that way.

Having 2 domains in the same forest will still cause you to have to implement a two-way trust relationship even if they are in the same forest.
LVL 12

Expert Comment

by:Steven Wells
ID: 40378199
There is also no benefit in having separate domains unless needed to separate security between staff.

Author Comment

by:EndTheFed
ID: 40378245
Glad to hear that consensus; I was hoping single domain with separate OUs was the way to go.

What about DNS? In addition to the transitive domain trusts between ABC and XYZ, I also have a Conditional Forwarder set up in DNS between the two. Does that stay throughout the migration or need to be modified during the process?

@Joshua
You said you've done several mergers. Do you have a basic outline of your process you'd be willing to share? I could just use it as a template and modify as needed after I finish reading through the ADMT guide.
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40378307
I don't really have any generic templates; most of our documentation is company specific because of the massive size of our environment, but I will see if I can find something that may be able to help.
LVL 12

Expert Comment

by:Steven Wells
ID: 40378322
You need to keep your DNS set up throughout the migration stage to support your users and applications running on both domains. Once all resources and users have been migrated you can collapse the trusts and then DNS.
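Steven's point that the trust and the conditional forwarders must survive until the last object has moved is easy to check rather than assume. The following PowerShell is an added example (not from this thread) that verifies, from both sides, that the trust object is two-way, that each domain's DNS server still holds a conditional forwarder for the other, and that the DC locator can still find a DC across the trust. It assumes the ActiveDirectory module and WMI access to one DNS server per domain; all names are placeholders, and ZoneType 4 = conditional forwarder is taken from the MicrosoftDNS_Zone class documentation.

```powershell
# Added example (not from the thread): confirm the two-way trust, the
# conditional forwarders and DC location between both domains are intact.
# Assumes the ActiveDirectory module and WMI access to one DNS server in each
# domain; domain and server names below are placeholders.
Import-Module ActiveDirectory

$Domains = @{
    'abc.example' = 'dc1.abc.example'   # placeholder: target forest, its DNS server
    'xyz.example' = 'dc1.xyz.example'   # placeholder: source forest, its DNS server
}

function Test-TrustPair {
    param([string]$Local, [string]$Remote)
    # trustedDomain objects live under the System container of each domain.
    $t = Get-ADObject -Server $Local -LDAPFilter "(&(objectClass=trustedDomain)(name=$Remote))" `
         -Properties trustDirection, trustAttributes
    if (-not $t) { return "FAIL  $Local has no trust object for $Remote" }
    $dir = switch ($t.trustDirection) { 1 {'inbound'} 2 {'outbound'} 3 {'two-way'} default {'disabled'} }
    $kind = if ($t.trustAttributes -band 0x8) { 'forest' } else { 'external' }   # 0x8 = forest transitive
    $ok = if ($t.trustDirection -eq 3) { 'OK  ' } else { 'WARN' }
    return "$ok  $Local -> ${Remote}: $dir $kind trust"
}

function Test-Forwarder {
    param([string]$DnsServer, [string]$Remote)
    # MicrosoftDNS_Zone is the legacy WMI class that 2008 R2 DNS servers expose;
    # ZoneType 4 is a conditional forwarder (assumption from the class docs).
    $z = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS `
         -Class MicrosoftDNS_Zone -Filter "Name='$Remote'"
    if ($z -and $z.ZoneType -eq 4) {
        return "OK    $DnsServer forwards $Remote to $($z.MasterServers -join ',')"
    }
    return "FAIL  $DnsServer has no conditional forwarder for $Remote"
}

function Test-Locator {
    param([string]$Remote)
    # DC locator only succeeds if DNS for the other domain resolves from here.
    try {
        $dc = Get-ADDomainController -Discover -DomainName $Remote -ErrorAction Stop
        return "OK    located $($dc.HostName) for $Remote"
    } catch { return "FAIL  cannot locate a DC for $Remote ($($_.Exception.Message))" }
}

foreach ($local in $Domains.Keys) {
    $remote = $Domains.Keys | Where-Object { $_ -ne $local }
    Test-TrustPair -Local $local -Remote $remote
    Test-Forwarder -DnsServer $Domains[$local] -Remote $remote
    Test-Locator   -Remote $remote
}
```

Any FAIL line during the migration means ADMT will start failing on the next batch, so this is worth running before each batch and once more before you remove the trust and the forwarders at the end.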
LVL 12

Accepted Solution

by:Steven Wells
Steven Wells earned 350 total points
ID: 40378359
I have my last migration doc which I can clean and send to you. Just PM your email address.

Author Closing Comment

by:EndTheFed
ID: 40392085
Thanks for those answers Joshua
Thanks for the migration doc Steven
Both were very helpful

For anyone else looking to do this, I recently found this site: http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
which is very similar to the step-by-step doc Steven had sent me.