Solved

Active Directory trust advantages and disadvantages when setting up trusts for more than 15 new locations?

Posted on 2015-02-05
9
670 Views
Last Modified: 2015-02-07
Hi people,

I have some questions regarding the Active Directory trust model and planning for my current company's situation.

At the moment I only have one single-forest AD domain (let's say ParentCompany.com) with the domain and forest functional level at Windows Server 2003. The main domain controller FSMO role holder is in the Data Center, spread across three different VMs running Windows Server 2008 R2.

Domain: ParentCompany.com
Head Office: City A, Location A
Data Center: City A, Location B

Recently, the parent company has been acquiring some other smaller companies in multiple different geographical locations. But each of these companies is running its own Active Directory domain, one per city or office, like the following:

Domain: NewCompany1.com
Office: City A, Location A

Domain: NewCompany2.com
Office: City B, Location B

Domain: NewCompany3.com
Office: City C, Location C
…..
Domain: NewCompany13.com
Office: City X, Location X

So in this case, what are the benefits or advantages of creating an Active Directory trust from each of the new company ADs above to the main head office ParentCompany.com?

If you have any other good suggestions for the AD setup than the above, please share them here.

Thanks
0
9 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 40592824
The biggest issue with having trusts in place rather than migrating them all to the same domain will be the management side of it. You will need to manage everything independently, for example Group Policies, maintenance, monitoring, backups, etc.

Having them under one domain will make management much easier and it will centralize everything.

You also have to take into consideration other Active Directory-aware applications like Exchange Server, which will also need to be managed independently.

Will.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40592867
Many thanks Will,

So yes, in this case what's the side effect for the users in the newly acquired company when their Active Directory domain is deleted and the ParentCompany.com domain is introduced to all of the branch office locations?

Because in the current situation, in every branch office there is one domain controller in each building. If I consolidate it into the existing ParentCompany.com domain controller in the Data Center (City A, Location B), would there be any side effects, apart from needing to recreate all of their user accounts and Exchange mailboxes?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40592888
You can use the Active Directory Migration Tool to migrate AD objects to your domain. Depending on the latency at the remote offices you could have the users authenticate back to your DCs in the main office.

The only time you really require a DC in a remote location is if you will be using Exchange / slow WAN links. Personally, if you can afford to have a DC in the location it would be beneficial, because if the WAN goes down then no one can authenticate.

If you have a DC at each site, users will still be able to access local file servers, printers, etc.

Also, depending on how you are going to set up the DC placement, you will also need to configure Sites and Services subnets and site links for each site. Even if you have a site with no DCs, you will have to associate the IP subnet of the remote site with the AD site where you want authentication to take place.

ADMT download
http://www.microsoft.com/en-ca/download/details.aspx?id=19188

ADMT step by step

http://social.technet.microsoft.com/wiki/contents/articles/11996.interforest-migration-with-admt-3-2-part-1.aspx

Will.
0
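Will's last point (map the remote subnet to a site even when that site has no DC) is the part most often skipped, so here is an added PowerShell example of it; this is my illustration, not code from Will or from the thread. It creates a DC-less branch site, maps the branch subnet to it and links the site to the head office site, so that automatic site coverage sends branch clients to the head office DCs. The site names, subnets, link cost and the existence of a site called HeadOffice-CityA are placeholders I made up. The cmdlets are from the ActiveDirectory module that ships with Windows Server 2012 / RSAT, so I assume a 2012-or-later management host talking to the 2008 R2 DCs over ADWS.

```powershell
# Added example (not from the thread): create a DC-less branch site, map its
# subnets and link it to the head-office site. Names and addresses are placeholders.
# Requires the ActiveDirectory module (Windows Server 2012 RSAT or later).
Import-Module ActiveDirectory

# Constructed inventory: one entry per branch office from the question.
$HeadOfficeSite = 'HeadOffice-CityA'          # assumed existing site that holds the DCs
$Branches = @(
    @{ Site = 'Branch-CityB'; Subnets = @('10.20.0.0/24');                Location = 'City B, Location B' },
    @{ Site = 'Branch-CityC'; Subnets = @('10.30.0.0/24', '10.30.1.0/24'); Location = 'City C, Location C' }
)

function New-BranchSite {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string[]]$Subnets,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$HubSite,
        [int]$Cost = 200,                # above the default 100 so the hub link is clearly preferred
        [int]$ReplicationMinutes = 60
    )

    # 1. Site object (idempotent: skipped if it already exists).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName -Description "Branch without local DC; served by $HubSite"
    }

    # 2. Subnet -> site mapping. A client on an unmapped subnet has no site, so
    #    the DC locator may hand it any DC in the domain, across any WAN link.
    foreach ($net in $Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$net'")) {
            New-ADReplicationSubnet -Name $net -Site $SiteName -Location $Location
        }
    }

    # 3. Site link to the hub. With no DC in the branch, the link cost is what
    #    automatic site coverage uses to pick which site's DCs cover the branch.
    $linkName = "$HubSite-$SiteName"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $HubSite, $SiteName `
            -Cost $Cost -ReplicationFrequencyInMinutes $ReplicationMinutes `
            -InterSiteTransportProtocol IP
    }
}

foreach ($b in $Branches) {
    New-BranchSite -SiteName $b.Site -Subnets $b.Subnets -Location $b.Location -HubSite $HeadOfficeSite
}

# Verification: every subnet should show a site. An empty Site column marks a
# subnet whose clients will still get an arbitrary DC.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Location, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Sort-Object Site |
    Format-Table -AutoSize
```

After the change, `nltest /dsgetsite` on a branch workstation should report the branch site name, and `nltest /dsgetdc:parentcompany.com` should return a head office DC; if it still returns a random DC, the workstation's subnet is not covered by one of the mapped ranges.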
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40592926
Wow, I never knew that a tool existed to migrate AD user accounts from one AD domain to another.

So do I still need to create the trust in order to copy / transfer the user accounts to my domain in a certain OU?

So in this case the last thing to do for all of the servers and workstations is to leave the old AD domain (NewCompany1.com), reboot, and then join the new domain (ParentCompany.com) after the AD user accounts are deleted.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40593379
How big are the acquired companies?

I mean the number of users, computers and servers, approximately?

Are they using their own email solution?
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40593391
Mahesh, the companies have around 50 users, up to 100, in one domain.

Computers around 20, and 5 servers including domain controllers in each of the branch offices.

The email is not a problem because I have already deployed a terminal server in my domain to access the Exchange server.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 300 total points
ID: 40594307
So you mean to say there are 20 computers per company, with 100 users and 5 servers including domain controllers?

You can use ADMT, but ADMT cannot take care of email solution migration.
You need to grant migrated users a new mailbox in your Exchange and then restore their original mailbox data in the form of a PST.

You should set up a domain trust with one company at a time, migrate users and computers with ADMT, migrate file servers, and after all server migration is finished, decommission the domain controller, because domain controllers in the source domain cannot be migrated; you must decommission them.
Ensure that the source and target domain functional level is 2003 minimum.

User migration and group migration can happen over a slow WAN link as well and it's a painless activity; however, migration of computers over a WAN link will require good network bandwidth.
If you have 2 to 4 Mbps network bandwidth between sites, the tool will migrate computers without any issues.
However, if the link speed is not good (1 Mbps or 512 Kbps), you should probably migrate computers manually from the source domain to the target domain one by one to avoid failures,
because ADMT will push an agent onto the client computers and this agent migrates the computers.

Lastly, for only 20 computers I would prefer to let the machines authenticate over the WAN link to my HO location.

You could probably hire an AD consultant to migrate one domain to get a feel for how it works, and then you can own the other domains,
OR
you could probably set up a test lab with TWO forests to play with and do a cross-forest migration with ADMT to get a better understanding and feel.
There are a lot of things involved in an ADMT migration, right from setting up name resolution, building the trust, enabling SID History, maintaining co-existence, migrating groups, users, computers, servers and so on.
Also, if there is an Exchange server in both source and target, then it complicates the migration because ADMT cannot migrate Exchange attributes, and in that case the whole migration process gets changed in the flavor of MS Exchange.
Check the article below for more information:
http://www.experts-exchange.com/Networking/Windows_Networking/Q_28338438.html
0
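Mahesh lists the prerequisites (2003 functional level on both sides, name resolution, a trust, SID History) without showing how to verify them, so here is an added PowerShell pre-flight check; it is my example, not Mahesh's document or anything from the ADMT guide verbatim. It reads the domain and forest modes of both domains, checks that the target's DNS can resolve the source domain's DC SRV records, reports the trust as seen from the target (direction, transitivity, SID filtering quarantine), and checks the two SID History prerequisites that live in the source domain: the TcpipClientSupport registry value on the source PDC emulator and the <SourceNetBIOS>$$$ group. The domain names are the placeholders from the question; I assume a Windows Server 2012+/RSAT host with the ActiveDirectory module, WinRM access to the source PDC emulator, and an account that can read both domains.

```powershell
# Added example (not from the thread): pre-flight checks for an inter-forest
# ADMT migration. Domain names are the placeholders from the question.
# Assumes the ActiveDirectory module (2012+/RSAT), Resolve-DnsName (DnsClient
# module), WinRM to the source PDC emulator, and read rights in both domains.
Import-Module ActiveDirectory

function Test-AdmtPrerequisites {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,   # e.g. newcompany1.com
        [Parameter(Mandatory)][string]$TargetDomain    # e.g. parentcompany.com
    )

    $src       = Get-ADDomain -Server $SourceDomain
    $tgt       = Get-ADDomain -Server $TargetDomain
    $srcForest = Get-ADForest -Server $SourceDomain
    $tgtForest = Get-ADForest -Server $TargetDomain

    # 1. Functional level: Windows Server 2003 minimum on both sides, as the
    #    thread says. Windows 2000 and 2003 Interim modes fail the check.
    $tooLow  = 'Windows2000Domain', 'Windows2003InterimDomain'
    $levelOk = ($src.DomainMode -notin $tooLow) -and ($tgt.DomainMode -notin $tooLow)

    # 2. Name resolution from where this runs (the target side): the source
    #    domain's DC locator SRV records must resolve. If not, add a conditional
    #    forwarder on the target DNS servers (see the usage note below).
    $srcResolves = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SourceDomain" `
                              -Type SRV -ErrorAction SilentlyContinue)

    # 3. Trust as seen from the target domain. ADMT inter-forest work needs a
    #    trust towards the source; two-way is the simplest configuration.
    $trust = Get-ADTrust -Server $TargetDomain -Filter * |
             Where-Object { $_.Target -eq $SourceDomain }

    # 4. SID History prerequisites in the source domain (from the ADMT guide):
    #    TcpipClientSupport = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on
    #    the source PDC emulator, and a local group named <SourceNetBIOS>$$$.
    $tcpip = Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
             -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
    }
    $sidGroupName = $src.NetBIOSName + '$$$'            # e.g. NEWCOMPANY1$$$
    $sidGroup = Get-ADGroup -Server $SourceDomain -LDAPFilter "(name=$sidGroupName)"

    [pscustomobject]@{
        SourceDomain              = $src.DNSRoot
        SourceDomainMode          = $src.DomainMode
        SourceForestMode          = $srcForest.ForestMode
        TargetDomainMode          = $tgt.DomainMode
        TargetForestMode          = $tgtForest.ForestMode
        FunctionalLevelOk         = $levelOk
        SourceDcSrvRecordsResolve = $srcResolves
        TrustPresent              = [bool]$trust
        TrustDirection            = $trust.Direction            # BiDirectional is what you want
        TrustForestTransitive     = $trust.ForestTransitive
        SidFilteringQuarantined   = $trust.SIDFilteringQuarantined
        SourcePdcEmulator         = $src.PDCEmulator
        TcpipClientSupport        = $tcpip                      # expect 1
        SidHistoryGroupExists     = [bool]$sidGroup
    }
}

# Usage with the placeholder names from the question:
Test-AdmtPrerequisites -SourceDomain 'newcompany1.com' -TargetDomain 'parentcompany.com' | Format-List
```

If SourceDcSrvRecordsResolve comes back False, the usual fix on the target DNS servers is a conditional forwarder for the source domain, for example `Add-DnsServerConditionalForwarderZone -Name 'newcompany1.com' -MasterServers 10.20.0.10 -ReplicationScope Forest` (DnsServer module; the address is a placeholder). Account-management auditing, which ADMT also requires on both domains for SID History, is a per-DC audit policy setting and is not checked here; confirm it with `auditpol /get /category:"Account Management"` on the DCs.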
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40594874
Many thanks Mahesh for the detailed explanation.

In this case yes, there is more advantage in doing the migration from the smaller company AD domain to the parent company AD domain. So in order to use ADMT, the domains must be trusted two ways first so that the migration of the user objects and also the computer objects can be done, is that true?
Example:
NewCompany1\user1 will become ParentCompany\user1, and so on.

What about the servers? Does the domain membership of the servers also get migrated and rebooted automatically as well?

There is no Exchange server in the new company AD domain, so no need to worry about Exchange server mailbox migration.
0
 
LVL 37

Accepted Solution

by:Mahesh
Mahesh earned 300 total points
ID: 40595345
ADMT works on a domain trust in the case of inter-forest migration.
If you have an intra-forest migration, the trust is already in place.

Migration Sequence:
Groups
Users
Computers
Servers

See the attached document I built long ago for a customer as prerequisites for domain migration.
Spare half an hour and go through the document.
I have mentioned all prerequisites, limitations, migration sequence and so on.

Computers and servers are migrated in the same way; only you migrate computers first and lastly you migrate servers.
Domain-Migration-Prerequisites.pdf
0
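To make the migration sequence from the accepted solution concrete, here is an added PowerShell example, mine and not from Mahesh's document, that inventories the source domain and writes one batch file per phase in that order: groups, users, workstations, servers. It leaves out the source domain controllers, which the thread notes cannot be migrated and are decommissioned at the end, and skips built-in (critical system) groups and accounts, which ADMT does not migrate either. The domain name and output folder are placeholders, and the assumption that ADMT will take a plain text list with one object name per line as an include file is mine; check the include-file format in the ADMT guide before feeding these files in.

```powershell
# Added example (not from the thread): build per-phase ADMT batch lists from the
# source domain in the order groups -> users -> workstations -> servers, leaving
# out domain controllers and built-in objects. Names and paths are placeholders.
Import-Module ActiveDirectory

function Get-MigrationBatches {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,   # e.g. newcompany1.com
        [string]$SearchBase                            # optional OU DN to scope the inventory
    )
    $common = @{ Server = $SourceDomain; Filter = '*' }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # Source DCs are never migrated; they are demoted after the last server moves.
    $dcNames = @((Get-ADDomainController -Server $SourceDomain -Filter *).Name)

    # Phase 1: groups (built-ins such as Domain Admins are critical system objects).
    $groups = Get-ADGroup @common -Properties isCriticalSystemObject |
              Where-Object { -not $_.isCriticalSystemObject }

    # Phase 2: users (skips krbtgt, Guest and the like for the same reason).
    $users  = Get-ADUser @common -Properties isCriticalSystemObject |
              Where-Object { -not $_.isCriticalSystemObject }

    # Phases 3 and 4: computers, split on the OS string, minus the DCs.
    $computers    = Get-ADComputer @common -Properties OperatingSystem |
                    Where-Object { $_.Name -notin $dcNames }
    $servers      = $computers | Where-Object { $_.OperatingSystem -like '*Server*' }
    $workstations = $computers | Where-Object { $_.OperatingSystem -notlike '*Server*' }

    $groupNames  = @($groups       | Sort-Object SamAccountName | Select-Object -ExpandProperty SamAccountName)
    $userNames   = @($users        | Sort-Object SamAccountName | Select-Object -ExpandProperty SamAccountName)
    $wsNames     = @($workstations | Sort-Object Name           | Select-Object -ExpandProperty Name)
    $serverNames = @($servers      | Sort-Object Name           | Select-Object -ExpandProperty Name)

    # Ordered so that iterating the keys reproduces the migration sequence.
    [ordered]@{
        '1-Groups'       = $groupNames
        '2-Users'        = $userNames
        '3-Workstations' = $wsNames
        '4-Servers'      = $serverNames
        'ExcludedDCs'    = $dcNames          # kept for the decommission checklist
    }
}

# Usage with placeholders: one text file per phase, one object name per line.
$batches = Get-MigrationBatches -SourceDomain 'newcompany1.com'
$outDir  = 'C:\ADMT\Batches\newcompany1'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($phase in $batches.Keys) {
    $batches[$phase] | Set-Content -Path (Join-Path $outDir "$phase.txt") -Encoding ASCII
    '{0,-16} {1,5} objects' -f $phase, $batches[$phase].Count
}
```

Running the phases in this order matters for the reasons the thread gives: groups first so that migrated users land in already-migrated groups, users next, then the workstations (which the ADMT agent touches over the WAN, hence Mahesh's bandwidth caveat), and servers last so that file and application servers move only once their users and groups already exist in ParentCompany.com.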
