Join two separate domains together with new Separate DC on a new network

Posted on 2015-02-17
Last Modified: 2015-02-20
I am needing a little advice. We have been acquired by another company and we have a few networking and domain challenges in front of us. They are planning on acquiring more companies besides ours, and we will have other networks who will be joining ours. Currently we have the largest of the two networks. We have a domain controller compA and two other DCs in satellite offices in other states via point-to-point VPN connections. The company that acquired us, CompB, has one DC. We are thinking we may set up a DC in Azure and have that be the main DC with all the roles on that DC, and call that DC a separate local domain name other than what we have: domainA, domainB, and the new domain will be DomainC. My question is: how does this work? Will all the users be able to log into domain A, B, or C? Do you just install the new DC and trust the other two domains, and eventually migrate the PCs to the new DC, and then at some point demote and promote back the other DCs to match the new domain name? Not sure on the best way to do this, but do note that we want a new local domain so that eventually we all log in to the same domain. We have 150 users in different cities and they have about 50 users locally and 20 in different cities who terminal service in.
Question by: micromark1
LVL 53

Assisted Solution

Will Szymkowski earned 333 total points
ID: 40615556
There are a few things to consider...
- You can create 2-way forest trusts between each of the domains. This will allow domainA to log in to domainB and also use domainB's resources. This is a quick and easy way to get the domains communicating.

- The downfall for the above is that the administrative effort will be much greater, as you have to individually manage all of the policies/machines/groups separately.

- Good thing about the above scenario is that you can break the trust at any time and the domains stay completely separate and continue operating like they did before.

- Second option you have is merging all of the domains into one using the ADMT Tools. This takes more work upfront but requires less administrative effort once all of the objects have been migrated. Best way to approach this scenario would be to migrate the smaller domains (less objects) into the domain with the larger amount of objects.

ADMT download - http://blogs.technet.com/b/activedirectoryua/archive/2010/06/25/active-directory-migration-tool-v3-2-admt-and-migration-guide-released.aspx

ADMT Migration Guide - http://www.microsoft.com/en-ca/download/details.aspx?id=19188

LVL 18

Assisted Solution

Akinsd earned 167 total points
ID: 40615637
You'll also need to add DNS suffixes for both domains for cross references; otherwise, you'll need the FQDN to connect across domains.
E.g. computer1 in domain A wants to access computer2 in domain B.
With the DNS suffixes in forward lookup zones configured you can just type computerB and the DNS server will forward the traffic.
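Added example (PowerShell), not code from either answer or the asker: it shows the cross-forest name resolution setup Akinsd describes (conditional forwarder plus client DNS suffix search list) and a check of the trust itself. The domain names and DNS server address are constructed placeholders.

```powershell
# Added example, not from the thread. Assumed/constructed values:
# domainA.local (local forest), domainB.local (trusted forest),
# 10.20.0.10 = a DNS server (DC) in domainB.
$localDomain  = "domainA.local"
$remoteDomain = "domainB.local"
$remoteDns    = "10.20.0.10"

# 1. On a DNS server in domainA: conditional forwarder so queries for
#    *.domainB.local go to domainB's DNS servers. Repeat the mirror-image
#    step on a domainB DNS server pointing at domainA.
Add-DnsServerConditionalForwarderZone -Name $remoteDomain `
    -MasterServers $remoteDns -ReplicationScope "Forest"

# 2. On the workstations (by GPO or directly): suffix search list so that
#    "computer2" is tried as computer2.domainA.local, then
#    computer2.domainB.local, without the user typing the FQDN.
Set-DnsClientGlobalSetting -SuffixSearchList @($localDomain, $remoteDomain)

# 3. Verify that the short name now resolves through the remote suffix.
Resolve-DnsName -Name "computer2" -Type A

# 4. Verify the trust and, importantly, its Direction: a consolidation
#    trust is deliberately one-way (Inbound or Outbound), whereas the
#    quick "everyone can use everyone's resources" setup is BiDirectional.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType

# 5. Classic check that the trust's secure channel is healthy.
netdom trust $localDomain /domain:$remoteDomain /verify
```

Steps 1 and 4-5 run on a domain controller / DNS server; step 2 is a client-side setting.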

Author Comment

ID: 40619352
Can you do this with as many domains as you want? Or is there a limit?
If I made a DOMAIN C on a DC in an Azure cloud and we wanted that domain to be the "master domain" (I'm sure there is a better term than that). But on this DC we would want to make it where we could trust other domains that might join us in the future, and if needed their network could eventually join that domain where they would physically be logging into it? For instance the network we are moving in with has a domain name of "workgroup" and I'm sure we are going to want to eventually change that local domain name, and we may eventually make it where our local domain name is the same as domain C as well. We would just want domain C to have the authority where other domains we may trust would not be able to log in to it or change any group policies etc. I guess having trusts set up at least lets their local network people still have access to their part of the network until you want to either bring them into domain C, or let them stay on their own domain, but you would just have separate group policies, logins, etc. Would any of the group policies you set in Domain C be able to replicate down through the trusts if you left them that way? Sorry for all the questions. I am just used to one-domain networks on a much smaller scale and now I'm in this position and have to get my P's and Q's down before I do anything.

LVL 53

Accepted Solution

Will Szymkowski earned 333 total points
ID: 40619377
If I made a DOMAIN C on a DC in an Azure cloud and we wanted that domain to be the "master domain"
When you have Forest Root Domains connected there is no master domain. They are all individual domains and they have to all be managed separately (GPOs/Users/Groups/other AD objects). They are completely separate Forest Root Domains. Yes, you can create GPOs in each of the domains, but they do not propagate down to the other domains.

I think you might have this confused with Forest Root Domains and Child Domains, where you can push site-level policies to child domains (but this is not recommended).

Having multiple domains with trusts is exactly what it is, and nothing more. They still act as their own domain respectively. You are just allowing authentication/communication with another Forest Root Domain.


Author Comment

ID: 40620038
One last comment, and just to be clear on something. You can have multiple trusts going on, right? In theory you could have 5 or even 10 domains trusting everyone, or just some domains trusting a few? And at any given time if you wanted, you could join some networks to your "main" domain as long as there was connectivity and you just demoted their DC at some point.

Author Comment

ID: 40620204
When you have a two-way trust, can a workstation log into either domain?
LVL 18

Expert Comment

ID: 40620746
The workstation will be authenticated by the domain it belongs to.

I think what you meant is: can a user log into either domain from any computer? The answer to that is yes.
ComputerOne belongs to Domain1
UserA belongs to Domain1
UserB belongs to Domain2
UserA will log on to ComputerOne as Domain1\UserA
UserB will log on to ComputerOne as Domain2\UserB.

You should however plan to consolidate to one domain.
The ideal way to do this is to create a one-way trust:
Domain1 trusts Domain2.
You can then migrate all the users with their passwords from Domain1 to Domain2.
Then migrate all the computers in Domain1 to Domain2.
This ensures that only users in Domain2 can log onto the computers.
Create new users in Domain2.
