pramod1 asked:

ACTIVE DIRECTORY

I have a domain, domain.com (existing domain), which is a DC. I also want to set up another DC as domain1.com (which is a new domain) on the same network.

I need to sync users from domain.com to domain1.com, which I think can be done through ADMT and PES.

But for a constant sync between both domains, and if there is a trust relationship between both domains, won't inter-site replication work?

If yes, what kind of trust relationship should I build?
Shaun Vermaak:

Yes, you can use ADMT for object migration and PES for password sync.

For ADMT to work you need a two-way trust without SID filtering. SID filtering will prevent SID history from working.
I prefer to use conditional forwarders within DNS to allow cross domain lookups.

As for PES, it monitors password changes on a domain and syncs them to the other domain.

None of these is a constant sync.
pramod1 (asker):

So you mean ISTG won't work between the domains?
pramod1 (asker):

I need to create a user in domain.com to auto-sync with domain1.com.

You need to trigger the sync either on a schedule or after a user creation. ADMT is meant for migrations off one domain onto another, for example domain consolidations.
pramod1 (asker):

You need to trigger the sync - how?
pramod1 (asker):

Can't I manually go to AD Sites and Services and do a manual replicate?
If you are creating a new AD forest, then I don't see any issues with replication.
Both forests will have their own AD sites within their own boundaries and nothing will break.
You can have a forest trust between both domains and can use ADMT for resource migration (inter-forest migration).

However, if you are adding a new tree root domain in the existing forest, then definitely the AD replication topology will be impacted.
There is no negative impact; the new DC from the tree domain (domain1.com) will get added to the existing AD site of domain.com and will take an active part in replicating the configuration and schema partitions back and forth.
Also, in that case a transitive trust will be there by default, and importantly note that there would be user movement from domain.com to domain1.com through ADMT because you are doing an intra-forest migration.
Check this question:
https://www.experts-exchange.com/questions/28982077/ADMT-Intra-Forest-migration-questions.html

Mahesh.
pramod1 (asker):

This will be a new AD forest. What I am asking is: if I create a user in domain.com, can it be replicated through ISTG to domain1.com?

What you are looking for is not possible out of the box,

because both forests' directory partitions are different and cannot replicate with each other.

You need FIM / MIM, which can sync / provision users from one forest to another over a forest trust.

Mahesh.
pramod1 (asker):

So replication works between the same domains?
ASKER CERTIFIED SOLUTION
Mahesh
pramod1 (asker):

I accepted your solution, but I am kind of confused with your remark.

"If you are creating a new AD forest, then I don't see any issues with replication.
Both forests will have their own AD sites within their own boundaries and nothing will break.
You can have a forest trust between both domains and can use ADMT for resource migration (inter-forest migration)" - this sentence confused me. So no auto replication, as both domains are in different forests - am I correct?
"If you are adding a new tree root domain in the existing forest, then definitely the AD replication topology will be impacted" - this means all AD partitions except the domain partition will replicate between domains in the same forest - am I correct?
I want to check whether domain1.com is added as a separate forest or just as a separate domain in the same forest.

How should I check?
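An added PowerShell check, not posted by any participant in this thread, for the question above of whether domain1.com is a separate forest or a tree-root domain in the same forest, and for the trust properties Shaun mentioned earlier (two-way trust, SID filtering). It assumes the RSAT ActiveDirectory module is installed, the session can query both domains, and the domain names are the ones from the question.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module
# and the domain names from the question.
Import-Module ActiveDirectory

$sourceDomain = 'domain.com'    # existing domain from the question
$targetDomain = 'domain1.com'   # new domain from the question

# 1. Forest membership: a tree-root domain added to the existing forest
#    appears in that forest's Domains list; a separate forest does not.
$forest = Get-ADForest -Server $sourceDomain
$sameForest = $forest.Domains -contains $targetDomain
if ($sameForest) {
    Write-Output "$targetDomain is a domain in forest $($forest.Name): schema and configuration partitions replicate between its DCs, the domain partition does not; ADMT can only MOVE users (intra-forest)."
} else {
    Write-Output "$targetDomain is NOT in forest $($forest.Name): no AD replication between them; ADMT COPIES users, or use FIM/MIM for continuous provisioning."
}

# 2. Trust properties that matter for ADMT and SID history.
#    -Filter (not -Identity) so a missing trust returns nothing instead of throwing.
$trust = Get-ADTrust -Filter "Name -eq '$targetDomain'" -Server $sourceDomain
if (-not $trust) {
    Write-Output "No trust from $sourceDomain to $targetDomain found."
} else {
    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction               # ADMT wants BiDirectional
        ForestTransitive        = $trust.ForestTransitive        # True for a forest trust
        IntraForest             = $trust.IntraForest             # True for domains in one forest
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined # netdom trust /Quarantine setting
        SIDFilteringForestAware = $trust.SIDFilteringForestAware # forest-trust SID filtering setting
    } | Format-List

    if ($trust.Direction -ne 'BiDirectional') {
        Write-Warning 'ADMT needs a two-way trust.'
    }
    if ($trust.SIDFilteringQuarantined) {
        Write-Warning 'Trust is quarantined: SID history from the source domain will be filtered.'
    }
    # For a forest trust, the forest-aware SID filtering setting (netdom trust
    # /EnableSIDHistory) also governs whether SID history is honoured; review it
    # with netdom before relying on SID history during an ADMT migration.
}
```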
pramod1 (asker):

Thank you Mahesh, but then again I am back to square one. If the domains are in separate forests then there is no replication, and if multiple domains are in the same forest then the domain partition won't replicate? Which is what I want: users from domain.com to domain1.com.

So I have to do it manually through ADMT; I have no choice.

If the users are in a different forest, you can use FIM / MIM to replicate users with continuous sync, or you can use ADMT, which will migrate (copy) users from the source to the target domain.

If the users are part of the same forest in multiple domains, ADMT cannot copy the users; ADMT can only move users from the source to the target domain in the same forest. But still, here also you can provision and sync users with FIM / MIM. FIM / MIM is nothing but Microsoft Identity Manager, which can provision / sync accounts between domains.
pramod1 (asker):

Last question, Mahesh:

So in the different-forest scenario ADMT will copy user objects, and for different domains in the same forest ADMT will move the objects.

So what is different?

So, in the case of an inter-forest migration, the source account and the target account are both available for use.
The user can use both accounts in the source and target forests respectively.
In short, source services will not be impacted by the migration.

For domains within the same forest, once an account is moved from source to target, source services / resources cannot be accessed with the source account because it is no longer available in the source after the move.
Ex:
In source domain A, userA used to log on to computerA as domainA\userA.
Now you moved userA to domain B; if userA wants to log on to computerA, which is in domain A, he needs to use domainB\userA.
This is just an example; you can get the idea from this.

Finally, it depends on your scenario whether you need to move accounts within the same forest or you need to create a new forest and migrate (copy) accounts across forests.
If you have confusion here, then it's a good time to hire an AD architect who can design your AD topology.

Mahesh.
pramod1 (asker):

Thanks, that helped.