pramod1 asked on ACTIVE DIRECTORY
I have a domain, domain.com (existing domain), which is also a DC. I want to set up another DC as domain1.com (which is a new domain) on the same network.
I need to sync users from domain.com to domain1.com, which I think can be done through ADMT and PES.
But for constant sync between both domains, and if there is a trust relationship between both the domains, won't inter-site replication work?
If yes, what kind of trust relationship should I build?
ASKER
So you mean ISTG won't work between the domains?
ASKER
I need to create a user in domain.com and have it auto sync with domain1.com.
You need to trigger sync either on a schedule or after a user creation. ADMT is meant for migrations off one domain onto another, for example domain consolidations.
ASKER
You need to trigger sync - how?
ASKER
Can't I manually go to AD Sites and Services and do a manual replicate?
If you are creating a new AD forest, then I don't see any issues with replication.
Both forests will have their own AD sites within their own boundaries and nothing will break.
You can have a forest trust between both domains and can use ADMT for resource migration (inter-forest migration).
However, if you are adding a new tree root domain in the existing forest, then definitely the AD replication topology will be impacted.
There is no negative impact; the new DC from the tree domain (domain1.com) will get added to the existing AD site of domain.com and it will take an active part in replicating the configuration and schema partitions back and forth.
Also, in that case a transitive trust will be there by default, and importantly note that there would be user movement from domain.com to domain1.com through ADMT because you are doing an intra-forest migration.
Check this question:
https://www.experts-exchange.com/questions/28982077/ADMT-Intra-Forest-migration-questions.html
Mahesh.
ASKER
This will be a new AD forest. What I am asking is, if I create a user in domain.com, can it be replicated through ISTG to domain1.com?
What you are looking for is not possible out of the box,
because both forests' directory partitions are different and cannot replicate between each other.
You need FIM / MIM, which can sync / provision users from one forest to another over a forest trust.
Mahesh.
ASKER
So replication works between the same domains?
ASKER CERTIFIED SOLUTION
ASKER
I accepted your solution, but I am kind of confused with your remark.
"If you are creating a new AD forest, then I don't see any issues with replication.
Both forests will have their own AD sites within their own boundaries and nothing will break.
You can have a forest trust between both domains and can use ADMT for resource migration (inter-forest migration)" - this sentence confused me. So no auto replication, as both domains are in different forests - am I correct?
"If you are adding a new tree root domain in the existing forest, then definitely the AD replication topology will be impacted" - this means all AD partitions except the domain partition will replicate between domains in the same forest - am I correct?
I want to check whether domain1.com is added as a separate forest or just as a separate domain in the same forest.
How should I check?
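One way to answer the "how should I check" question above, as an added example that is not part of the thread: the ActiveDirectory RSAT module reports, for each domain, the forest it belongs to, so comparing the two answers tells you whether domain1.com is a tree domain in the existing forest or the root of its own forest. It assumes the domain names from the thread and that a DC of each domain is reachable from the machine running it.

```powershell
# Added example (not from the thread): is domain1.com a second domain in the
# same forest as domain.com, or the root of a separate forest?
# Assumes RSAT ActiveDirectory module and a reachable DC for each name.
Import-Module ActiveDirectory

function Get-DomainForestPlacement {
    param([Parameter(Mandatory)][string[]]$DomainNames)
    foreach ($dns in $DomainNames) {
        $d = Get-ADDomain -Identity $dns
        [pscustomobject]@{
            Domain       = $d.DNSRoot
            Forest       = $d.Forest            # forest root DNS name
            IsForestRoot = ($d.DNSRoot -eq $d.Forest)
            ParentDomain = $d.ParentDomain      # $null for a tree root or forest root
            DomainSid    = $d.DomainSID.Value
        }
    }
}

$placement = Get-DomainForestPlacement -DomainNames 'domain.com', 'domain1.com'
$placement | Format-Table -AutoSize

# One distinct forest name across both rows means one forest.
$forests = @($placement.Forest | Sort-Object -Unique)
if ($forests.Count -eq 1) {
    "Same forest ($($forests[0])): schema and configuration partitions replicate " +
    "between all DCs; each domain partition still replicates only inside its own domain."
    # The forest root lists every domain in the forest, domain1.com included.
    (Get-ADForest -Identity $forests[0]).Domains
} else {
    "Separate forests ($($forests -join ', ')): no AD replication between them; " +
    "users need ADMT (copy) or FIM/MIM (continuous sync) over a forest trust."
}

# Cross-check on the wire: in separate forests, DCs of the other domain
# never show up as replication partners of this domain's DCs.
foreach ($dns in 'domain.com', 'domain1.com') {
    $dc = (Get-ADDomain -Identity $dns).ReplicaDirectoryServers | Select-Object -First 1
    Get-ADReplicationPartnerMetadata -Target $dc |
        Select-Object Server, Partner, Partition, LastReplicationSuccess
}
```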
ASKER
Thank you Mahesh, but then again I am back to square one. If the domains are in separate forests then there is no replication, and if multiple domains are in the same forest then the domain partition won't replicate? Which is what I want: users from domain.com to domain1.com.
So I have to do it manually through ADMT, I have no choice.
If the users are in a different forest, you can use FIM / MIM to replicate users with continuous sync, or you can use ADMT, which will migrate (copy) users from the source to the target domain.
If the users are part of the same forest in multiple domains, ADMT cannot copy the users; ADMT can only move users from the source to the target domain in the same forest. But here also you can provision and sync users with FIM / MIM - FIM / MIM is nothing but Microsoft Identity Manager, which can provision / sync accounts between domains.
ASKER
Last question Mahesh,
so in the different-forest scenario ADMT will copy user objects, and in different domains in the same forest ADMT will move the objects.
So what is the difference?
So, in the case of an inter-forest migration, the source account and target account are both available for use.
The user can use both accounts in the source and target forests respectively.
In short, source services will not be impacted by the migration.
Between domains in the same forest, once an account is moved from source to target, source services / resources cannot be accessed with the source account because it is no longer available in the source after the move.
Ex:
In source domain A, userA used to log on to computerA as domainA\userA.
Now you moved userA to domain B; now if userA wants to log on to computerA, which is in domain A, he needs to use domainB\userA.
This is just an example; you can get the idea from this.
Finally, it depends on your scenario whether you need to move accounts within the same forest or you need to create a new forest and migrate (copy) accounts across forests.
If you have confusion here, then it's a good time to hire an AD architect who can design your AD topology.
Mahesh.
ASKER
Thanks, that helped.
For ADMT to work you need a two-way trust without SID filtering. SID filtering will prevent SID history from working.
I prefer to use conditional forwarders within DNS to allow cross-domain lookups.
As for PES, it monitors password changes on one domain and syncs them to the other domain.
None of these are a constant sync.
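The prerequisites in the answer above (a two-way trust, SID filtering relaxed so SID history can be migrated, and a conditional forwarder for the other domain's DNS zone) can be verified from a DC before running ADMT. This is an added example, not code from the thread; it assumes the ActiveDirectory and DnsServer RSAT modules, the domain names from the thread, and that it runs on a DC/DNS server of domain.com with rights to query domain1.com.

```powershell
# Added example (not from the thread): check trust direction, SID filtering and
# DNS conditional forwarders before an ADMT migration between the two domains.
Import-Module ActiveDirectory
Import-Module DnsServer

$Source = 'domain.com'     # names from the thread
$Target = 'domain1.com'

function Test-AdmtTrust {
    param([string]$LocalDomain, [string]$RemoteDomain)
    $t = Get-ADTrust -Filter "Name -eq '$RemoteDomain'" -Server $LocalDomain
    if (-not $t) {
        return [pscustomobject]@{ Trust = "$LocalDomain -> $RemoteDomain"; Present = $false }
    }
    [pscustomobject]@{
        Trust            = "$LocalDomain -> $RemoteDomain"
        Present          = $true
        Direction        = $t.Direction           # ADMT needs BiDirectional
        ForestTransitive = $t.ForestTransitive    # forest trust vs. external trust
        IntraForest      = $t.IntraForest         # $true means same forest: ADMT moves, not copies
        # Quarantine = SID filtering on an external trust; it blocks SID history.
        # Clear it with: netdom trust <trusting> /domain:<trusted> /quarantine:No
        SidFilterQuarantined = $t.SIDFilteringQuarantined
        # For a forest trust the effective setting is changed with
        # netdom trust ... /enablesidhistory:Yes; the raw flag is reported here.
        SidFilterForestAware = $t.SIDFilteringForestAware
    }
}

# Check both sides; a trust created one-way only shows up on one of them.
Test-AdmtTrust -LocalDomain $Source -RemoteDomain $Target
Test-AdmtTrust -LocalDomain $Target -RemoteDomain $Source

function Test-ConditionalForwarder {
    param([string]$ZoneName)
    $z = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone       = $ZoneName
        Present    = [bool]$z
        ZoneType   = $z.ZoneType                          # expect 'Forwarder'
        Forwarders = if ($z) { ($z.MasterServers.IPAddressToString -join ', ') } else { '' }
    }
}

# The local DNS server must resolve the other domain for the trust to be usable.
Test-ConditionalForwarder -ZoneName $Target
```

Run the forwarder check on a DNS server of domain1.com as well, with `-ZoneName $Source`, since lookups have to work in both directions.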