Windows Server 2003 DC transfer from one forest to other
Dear All,
Please help me for the below scenario.
I am a child domain in the worldwide forest of my company. I have 2 DCs in my domain. I have multiple users in my domain and I am using Exchange Server 2003 for email. And the main Exchange server is also at the co-location of our company.
Now our parent company's management has changed, so I have to separate my domain and Exchange from the existing company's forest. There are two possible scenarios:
1. I will transfer my domain from this forest to the new company forest. Is it possible through ADMT? And how? Please refer me to some detailed step-by-step procedure.
2. I will make my DC the first DC in the forest (I mean I will create my own forest using my existing DCs and the same domain name). For this purpose I don't know the way to go; how can I achieve this? Please help.
Also please tell me if there are any other possible problems i can face after getting separate from the forest.
Best Regards,
Rashid Ali
May 11th, 2012 10:04am
Hello,
I will transfer my domain from this forest to the new company forest. Is it possible through ADMT? And how? Please refer me to some detailed step-by-step procedure.
You can create a new domain in a new forest and then migrate your AD resources using ADMT to the new domain.
Note that the new domain should have:
Different SID
Different DNS name
Different NetBIOS name
You have to prepare a migration plan. Details in the official guide: http://www.microsoft.com/en-us/download/details.aspx?id=19188
I will make my DC the first DC in the forest (I mean I will create my own forest using my existing DCs and the same domain name). For this purpose I don't know the way to go; how can I achieve this? Please help.
If you want to use an existing DC then you will have to demote it and then to create a new domain in a new AD forest on it.
Before demoting it, you will need:
To transfer FSMO roles to another DC if it is an FSMO holder. Run netdom query fsmo to get the list of FSMO holders.
Check that there is at least a healthy DC / DNS / GC server in your actual AD domain. For diagnosis, you can run dcdiag /v /e on DCs you have.
There is no issue by having a new AD forest. Just see if you will need migrating applications and if they support interaction with users in a separate AD forest.
Don't forget to create the trust relationship between forests! You can create a Forest trust relationship if your FFL is Windows Server 2003 or higher.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
May 11th, 2012 10:17am
Hi,
Thanks for the prompt reply. I understood the first of the solutions and I believe I am losing none of my users or AD objects in scenario 1.
The second solution you have provided is also understood, but I think I will lose all the AD users and settings in this procedure. Is it so?
Please note that I don't want to lose any AD object, especially the users, because I am running the email as well, and I also want to give minimum downtime to my users.
Please also refer me to any KB articles for ADMT migration and new forest creation, if there are any.
Thank you.
Rashid
May 11th, 2012 10:33am
There is AD object loss when migrating using ADMT.
You asked if you were able to use an existing DC for the new forest. I said no since it is already a DC for a domain. So, if this is your question then you will need to demote it. If this is the only DC that you have in this domain then of course you will lose your AD domain.
May 11th, 2012 10:44am
I have 2 DCs in my domain, as I have already mentioned in the above post.
Is there any way not to lose my AD objects, especially users?
Regards,
May 11th, 2012 11:16am
I have 2 DCs in my domain, as I have already mentioned in the above post.
Is there any way not to lose my AD objects, especially users?
Regards,
Since you don't demote the two DCs, there is no issue with your current AD objects.
If you want to demote a DC then please check that the other is a DC / DNS / GC server and run dcdiag /v against them to check if there is any problem before demoting.
For ADMT, it will not delete your users since it creates copies of them.
May 11th, 2012 11:22am
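The pre-demotion checks from the replies above (netdom query fsmo for the role holders, dcdiag for DC health), as an added example that is not part of any forum post: it parses saved output of both commands and lists the reasons not to demote a given DC yet. Host names, sample output and function names are constructed, and it assumes dcdiag's server name is the first label of the DC's FQDN.

```python
import re

# Constructed `netdom query fsmo` output (made-up hosts; role labels vary by Windows version).
NETDOM_SAMPLE = """\
Schema owner                rootdc1.contoso.com
Domain role owner           rootdc1.contoso.com
PDC role                    dc1.child.contoso.com
RID pool manager            dc1.child.contoso.com
Infrastructure owner        dc2.child.contoso.com
The command completed successfully.
"""
# Constructed `dcdiag /v /e` result lines (verbose detail omitted).
DCDIAG_SAMPLE = """\
......................... DC1 passed test Connectivity
......................... DC1 passed test Replications
......................... DC2 passed test Connectivity
......................... DC2 failed test Replications
"""

def fsmo_holders(netdom_text):
    """Map each FSMO role label to the host that holds it."""
    roles = {}
    for line in netdom_text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S+\.\S+)\s*$", line)
        if m:
            roles[m.group(1)] = m.group(2).lower()
    return roles

def failed_tests(dcdiag_text):
    """Map each tested DC to the list of dcdiag tests it failed."""
    # Keep only names with a Connectivity result: partition-level lines share this format.
    seen, failed = set(), {}
    for server, verdict, test in re.findall(
            r"^\s*\.+ (\S+) (passed|failed) test (\S+)", dcdiag_text, re.M):
        server = server.upper()
        if test == "Connectivity":
            seen.add(server)
        if verdict == "failed":
            failed.setdefault(server, []).append(test)
    return {s: failed.get(s, []) for s in seen}

def demotion_blockers(dc_fqdn, netdom_text, dcdiag_text):
    """Return reasons why dc_fqdn should not be demoted yet (empty list = go)."""
    short = dc_fqdn.split(".")[0].upper()
    blockers = [f"still holds FSMO role: {role}"
                for role, holder in fsmo_holders(netdom_text).items() if holder == dc_fqdn.lower()]
    peers = [fails for s, fails in failed_tests(dcdiag_text).items() if s != short]
    if not any(not fails for fails in peers):
        blockers.append("no other DC passed every dcdiag test")
    return blockers
```

Redirect the output of both commands to text files on a DC and pass their contents to demotion_blockers; an empty list means neither check objects to the demotion.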
Objective-
Create new domain with same name in new/separate forest
Retain AD objects from existing domain.
Solution-
Create new domain
Establish trust with existing domain/forest
Use ADMT to migrate AD objects to new domain
Problems-
To use ADMT to migrate AD objects to another domain, the 2 domain names CAN'T be same.
You have 2 DCs, which cannot be used for new domain as one DC won't work with 2 domains.
Workaround-
Create new domain with a different name, e.g. if your existing domain name is abc.contoso.com, you can create new domain with name abc.com or abc.net etc. This way you will be able to migrate the AD objects to new domain without issues.
Your existing domain can work with single DC as well, hence you can demote the second DC, remove it from the domain and promote it for new domain. Once ADMT AD object migration is done you can use both DCs in the new domain as old domain won't be used.
-
Sachin Gadhave
MCP, MCSA, MCTS
May 11th, 2012 12:37pm
Hi,
Thank you for the feedback.
Sachin: can you please suggest whether it is possible that I simply disconnect my existing domain abc.com from the forest? (The connectivity with the co-location is through a firewall that is making a VPN with my co-location. To disconnect I simply bypass the firewall.)
If I disconnect as I mentioned, will my domain abc.com operate separately? Can I make my domain abc.com a first domain in the forest? (I mean, can I make the forest on this existing domain?)
Please suggest.
Regards,
Rashid Ali
May 14th, 2012 4:24am
Hi,
Thank you for the feedback.
Sachin: can you please suggest whether it is possible that I simply disconnect my existing domain abc.com from the forest? (The connectivity with the co-location is through a firewall that is making a VPN with my co-location. To disconnect I simply bypass the firewall.)
If I disconnect as I mentioned, will my domain abc.com operate separately? Can I make my domain abc.com a first domain in the forest? (I mean, can I make the forest on this existing domain?)
Please suggest.
Regards,
Rashid Ali
No!
A domain is an AD logical structure which is a reliant part of the AD forest that it was created in. You cannot simply detach it. It cannot work separately; the only way is to migrate it as described in my earlier reply.
Sachin Gadhave
MCP, MCSA, MCTS
May 14th, 2012 4:34am
Thank you again Sachin,
I understood what you said, but the problem is I want to use the same domain name, that is, my registered domain name. So I demote one of my DCs, that is the BDC, and dcpromo it for the new forest, but is it possible to give it the same abc.com domain name (as it is registered by us)?
As my PDC is simultaneously already running with the same domain name :-( how will I manage this conflict?
Regards,
Rashid
May 14th, 2012 8:16am
You said your domain is the child domain in worldwide company forest, so for example, if your forest root domain is contoso.com then your child domain is pakistan.contoso.com. So what you can do is promote your new DC with root domain name as pakistan.com, then the old domain FQDN i.e. pakistan.contoso.com and the new domain FQDN i.e. pakistan.com will be different. Then the migration should work.
Hope you got my point.
Sachin Gadhave
MCP, MCSA, MCTS
May 14th, 2012 8:25am
Hi Sachin,
You are absolutely right, but in our company each of the countries has a separate domain name: I have pakistan.com, likewise india.com and so on. But we are all connected via VPN at our co-location, netherlands.com.
Will my domain pakistan.com work separately if I bypass the firewall connecting me to netherlands.com?
Regards,
May 15th, 2012 4:05am
Yes, after migrating to separate Pakistan.com domain you can establish active directory trust with netherlands.com domain to connect and share resources. For this, as you said, you will need to set up physical connectivity, DNS name resolution and open firewall for your domain.
Sachin Gadhave
MCP, MCSA, MCTS
May 15th, 2012 4:15am
I am sorry to say, but you might not have understood my last question.
Well, I already have a trust between my domain abpakistan.com and ab.com (mother domain of our company).
Now I am simply going to disconnect from ab.com (my question is: will abpakistan.com work properly?)
If it doesn't work I will surely transfer my ADS to another DC. For this purpose I will demote one of my DCs in abpakistan.com and make a new installation on this machine. Then I will promote it as a new domain, e.g. xypakistan.com. Now I want to transfer the objects of abpakistan.com to xypakistan.com. How do these two different domains communicate?
Do I plug xypakistan.com into the same LAN as abpakistan.com, and they will start communicating?
May 15th, 2012 8:40am
Now I am simply going to disconnect from ab.com (my question is: will abpakistan.com work properly?)
We never said this is possible; this is not an option. Read my previous posts. You cannot disconnect a domain from its forest.
If it doesn't work I will surely transfer my ADS to another DC. For this purpose I will demote one of my DCs in abpakistan.com and make a new installation on this machine. Then I will promote it as a new domain, e.g. xypakistan.com. Now I want to transfer the objects of abpakistan.com to xypakistan.com. How do these two different domains communicate?
This is what you have to do!!!!
Do I plug xypakistan.com into the same LAN as abpakistan.com, and they will start communicating?
Yes, as I said, you need to have network connectivity between both domains; you can promote the new DC/domain in the same LAN also. Then you would need to establish trust between the old and new domain in order to migrate the AD objects.
Look at these links for migration help-
http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc974412(v=ws.10).aspx
Sachin Gadhave
MCP, MCSA, MCTS
May 15th, 2012 9:11am
Thank you very much for the confirmation, Sachin :-)
Let me add a test server in my domain before they get me out of the existing forest... just tell me two last things.
If I add a test server in the existing environment with the same domain name ab.com, will it work, or do I have to use another domain name? (I am asking this because I have the hosting of ab.com.)
In AD objects migration, will it create a copy of the objects in the new server or WILL IT MOVE THE OBJECTS FROM EXISTING? (Or does ADMT give both options?)
Regards,
Rashid
May 15th, 2012 10:56am
Thanks for the advice guys!
Art Market
May 15th, 2012 12:19pm
You can create a new domain with any other name than the source domain for ADMT migration, as I said earlier. You can create it within the same network but it has to be a new domain in a new forest with separate DNS; later you will set up trust between the old and new domain.
My understanding is that for intraforest (domains within the same forest) migration objects are moved, you cannot create a copy. In interforest (domains from separate forests) migration you can migrate copies of the object keeping the existing object intact.
I suggest you spend some time planning the entire process because it tends to get complicated as there are many things in consideration here. Go through all these articles to plan the migration -
Download ADMT 3.2 here - http://www.microsoft.com/downloads/en/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en
Best Practices for Active Directory Migration - http://technet.microsoft.com/pt-pt/library/cc974412%28WS.10%29.aspx
Checklist: Performing an Interforest Migration - http://technet.microsoft.com/pt-pt/library/cc974327%28WS.10%29.aspx
ADMT Guide: Migrating and Restructuring Active Directory Domains - http://technet.microsoft.com/en-us/library/cc974332%28WS.10%29.aspx
Sachin Gadhave
MCP, MCSA, MCTS
May 15th, 2012 12:51pm