Trust relationship affected by decommissioning the domain controll

 
 
bstillion
      02-04-2009

We will be creating two new domain controllers (VMWare virtual machines) and
retiring the current ones.
I'm assuming that as long as we build the new DCs and allow replication
before decommissioning the old ones the trust relationships will remain. I
would rather ask a potentially "dumb" question than lose all of (and have to
recreate) the current trust relationships.

Thanks in advance.
--
BStillion
Portland ME
 
Franc
      02-04-2009
Hi,
Can you clarify your post? What do you mean by "before
decommissioning the old ones the trust relationships will remain"? Are you
replacing the current DCs with new ones on VMs in the same domain? If so,
no trust relationship is needed.

Cheers

bstillion
      02-04-2009

I am concerned about the external trusts in place. We have many
inbound and outbound external trusts. I'm clear on the two-way
transitive trusts inherent within the 2003 Forest.

We are replacing the current DCs with VMs and I'm wondering
how that will impact our external trusts.

--
BStillion
Portland ME


FrancT
      02-04-2009
OK, now I catch your concern.
Trusts are forest- or domain-wide, not domain controller specific. As long as
you promote and demote the DCs (new and old) correctly, and move the FSMO roles
(and GC) if needed, I can't see any problem.
--
Hope this helps


Meinolf Weber [MVP-DS]
      02-04-2009
Hello bstillion,

If you also use trusts in the domain, they will not be affected.

BTW, DC's as VM are ok, but at least one physical machine should exist which
has the FSMO roles:

Load and criticality may dictate that some roles be deployed on physical
hardware.

Global Catalogs - Evaluate whether Exchange facing Global Catalogs in your
deployment can be deployed on VM's or physical hardware.

FSMO roles - The load for FSMO roles is relatively light except for the primary
domain controller which receives password updates for users, computers and
trusts following password changes. Additionally, the PDC is consulted by
remote DC's if user or computers logon with mismatched passwords.
The RID and Schema FSMO availability are used infrequently but are critical
when required.

DNS Server - Both the DNS client and DNS Server cache queries. DNS Servers
provide their best performance when sufficient memory is available to cache
the contents of DNS zones. The loading of AD-integrated zones is delayed
unless Active Directory 1st inbound replicates. The DNS Client settings on
a DNS Server should point to multiple DNS Servers that can resolve the CNAME
records of replication partners to their IP addresses.

From
http://support.microsoft.com/kb/888794

Also see here:
http://www.microsoft.com/downloads/d...displaylang=en

Do not forget to move the FSMO roles to the new ones and also make them Global
catalog and DNS server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
bstillion
Guest
Posts: n/a

 
      02-04-2009
Thanks for the feedback!

I thought the trusts were not domain controller centric but wanted to
be sure.

I will present the information concerning making both (2 of 2) DCs
virtual.
I am planning the process and am including moving the FSMO roles
and Global Catalog function before powering off the old boxes. These DCs
do not host the Forest Wide FSMO roles so that will stay as is. I will need
to move only the domain level FSMOs.

Thanks again.
--
BStillion
Portland ME
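
The checks discussed in this thread (FSMO roles and Global Catalog moved, replication healthy, external trusts still verifying) can be scripted and run before the old DCs are demoted. The following is an added example, not part of the original thread: the DC and partner-domain names are placeholders, and it assumes `netdom`, `nltest`, `dsquery` and `dcdiag` are installed and produce English output.

```powershell
# Added example: pre-decommission checks. Every name in the param block is a placeholder.
param(
    [string[]]$RetiringDCs   = @('OLDDC1', 'OLDDC2'),      # DCs that will be demoted
    [string[]]$NewDCs        = @('NEWDC1', 'NEWDC2'),      # replacement VM DCs
    [string[]]$TrustPartners = @('partner.example')        # domains this domain trusts
)
$problems = @()

# 1. No FSMO role may remain on a DC that is about to be demoted.
#    'netdom query fsmo' prints one "<role>   <holder FQDN>" line per role.
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^(?<role>.+?)\s{2,}(?<holder>\S+)\s*$') {
        $holder = $Matches['holder'].Split('.')[0]
        if ($RetiringDCs -contains $holder) {
            $problems += "FSMO role '$($Matches['role'])' is still on $holder"
        }
    }
}

# 2. Every new DC must already be a Global Catalog.
#    'dsquery server -isgc' returns the server objects' DNs; keep the leading CN.
$gcs = dsquery server -isgc | ForEach-Object {
    if ($_ -match 'CN=([^,]+),') { $Matches[1] }
}
foreach ($dc in $NewDCs) {
    if ($gcs -notcontains $dc) { $problems += "$dc is not a Global Catalog" }
}

# 3. Each new DC must replicate cleanly and be able to verify the trust
#    secure channel itself. This covers the outbound direction only; inbound
#    trusts have to be verified from the partner domain's side.
foreach ($dc in $NewDCs) {
    $diag = dcdiag /s:$dc /test:Replications | Out-String
    if ($diag -notmatch 'passed test Replications') {
        $problems += "$dc did not pass the dcdiag Replications test"
    }
    foreach ($partner in $TrustPartners) {
        $sc = nltest /server:$dc /sc_verify:$partner | Out-String
        # nltest can report overall success even when the channel is broken,
        # so require an explicit status of 0 on the verification line.
        if ($sc -notmatch 'Trust Verification Status\s*=\s*0\s') {
            $problems += "$dc cannot verify the trust secure channel to $partner"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Checks passed: FSMO roles moved, new DCs are GCs, replication and trusts verify.'
```

Run it from an account with domain admin rights after the new DCs have replicated, and again once the old DCs are powered off but not yet demoted.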

