gracefully removing a child domain

Discussion in 'Active Directory' started by Jon, Jun 16, 2006.

  1. Jon

    Jon Guest

    My company is preparing to acquire another company. Both my forest and the
    forest from which company x will be leaving are W2K. I would like to think
    that on the cut over day this could be a graceful move. However, experience
    has taught me otherwise. How do I prepare for this day? Is the only solution
    creating a new child domain of my forest and using ADMT to transfer their
    accounts prior to cut over? If they can run as usual within their domain
    after the cut over, this would be fine. As I am planning to deploy 2k3 in the
    next couple of months. I need to limit the impact to the acquired company as
    much as possible.
     
    Jon, Jun 16, 2006
    #1
    1. Advertisements

  2. In
    There's more to this than meets the eye. Do both orgs have their own
    Exchange services? That complicates it a bit. If absorbing the other
    company, are they still to remain a separate entity but part of your org? If
    so, a separate (child) domain would be in order, if not, and you would want
    central administration along with the same password policies, migrate them
    into your current domain, but organize them in a separate OU.

    You can also migrate the users into a child or your current domain, but opt
    to keep the SIDHistory. THis way, the new users in the new domain can still
    access resources in the old, unless you are just moving everything over.

    Then with Exchange, you have to figure out what to do with the mailboxes. In
    your scnerio, it would appear we can use the ADMT methiod with Exmerge to
    move mailboxes over to your forest (child domain or current domain).

    These are just a couple of scenarios, and there are numerous possibilities
    when designing, depending on your business model and what your company
    expects out of the end results. To make it easier, yes, I would consolidate
    them now, one way or another, prior to a 2003 upgrade OR migration,
    depending on how you are doing it. If you have a large user base, an upgrade
    would be beneficial, of small, a migration would be easier to clean out the
    old and bring in the new, so to speak.

    Here are some links to read over:

    325379 - How to Upgrade Windows 2000 Domain Controllers to Windows Server
    2003:
    http://support.microsoft.com/?kbid=325379

    PPT Presentation - Active Directory Design and Deployment- Tales of the
    Unexpected:
    http://download.microsoft.com/download/0/9/9/099fd9b9-63d9-49fe-9213-6d127a91f0bd/MGT307.ppt

    Active Directory Learn the Basics and Master Advanced Concepts (all
    webcasts - look for the migration/upgrade ones):
    http://www.microsoft.com/events/series/adaug.mspx

    Tools and Documentation for Upgrading to Windows Server 2003 (general link):
    http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/default.mspx

    Deploying the Windows Server 2003 Forest Root Domain:
    http://www.microsoft.com/technet/tr...3/proddocs/deployguide/dssbl_dfr_overview.asp

    328871 - HOW TO Use the Exchange Migration Wizard to Migrate Mailboxes From
    an Exchange Organization:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;328871

    Common Mistakes when Upgrading from Exchange 55 or 2000 to Exchange 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555262

    314649 - Windows Server 2003 adprep -forestprep Command Causes Mangled
    Attributes in Windows 2000 Forests That Contain Exchange:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;314649

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy. - [Me]
     
    Ace Fekay [MVP], Jun 16, 2006
    #2
    1. Advertisements

  3. Jon

    Jorge Silva Guest

    Hi

    The best that you can do with 2 different forests in this scenario, is to
    create a external trust, 2 way direction , you don't need to create a child
    domain in your forest, unless security needs are different from yours.

    - To migrate accounts and mailboxes from one Exchange 2000 or Exchange 2003
    forest to a separate Exchange 2000 or Exchange 2003 forest, it is
    recommended that you first use the Active Directory Migration Tool (ADMT),
    followed by the Exchange Migration Wizard.

    First, run ADMT to create active user accounts in Active Directory. It is
    recommended that you select the option for migrating security identifiers
    (SIDs) so that ADMT adds the source account's SID to the new target
    account's SID history attribute. (Migration Wizard uses the SID to match
    mailboxes).

    - It is also recommended that you do not disable the user account in the
    source forest when you run ADMT. Exchange 2003 does not support disabled
    mailbox accounts without associated external account.

    - After you migrate the accounts, use Migration Wizard to migrate mailboxes.
    If you migrated SIDs when you ran ADMT, Migration Wizard uses the SIDs to
    match mailboxes to the new accounts and converts the accounts to
    mailbox-enabled user accounts. If you did not migrate the SIDs , Migration
    Wizard cannot match a mailbox to an account; instead, the wizard creates a
    disabled user account to associate with the mailbox.

    Active Directory Migration Tool (ADMT).
    http://www.microsoft.com/downloads/...b1-5849-4707-9817-8c9773c25c6c&displaylang=en




    Here's some information for upgrade 2000 ->2003

    Informative Sites:

    Best Practice Active Directory Design for Managing Windows Networks

    http://www.microsoft.com/technet/pr...gies/activedirectory/plan/bpaddsgn.mspx#E1AAG

    Windows Server 2003 Tools

    http://www.microsoft.com/technet/downloads/winsrvr/tools/default.mspx

    Windows Server 2003

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003



    Considerations:

    - Install the latest service pack.

    http://www.microsoft.com/downloads

    - Check Hardware.

    Windows Catalog and HCL

    http://www.microsoft.com/whdc/hcl/default.mspx

    Active Directory Sizer

    http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/adsizer-o.asp

    Windows Application Compatibility

    http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx

    Microsoft File Server Migration Toolkit

    http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

    How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003

    http://support.microsoft.com/?id=325379



    Upgrade or migrate?

    Reasons to Upgrade

    Especially for small organizations, the ease of an upgrade rather than a new
    installation can make sense. Generally, with an upgrade, configuration is
    simpler, and your existing users, settings, groups, rights, and permissions
    are retained. Also, with an upgrade, you do not need to re-install files and
    applications.

    Reasons to Migrate

    There are good reasons to migrate rather than upgrade-especially when
    dealing with large organizations. If you want to practice careful
    configuration management, for example, for a server where high availability
    is important, you might want to perform a new installation on that server
    instead of an upgrade. This is especially true for servers on which the
    operating system has been upgraded several times in the past.

    Active Directory Migration Tool v.2.0

    http://www.microsoft.com/downloads/...b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en

    Active Directory Migration Tool v3.0

    http://www.microsoft.com/downloads/...7B-533A-466D-A8E8-AFF85AD3D212&displaylang=en



    Planning:

    * Backup the Servers.

    * If you can take at least one DC Offline (In case of UPGRADE FAILURE you
    always seize the roles, and return to previous state.) The only drawback to
    this method is that all changes that were made while the safe DC was offline
    are lost. To minimize this loss, you could periodically turn the safe BDC on
    and off (when the domain is in a stable state) during the upgrade process,
    to update its safe copy of the directory.

    * Make sure that the Hardware and apps meet the requirements.

    * Run from command prompt:

    Cdsource\I386\winnt32.exe /checkupgradeonly

    * Make sure that all Apps installed are compatible with W2K3 and don't cause
    problems with the upgrade process or pos upgrade process.

    * Make sure that existent clients have compatibility with SMB signing, Each
    Windows Server 2003 domain controller enables SMB signing in its local
    security policy by default.

    How to enable Windows 98/ME/NT clients to logon to Windows 2003 based
    Domains

    http://support.microsoft.com/?id=555038

    * Document everything network related (users, groups, permissions,
    printers,etc).

    * How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003

    http://support.microsoft.com/?id=325379

    * Initial synchronization requirements for Windows 2000 Server and Windows
    Server 2003 operations master role holders

    http://support.microsoft.com/default.aspx?scid=kb;en-us;305476

    * Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555040



    *If you have exchange 5.5/2000 or upgrading to Exchange 2003 check:

    Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in
    Windows 2000 Forests That Contain Exchange 2000 Servers

    http://support.microsoft.com/?id=314649

    How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003

    http://support.microsoft.com/?id=325379

    Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

    Common Mistakes When Upgrading Exchange 5.5/2000 To a Exchange 2003

    http://support.microsoft.com/?id=555262

    Considerations when you upgrade to Exchange Server 2003

    http://support.microsoft.com/?id=822942



    * If you have UNIX

    Cannot Upgrade Windows 2000 Server to Windows Server 2003 with Windows
    Services for UNIX 2.0 Installed

    http://support.microsoft.com/?id=293783



    * Others

    Incorrect Schema extension for OS X prevents ForestPrep from completing in
    Windows 2000

    http://support.microsoft.com/?id=887426

    Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in
    hotfix 324392

    http://support.microsoft.com/?id=324392





    - Before Upgrade:

    * Verify the end-to-end Active Directory replication throughout the forest.

    REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA

    All the domain controllers in the forest must replicate Active Directory
    without error, and the values in the "Largest Delta" column of the repadmin
    output should not be significantly greater than the replication frequency on
    the corresponding site links or connection objects that are used by a given
    destination domain controller.



    * Resolve all replication errors between domain controllers that have failed
    to inbound replicate in less than Tombstone Lifetime (TSL) number of days
    (by default, 60 days). If replication cannot be made to function, you may
    have to forcibly demote the domain controllers and remove them from the
    forest by using the Ntdsutil metadata cleanup command, and then promote them
    back into the forest. You can use a forceful demotion to save both the
    operating system installation and the programs that are on an orphaned
    domain controller. For more information about how to remove orphaned Windows
    2000 domain controllers from their domain, click the following article
    number to view the article in the Microsoft Knowledge Base:

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion

    http://support.microsoft.com/kb/216498/



    * Verify that the contents of the Sysvol share are consistent

    DCDIAG.EXE /e /test:frssysvol


    * Inventory and test the operations roles.

    DCDIAG /test:FSMOCHECK

    NETDOM QUERY FSMO


    * Verify that the schema master and each infrastructure master has performed
    inbound replication of Active Directory since last booted.

    REPADMIN /SHOWREPS DCNAME

    For more information about operations masters and their placement.

    Description Active Directory FSMO roles

    http://support.microsoft.com/kb/197132/

    FSMO placement and optimization on Active Directory domain controllers

    http://support.microsoft.com/kb/223346/



    * Examine the event logs on all the domain controllers for problematic
    events.

    * The volume that hosts the Active Directory database file, Ntds.dit, must
    have free space equal to at least 15-20% of the Ntds.dit file size. The
    volume that hosts the Active Directory log file must also have free space
    equal to at least 15-20% of the Ntds.dit file size. For additional
    information about how to free up additional disk space, see the "Domain
    Controllers Without Sufficient Disk Space" section of this article.



    * You can install a new computer (more powerful) make it a an additional DC
    of the existent Domain then you can use that server to perform the upgrade



    - Dns Planning:

    Prior to beginning the moving from Windows 2000 to the Windows Server 2003
    Active Directory service, ensure that you have designed a DNS and Active
    Directory namespace and have either configured DNS servers or are planning
    to have the Active Directory Installation Wizard automatically install the
    DNS service on the domain controller.

    Active Directory is integrated with DNS in the following ways:

    Active Directory and DNS have the same hierarchical structure. Although
    separate and implemented differently for different purposes, an
    organization's namespace for DNS and Active Directory have an identical
    structure. For example, microsoft.com is both a DNS domain and an Active
    Directory domain.

    DNS zones can be stored in Active Directory. If you are using the Windows
    Server DNS service, primary zone files can be stored in Active Directory for
    replication to other Active Directory domain controllers.

    Active Directory uses DNS as a locator service, resolving Active Directory
    domain, site, and service names to an IP address. To log on to an Active
    Directory domain, an Active Directory client queries its configured DNS
    server for the IP address of the Lightweight Directory Access Protocol
    (LDAP) service running on a domain controller for a specified domain.

    While Active Directory is integrated with DNS and they share the same
    namespace structure, it is important to distinguish the basic difference
    between them:

    DNS is a name resolution service. DNS clients send DNS name queries to their
    configured DNS server. The DNS server receives the name query and either
    resolves the name query through locally stored files or consults another DNS
    server for resolution. DNS does not require Active Directory to function.

    Active Directory is a directory service. Active Directory provides an
    information repository and services to make information available to users
    and applications. Active Directory clients send queries to Active Directory
    servers using LDAP. In order to locate an Active Directory server, an Active
    Directory client queries DNS. Active Directory requires DNS to function.

    If use BIND DNS servers Make sure that you have BIND 8.1.2

    - Supports: Srv records, Dynamic Updates, Doesn't Support
    Secure Dynamic Updates (this is one disadvantage over the MS Dns server
    Servers, and represents security issues).

    - Create Primary Zone

    If Use 2003 DNS

    * Create Primary Zone

    * You can use an pre existent Dns or you can create it during the upgrade
    process.

    * Convert to AD-Integrated.

    * NetDiag /fix (This is an extra measure, to register the necessary dns
    records).

    * Make sure that every domain controller has its DNS properties under NIC
    configuration pointing to itself. (If DC IP Address is 10.0.0.1 then Dns
    should be 10.0.0.1).

    * Make sure that every DNS server can resolve all domains in the forest.
    (Use Forwarding, Stub Zones or Secondary Zones).

    * Make sure that all clients Only uses the local(s) Dns Server.



    How Domain Controllers Are Located in Windows

    http://support.microsoft.com/kb/247811/

    DNS Conditional Forwarding in Windows Server 2003

    http://www.windowsnetworking.com/ar...tional_Forwarding_in_Windows_Server_2003.html

    DNS Stub Zones in Windows Server 2003

    http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

    How To Create a Child Domain in Active Directory and Delegate the DNS
    Namespace to the Child Domain

    http://support.microsoft.com/kb/255248/



    Check:

    Troubleshooting DNS

    http://technet2.microsoft.com/WindowsServer/en/Library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx

    How to Verify the Creation of SRV Records for a Domain Controller

    http://support.microsoft.com/?id=241515

    Verify DNS server responsiveness using the nslookup command

    http://technet2.microsoft.com/WindowsServer/en/Library/f8761f04-d665-4507-9509-ebb92bbb66ef1033.mspx





    - The Upgrade.

    * Adprep

    http://technet2.microsoft.com/Windo...a8d7-4761-b38a-e207baa734191033.mspx?mfr=true

    * Run the adprep /Forestprep -> Schema Master Role.

    To perform this step you should disable the replication before running the
    /Forestprep switch.

    Check section: Upgrading the forest with the adprep /forestprep command in:

    http://support.microsoft.com/?id=325379

    * Run the adprep /Domainprep -> Infrastructure Master Role.

    Description Active Directory FSMO roles

    http://support.microsoft.com/kb/197132/

    FSMO placement and optimization on Active Directory domain controllers

    http://support.microsoft.com/kb/223346/

    * Make sure that you have 1 GC per site (GCs are needed unless: you only
    have one domain, or the DFL is prior to Windows 2000 or Windows 2003).

    * Make sure that network clients point to the Network Dns server only
    (Usually the DC).

    * Check Dns and AD

    Verifying Active Directory Installation

    http://technet2.microsoft.com/WindowsServer/en/Library/3d157c1a-5c80-4947-ba8b-a02e5fb1dada1033.mspx

    Troubleshooting DNS

    http://technet2.microsoft.com/WindowsServer/en/Library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx

    How to Verify the Creation of SRV Records for a Domain Controller

    http://support.microsoft.com/?id=241515

    Verify DNS server responsiveness using the nslookup command

    http://technet2.microsoft.com/WindowsServer/en/Library/f8761f04-d665-4507-9509-ebb92bbb66ef1033.mspx


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 16, 2006
    #3
  4. Jon

    Jon Guest

    What if I am on vacation during the acquisition and the parent company breaks
    this trust? The child domain will retain their existing DC's... will they
    continue to operate in a functional state until I have time to address it?



     
    Jon, Jun 19, 2006
    #4
  5. In
    If you are talking about the default forest trust, there is no way to
    "break" it other than dissolving the WAN link or trashing the forest root.
    If they were to trash the root, then the child domain is useless. If they
    were to just dissolve the WAN link, depending on the time not communication
    with the forest root, it can be recovered.

    If not in the same forest, then authentication communication will be lost
    between the orgs if the trust were to be dissolved.

    Ace
     
    Ace Fekay [MVP], Jun 19, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.