Orphaned Child Domains into new forest

Discussion in 'Server Migration' started by Guest, Dec 13, 2006.

  1. Guest

    Hello. Our company will be acquiring the assets of another company in
    the Midwest with divisions in Mexico and North America. We currently
    have a Windows 2003 AD forest with no child domains at the present time.
    The company we are acquiring has (6) child domains connected via a
    private routed network and some VPNs to their corporate forest. These
    child domains are members of the parent domain/forest at the corporate
    HQ. Basically, what is going to happen is that we are going to install
    our own WAN infrastructure and bring these child domains online onto our
    WAN. The problem is that the primary domain controllers will not be
    accessible once we unplug from the old WAN and plug into the new WAN.
    As a result we will have 6 orphaned child domains. Note too that there
    is one primary Exchange 2003 server at OUR corporate HQ and we will be
    ExMerging the mailboxes for the child domains into our server. So I am
    not too concerned about the Exchange component. So our questions are as
    follows:

    #1) Once the orphaned CHILD domain is connected to OUR WAN, will it
    continue to function and authenticate users on that child domain? If
    so, what are the potential problems with this? Basically, we do intend
    to bring these child domains into our forest after the WAN migration has
    taken place. But, we would like to run the child domains as they are
    now until we have time to do that (see question #3).

    #2) If they can function as an orphaned child domain for a SHORT while
    can we setup a TRUST from their domain to our domain to allow them to
    authenticate against our exchange server?

    #3) Once the child domains are on our WAN, can we use ADMT 3.0 to bring
    these orphaned CHILD domains into our forest? Is it a huge project?
    There are about 60 computers and 7 servers. Note that there are no
    other exchange servers at these locations. BUT, some locations have SQL
    2000 servers. All servers at these child domains are running Windows
    2003 standard and enterprise.

    #4) Some of these child domains have multiple sites and AD replication
    is happening between them. Will this be an issue?

    #5) Should we push to have these child domains removed from the original
    company's AD BEFORE we cut over the WAN? Will this help us in any way?
    If they can remove the child domains BEFORE the WAN cutover, what happens
    to the child domain AD?

    Thanks again for any input on this issue. I am off to Mexico in a
    couple days.

    Cheers,
    Jim
     
    Guest, Dec 13, 2006
    #1

  2. Hi,

    After reading your post, I have one question:

    After you plug the child domain into your WAN, can you contact the root
    domain (of these child domains)? In other words, please make sure you can
    access the whole forest before you try to perform the migration. It is not a
    huge project since the clients and member servers are not too many, but
    please make sure you can contact the whole forest remotely.

    Thanks.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
     
    Vincent Xu [MSFT], Dec 13, 2006
    #2
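The check Vincent asks for ("make sure you can access the whole forest") is worth scripting before any ADMT run, because ADMT and domain joins need the forest root and the configuration/schema partitions, not just the one child you are moving. The following is an added example, not code from the thread or from Microsoft; it assumes the source forest root is `domain1.com`, that you run it from a box on the NEW WAN (e.g. over the VPN Jim describes later), and that the credential belongs to an account in the source forest. It uses only the .NET `System.DirectoryServices.ActiveDirectory` classes, so it works without RSAT installed.

```powershell
# Added example (not from the original thread): pre-migration reachability check of
# the SOURCE forest from the acquiring side. Hypothetical forest name and credential.
param(
    [string]$SourceForest = 'domain1.com',
    [pscredential]$Cred = (Get-Credential -Message 'Account in the source forest')
)

function Test-TcpPort {
    # Returns $true if a TCP connect to ComputerName:Port completes within TimeoutMs.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Ports ADMT, trusts and domain joins depend on: Kerberos, LDAP, SMB, RPC endpoint mapper, GC.
$ports = @{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135; GC = 3268 }

$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', $SourceForest, $Cred.UserName, $Cred.GetNetworkCredential().Password)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
Write-Host "Forest root: $($forest.RootDomain.Name)  (forest mode: $($forest.ForestMode))"

# Walk EVERY domain in the forest, not only the child being migrated.
$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $open = @{}
        foreach ($name in $ports.Keys) {
            $open[$name] = Test-TcpPort -ComputerName $dc.Name -Port $ports[$name]
        }
        $isGc = $dc.IsGlobalCatalog()
        [pscustomobject]@{
            Domain   = $domain.Name
            DC       = $dc.Name
            IsGC     = $isGc
            Kerberos = $open.Kerberos
            LDAP     = $open.LDAP
            SMB      = $open.SMB
            RPC      = $open.RPC
            GC       = if ($isGc) { $open.GC } else { 'n/a' }
        }
    }
}
$report | Format-Table -AutoSize

# Fail loudly if no forest-root DC answers on the core ports: without it ADMT cannot
# read the configuration partition or resolve forest-wide (universal) group membership.
$rootOk = $report | Where-Object {
    $_.Domain -eq $forest.RootDomain.Name -and $_.Kerberos -and $_.LDAP -and $_.RPC
}
if (-not $rootOk) {
    throw "No reachable DC in forest root $($forest.RootDomain.Name); do not start the migration yet."
}
```

Run it once from the acquiring network and once from inside the child's site; a child DC that can see its own partners but not the root is exactly the "island" state the rest of the thread warns about.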

  3. Guest

    Hi...Thanks so much for the response. Perhaps I did not explain it
    properly (which is possible at 3AM<g>). Basically, we have not
    unplugged anything yet. I really can't since the current WAN is still
    being used. But, once I unplug the child domain from its existing
    FOREST and plug it into the NEW WAN with a completely different forest
    at the corporate location, there is no way the child domain will be able
    to get to the OLD forest. This child domain will be literally cut off
    on an island without being "properly" removed from the OLD forest. The
    IT staff at the current company will have to deal with getting the child
    out of their AD. I am not concerned about that. I am just concerned
    about getting the orphaned child into the new forest/domain. So it will
    be like this.

    Current configuration:
    Current primary domain: domain1.com
    Current CHILD domain: child1.domain1.com

    When we unplug the WAN and join it to the new WAN and forest it will be
    as follows:
    NEW Primary domain: domain2.com
    Child Domain: child1.domain1.com (Has not changed)

    So, as you can see the child domain will be cut off from the old domain
    and running by itself. Initially, I need to know if the child domain
    will continue to operate by authenticating users at that child domain,
    etc. ALSO, I need to know if I can setup a 2 way trust between this
    orphaned child domain and the NEW forest/domain. Is this possible?
    Again, if I unplug the child domain will it continue to function? Will
    AD fail at these sites?


    Thanks again for the time you took to respond.

    Cheers,

    Jim
     
    Guest, Dec 14, 2006
    #3
  4. Hi Jim,

    I know you want to connect child domain(s) into a different forest.
    However, honestly I don't think it works and I strongly do not recommend
    doing so. My suggestion is as follows:

    1. Connect the remote forest with your forest over the WAN and create a trust
    between the two forests.

    2. If possible, promote a DC of the remote child domain in your location.

    3. Create new child domain(s) in your forest corresponding to the remote
    one(s).

    4. Use a tool (like ADMT) to migrate user accounts and other resources into
    your child domain(s).

    Check the following article:

    <http://technet2.microsoft.com/WindowsServer/en/Library/cead3dc3-4920-4b7a-b6fe-6111d44110b31033.mspx>

    Hope it helps.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Dec 15, 2006
    #4
  5. I know you want to connect child domain(s) into a different forest.
    at this moment it is not possible to "cut-and-paste" domains from one forest
    into another forest... Migration is the only option

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test before implementing!
    ------------------------------------------------------------------------------------------
    #################################################
    #################################################
    ------------------------------------------------------------------------------------------
     
    Jorge de Almeida Pinto [MVP - DS], Dec 17, 2006
    #5
  6. Guest

    Thank you for the information.

    So you are saying that it would be possible to get those remote domains
    connected to the new WAN "migrated" into our new forest? I really do
    not want to cut-and-paste. I was just wondering if they could run for a
    while with the old child domain info but I scrapped that idea.

    So, my last question is will this type of migration work? In other
    words just connecting the old child domains to the new forest WAN and
    then Migrate?

    One important other question. Each one of these remote child domains is
    running Microsoft SQL Server 2000. Is the ADMT 3.0 going to work OK for
    these servers?

    Cheers

    Jim
     
    Guest, Dec 18, 2006
    #6
  7. Hi,

    --So, my last question is will this type of migration work? In other
    --words just connecting the old child domains to the new forest WAN and
    --then Migrate?

    Still, it will not work. You have to connect the two forests and create
    trusts between them. Then you can start the migration project.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Dec 18, 2006
    #7
  8. Hi Vincent,

    I was thinking in this case to create an external trust between each bought
    child domain and the acquiring company's forest/domain...after that, migrate
    everything needed in the child domains into the acquiring company's
    forest/domain...

    Can you explain why it would not work? I do agree if you are talking about a
    forest trust.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

     
    Jorge de Almeida Pinto [MVP - DS], Dec 18, 2006
    #8
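Jorge's alternative is a two-way external trust between the acquiring domain and each purchased child, created while both WANs are still reachable. The commands below are an added example, not Jorge's or Microsoft's text; the names `domain2.com` (acquiring domain), `child1.domain1.com` (purchased child) and the DNS server address `10.20.0.10` are assumptions for illustration. `netdom` is the Windows Server 2003-era tool and still ships; `Get-ADTrust` and `Add-DnsServerConditionalForwarderZone` need the RSAT modules of a later Windows, so treat those lines as the verification step rather than something a 2003 DC runs locally.

```powershell
# Added example (not part of the original post): create and verify the two-way
# external trust described above, run from the ACQUIRING side.
$TargetDomain = 'domain2.com'            # our forest (hypothetical name)
$SourceDomain = 'child1.domain1.com'     # purchased child in the seller's forest (hypothetical)
$SourceDnsIp  = '10.20.0.10'             # a DC/DNS server in the child (assumed address)

# DNS first: each side must resolve the other's DC SRV records or the trust wizard
# and netdom fail with "domain not found". A conditional forwarder on our DNS does
# our half; the seller's DNS must forward domain2.com back to us over the VPN.
Add-DnsServerConditionalForwarderZone -Name $SourceDomain -MasterServers $SourceDnsIp -ErrorAction Stop

# Create the external trust in both directions. /passwordD and /passwordO prompt
# (the '*') instead of leaving credentials in the shell history.
netdom trust $TargetDomain /domain:$SourceDomain /add /twoway `
    /userD:"$SourceDomain\Administrator" /passwordD:* `
    /userO:"$TargetDomain\Administrator" /passwordO:*

# Verify from both viewpoints before anyone starts ADMT.
netdom trust $TargetDomain /domain:$SourceDomain /verify /twoway
nltest /domain_trusts /all_trusts

# Direction, type and SID-filtering state as our side sees them.
Get-ADTrust -Identity $SourceDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined

# CAVEAT (the security point in this thread): ADMT copies the source SID into
# sIDHistory so migrated users keep access to resources whose ACLs still name the
# old SID. SID filtering ("quarantine") on an external trust is ON by default and
# strips those foreign SIDs from the token. Quarantine is set on the TRUSTING
# (resource) domain for the TRUSTED (account) domain, so while migrated accounts in
# domain2.com still need SQL/file servers that remain in the child, the child side is
# where ADMT's documentation has you run:
#     netdom trust child1.domain1.com /domain:domain2.com /quarantine:no
# With quarantine off, any Domain Admin in the source child can place arbitrary SIDs in
# sIDHistory and be treated as a Domain Admin of domain2.com, which is exactly why
# Jorge says every domain admin on either side must be fully trusted. Re-enable it
# (/quarantine:yes) the moment the resources have moved.
```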
  9. Hi,

    1. As we know, the DC contains the schema partition & configuration partition,
    which need to be replicated throughout the forest.

    2. For some forest-wide universal group memberships.

    3. If you disconnect the connection to the root domain, KCC errors will
    definitely come out.

    For these reasons, I strongly don't recommend such behavior.

    Glad to see your opinion. :)


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Dec 19, 2006
    #9
  10. Guest

    Hello and thanks for the response. I am a little confused. Basically,
    we have no way to have both forests online at the same time. We are
    using the same routers for most of the sites and will literally be
    unplugging from one WAN and going right into another. So the forests will
    not be online at the same time. I was thinking I could do just as you
    say, Jorge, but I have not done this before.

    Vincent, if both forests can not be online at the same time to do the
    migration, is this at all possible? If not, it appears that the only
    solution is to completely format the boxes and start from scratch on the
    remote servers? This does not seem right. What happens if a forest
    with several child domains loses its DC and does not have a backup or
    backup GC? Those child domains would be orphaned like this so I wonder
    what would happen in this case. I know it will be ugly but I would
    think we could recover from this situation.

    Again, we are unplugging from one WAN into another so having both
    forests online at the same time is NOT possible.

    Please let me know what you think and I truly appreciate your support. I
    am heading back to Mexico in a few days for some coordination meetings
    with the IT staff in CA.

    Cheers
    Jim
     
    Guest, Dec 20, 2006
    #10
  11. Guest

    Also, to follow up.

    We were also wondering, if ADMT will not work because both forests CAN
    NOT be online at the same time, should we just demote the child to a
    member, unplug the old WAN, plug in the new WAN and then just recreate
    the domain under the new forest? This seems like it will work but man,
    it will be a lot of work at the workstation level. There are really
    only 50 users but there are 50 workstations where profiles will be
    destroyed, etc.

    There has to be an easier way.

    Jim
     
    Guest, Dec 21, 2006
    #11
  12. I do agree with you on what you said on the long term. A forest cannot live
    without its forest root.

    Reading the poster's post, it is a temporary situation: he needs to be able to
    migrate (at least that is what I understand) the contents of the child
    domains into his own forest.

    Think about the following:
    You have a forest root domain and a child domain. Each with one DC (bad!)
    and you never back up (BAD!)....The forest root DC (the one and only) dies,
    whereas the child domain and DC remain...
    What would the recommendation be?
    Mine: create a NEW forest root domain (using another name) (and if needed a
    new child domain) and migrate everything from the remaining child domain to
    the new forest.

    Different scenario -> same idea (at least that is what I think)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

     
    Jorge de Almeida Pinto [MVP - DS], Dec 21, 2006
    #12
  13. Hi Jim,

    Sorry if my previous conclusion was too unconditional.

    Honestly, I strongly recommend you not to perform your plan because I'm
    not aware of what potential issues there will be. As replied to Jorge, I listed
    several problems that came to mind. For 50 workstations, I think your later
    plan is reliable.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Dec 21, 2006
    #13
  14. Hi,

    You must forgive my unconditional conclusion. :) I may be a little
    conservative because I'm not aware of any potential issues during the migration
    process in this scenario, especially in a production environment.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Dec 21, 2006
    #14
  15. No need to forgive. We are discussing options and hearing each other's
    opinions. ;-)

    Although I stand by my first proposal, there is another option to
    consider...

    Wouldn't it be possible for the OTHER company to give you JUST ONE DC from
    the forest root domain?
    If they should do it, you can clean the contents of the forest root domain
    and reset the password of the default administrator account.
    Now let's assume some security officer starts screaming and crying about
    this... If he/she does that, I agree with him/her! He/she SHOULD then ALSO
    start screaming about just cutting off the child domains and giving them to some
    other company!
    Why? Because security-wise there is not much difference!!!

    Also, the options mentioned until now look like "cloning an existing AD
    structure" <-- security-wise this is a PITA and EVERY, and I mean EVERY,
    security officer should go crazy with such a proposal!!!
    Besides that, if you cut off the child domains, there is no going back when
    the tombstone lifetime has passed. Well, you can, but you'll end up in hell
    just because of the issues you will have concerning replication.



    WANNA KNOW WHAT IMHO THE BEST OPTION IS FOR THIS? (and all divestitures and
    acquisitions....)

    The start:
    Selling company has an AD structure
    Buying company has an AD structure
    Sold business unit or company part is part of the selling company's AD structure

    The BEST way to go in terms of:
    * Responsibility
    * Politics
    * And all other crap

    Is for the selling company to:
    * Create an interim AD structure (one domain, multiple domains, whatever,
    depends on what the buying company wants)
    * Migrate the sold BU or company part from the selling company's AD
    structure to the interim AD structure

    When finished:
    * Cut off from the selling company's network and connect to the buying
    company's network and hand over the interim AD structure AND responsibility from
    the selling company to the buying company

    The buying company should then:
    * Migrate all the stuff from the interim AD structure to their own AD
    structure
    * Decommission the interim AD structure


    Will it take more time? Probably... but remember... it is safe,
    responsibility is clear, etc, etc.

    Just to give you an idea see (although the example mentioned is only about
    the divestiture, as that part of the company continues on its own and will
    not be part of another company):
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/01/Disentaglements-and-Migration-Scenarios.aspx



    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

     
    Jorge de Almeida Pinto [MVP - DS], Dec 21, 2006
    #15
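Jorge's "no going back when the tombstone lifetime has passed" is a measurable deadline, not a vague warning: a DC that has not replicated with its partners for longer than the forest's tombstone lifetime no longer knows about objects the rest of the forest deleted, and re-attaching it reintroduces them as lingering objects. The script below is an added example (not from the post) that reads the forest's tombstone lifetime and how many days each inbound partner of a given DC has been silent, so you know the last date on which that DC could still be reconnected. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a hypothetical DC name `DC1.child1.domain1.com`.

```powershell
# Added example (not from the thread): how long a cut-off DC can stay isolated
# before reconnecting it to its old forest becomes unsafe. Hypothetical DC name.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    param([string]$Server)
    $rootDse = Get-ADRootDSE -Server $Server
    $dsObject = Get-ADObject -Server $Server `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties tombstoneLifetime
    # The attribute is unset on forests created before Windows Server 2003 SP1,
    # where the effective value is 60 days; newer forests set it explicitly (180).
    if ($null -eq $dsObject.tombstoneLifetime) { 60 } else { [int]$dsObject.tombstoneLifetime }
}

function Get-ReplicationAge {
    # Days since each inbound partner last replicated successfully to $Server, per partition.
    param([string]$Server)
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server -PartnerType Inbound |
        ForEach-Object {
            [pscustomobject]@{
                Partition = $_.Partition
                Partner   = $_.Partner
                LastOk    = $_.LastReplicationSuccess
                AgeDays   = [math]::Round(((Get-Date) - $_.LastReplicationSuccess).TotalDays, 1)
            }
        }
}

$dc  = 'DC1.child1.domain1.com'   # hypothetical DC in the child about to be cut off
$tsl = Get-TombstoneLifetimeDays -Server $dc
$age = Get-ReplicationAge -Server $dc
$age | Format-Table -AutoSize

$maxAge    = ($age | Measure-Object -Property AgeDays -Maximum).Maximum
$remaining = $tsl - $maxAge
if ($remaining -le 0) {
    Write-Warning ("{0} has a partner silent for {1} days, past the {2}-day tombstone lifetime. " +
        "Reconnecting it would reintroduce deleted objects; rebuild it instead of plugging it back in.") -f $dc, $maxAge, $tsl
} else {
    Write-Host ("{0}: {1} days of tombstone lifetime left; last safe reconnect date is {2}." -f
        $dc, $remaining, (Get-Date).AddDays($remaining).ToShortDateString())
}
```

The Partner column holds the partner's NTDS Settings DN rather than a hostname; that is what the DC records. If the old forest is gone for good, this number only tells you how stale the copy you are migrating from is, which is still useful for deciding how much of its group membership to trust.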
  16. kj

    Is for the selling company to:
    YES, YES, YES, & YES!! Exactly !!!

    and let the bean counters figure out who will pay for it.
    --
    /kj
    "Jorge de Almeida Pinto [MVP - DS]"
     
    kj, Dec 21, 2006
    #16
  17. Guest

    THANK YOU GUYS for all your help!!! I am blessed to have such great insight.

    BUT, I have another potentially good thing to work with here. Basically,
    at the present time the company is still on the selling company's WAN.
    I now have a point-to-point VPN connection from the NEW forest location
    to the main office where the child domain exists in the selling
    company's AD. So, BOTH WANs are technically up and running in that
    child domain's location. So I can tweak the router at that location to
    route traffic for the new domain back through the VPN tunnel. So, in
    essence I can have both forests online and available at the same time.
    The OLD forest with its child domain on one WAN and the NEW forest on
    another WAN connection.

    So, I was thinking of doing the following:

    #1) Run ADMT 3.0 to COPY all the users, groups and computer objects
    into the NEW forest.
    #2) Then demote the (3) domain controllers (2 at this location and 1 at
    another) to member servers.
    #3) Then join those member servers to the new domain.
    #4) Then promote them to DCs in the new domain. I would like to get
    rid of the child domain concept in this new forest and go with a one
    domain model with delegated OUs.

    Any thoughts on this?

    ALSO, I have not used ADMT before but plan to test test test. Will
    workstations (100 of them) need to disjoin and then rejoin the new
    domain? If that is the case then we will likely need to touch each
    workstation to get the desktop, settings, etc. back...Correct? That is a
    huge job. OR, does ADMT bring these computer objects into the new
    domain and allow the user to simply log into the new domain and keep
    their profiles, etc? This is very important.

    Cheers

    Jim
     
    Guest, Dec 22, 2006
    #17
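Jim's profile question is really a question about sIDHistory and ADMT's computer agent: ADMT's Computer Migration Wizard pushes an agent that re-ACLs local resources (including user profiles, when the profile translation option is selected), joins the machine to the target domain and reboots it, and the User Migration Wizard can write the old SID into sIDHistory so the user's existing ACL entries still resolve. Neither the thread nor ADMT itself shows you how to confirm that happened, so the following is an added example (not from the thread or from Microsoft) that audits the result after a test run. It assumes hypothetical names: source child `child1.domain1.com`, target `domain2.com`, and that ADMT dropped the migrated objects into `OU=Migrated,DC=domain2,DC=com`; it needs the ActiveDirectory module (RSAT, 2008 R2 or later) and the trust from earlier still in place so the source domain SID can be read.

```powershell
# Added example (not from the thread): audit what ADMT actually did for users
# (sIDHistory) and computers (secure channel to the new domain). Hypothetical names.
Import-Module ActiveDirectory

$Source     = 'child1.domain1.com'
$Target     = 'domain2.com'
$MigratedOU = 'OU=Migrated,DC=domain2,DC=com'

# Every sIDHistory value copied from the child starts with the child's domain SID.
$sourceSid = (Get-ADDomain -Server $Source).DomainSID.Value

function Get-SidHistoryReport {
    param([string]$SearchBase, [string]$SourceDomainSid)
    Get-ADUser -Server $Target -SearchBase $SearchBase -Filter * -Properties sIDHistory |
        ForEach-Object {
            $fromSource = @($_.sIDHistory | Where-Object { $_.Value -like "$SourceDomainSid-*" })
            [pscustomobject]@{
                User       = $_.SamAccountName
                HasHistory = ($fromSource.Count -gt 0)
                SourceSIDs = (($fromSource | ForEach-Object { $_.Value }) -join ',')
            }
        }
}

$users = Get-SidHistoryReport -SearchBase $MigratedOU -SourceDomainSid $sourceSid
$users | Format-Table -AutoSize
$missing = @($users | Where-Object { -not $_.HasHistory })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} user(s) were migrated without sIDHistory; their old ACL entries " +
        "(file shares, SQL logins, profile folders) will not resolve until security translation has run.") -f $missing.Count
}

# Computers: a migrated workstation must have a working secure channel to the NEW domain.
# Test-ComputerSecureChannel only tests the local machine, so query each remotely with nltest.
function Test-MigratedComputers {
    param([string]$SearchBase)
    Get-ADComputer -Server $Target -SearchBase $SearchBase -Filter * -Properties DNSHostName |
        ForEach-Object {
            $out = & nltest "/server:$($_.DNSHostName)" "/sc_query:$Target" 2>&1
            [pscustomobject]@{
                Computer  = $_.Name
                ChannelOK = ($LASTEXITCODE -eq 0 -and ($out -join ' ') -match 'Trusted DC Name')
                Detail    = ($out | Select-Object -First 1)
            }
        }
}
Test-MigratedComputers -SearchBase $MigratedOU | Format-Table -AutoSize
```

Run the user half before touching any workstation: if sIDHistory is empty (ADMT's "Migrate user SIDs to target domain" option is off, or SID filtering on the trust stripped it), the profiles will technically survive the agent's re-ACL but nothing on the old SQL and file servers will grant access to the new accounts.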
  18. Guest

    GOOD news..I am connected FROM the NEW forest to the child domain at the
    old company over the VPN pipe. I set the routes in their router to
    route traffic to the new domain and it works perfect.

    Now, any tips on using ADMT? Am I on the right path with my previous post?

    Thanks again

    Cheers
    Jim
     
    Guest, Dec 22, 2006
    #18
  19. if you can migrate directly and everyone at both companies is happy with
    it... go for it! Start migrating before someone changes his/her mind... ;-)

    be aware that to migrate stuff you need domain administrators equivalent
    permissions and the security guys at the selling company must be happy with
    that! Think about what I said earlier (every domain admin in whatever domain
    MUST be fully trusted!)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

     
    Jorge de Almeida Pinto [MVP - DS], Dec 22, 2006
    #19