Company was built up, including some acquisitions, which means there's a disparate and geographically dispersed set of independent AD domains. We want to make things "better", basically meaning more centralized, easier to understand and manage consistently.

Option 1, create a new domain and force everybody onto it (or force everyone onto one of the existing domains). Obviously includes both administrative headache and also user impact, as anybody who's forced to change domains will be essentially logging in with new credentials and getting a new user profile. Which they won't like. But might be forced into.

Option 2, build trusts between the domains ... This is the option I'm more interested in talking about, because I've never done this before. How is this different from a forest? I guess that's question #1: What's the difference between multiple domains in a forest, versus trust relationships between domains?

I'm familiar with the idea, when you log in to your laptop, you specify the domain you're logging into. But your laptop can only be joined to one domain, right? So, can a different user from a different domain also log in to that laptop, by specifying a different domain?

Can you make group policy applied to the forest, which will consequently be applied to all the domains simultaneously?

Based on my understanding, in Option 1, there is no graceful way to change from one domain to another while preserving the user id and profile. Yes, you can script something to make new user accounts in a new domain, based on usernames and properties of users in an old domain ... But the new user accounts are in fact new user accounts, so when the user logs into the new domain, they lose all their profile settings, etc.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
