Some more answers inline below...
From: [email protected] [mailto:[email protected]] On Behalf Of Edward Ned Harvey (lopser)
Sent: Sunday, January 20, 2013 11:40 AM
To: LOPSA Technical Discussions ([email protected])
Subject: [lopsa-tech] AD Migration

> Option 1, create a new domain and force everybody onto it (or force everyone onto one of the existing domains). Obviously includes both administrative headache and also user impact, as anybody who's forced to change domains will be essentially logging in with new credentials

(yes, a new user SID)

> and getting a new user profile.

(not necessarily, see below)

> Which they won't like. But might be forced into.
>
> Option 2, build trusts between the domains ... This is the option I'm more interested in talking about, because I've never done this before. How is this different from a forest? I guess that's question #1: What's the difference between multiple domains in a forest, versus trust relationships between domains?

OK, a "forest" is a collection of AD domains (either all rooted off a common DNS domain, or could be rooted on separate DNS domains) that share a common security boundary. So, unlike the old NT 4.0 days where you had to manually maintain trust relationships between domains, since by default the domains (being a security boundary) did not trust each other, all domains in a forest automatically have a trust relationship. Domains become a replication boundary only. (Of course, you can use permissions to restrict who can do what between domains.) When the domain is initially created, you specify whether it is to become a part of an existing forest, or is to become the first domain (known as the "root" domain) in a new forest. So, of course, you can have "forests" containing only one domain. I do not believe you can "re-home" an existing domain into an existing forest however (I'm a bit rusty on modern [Server 2008 - Server 2012] AD concepts however, so please double-check that.)
> I'm familiar with the idea, when you login to your laptop, you specify the domain you're logging into. But your laptop can only be joined to one domain, right?

Correct; any AD object (such as a machine account) only exists in one domain.

> So, can a different user from a different domain also login to that laptop, by specifying a different domain?

Yes, as long as there is a valid trust relationship between the two domains (machine and user).

> Can you make group policy applied to the forest, which will consequently be applied to all the domains simultaneously?

I do not believe so (see prior caveat) - GPOs are only applied to domains, AFAIK.

> Based on my understanding, in Option 1, there is no graceful way to change from one domain to another while preserving the user id and profile. Yes, you can script something to make new user accounts in a new domain, based on usernames and properties of users in an old domain ... But the new user accounts are in fact new user accounts, so when the user logs into the new domain, they lose all their profile settings, etc.

Not true - please take a look at Microsoft's "User State Migration Tool" (http://en.wikipedia.org/wiki/User_State_Migration_Tool). Also, companies like Quest have commercial software offerings that do this (see http://www.quest.com/migration-manager-for-active-directory for instance).

HTH,
Will
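A way to check the "can a user from another domain log on to this laptop?" answer above for a concrete pair of domains, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed, that the caller can read domain and trust objects, and uses placeholder domain names.

```powershell
# Added example (not from the thread): decide whether a user from $UserDomain can
# authenticate on a machine joined to $MachineDomain, by checking forest membership
# first and explicit trust direction second. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CrossDomainLogon {
    param(
        [Parameter(Mandatory)] [string] $MachineDomain,  # domain the laptop is joined to
        [Parameter(Mandatory)] [string] $UserDomain      # domain holding the user's account
    )

    $machineDom = Get-ADDomain -Identity $MachineDomain -ErrorAction Stop
    $forest     = Get-ADForest -Identity $machineDom.Forest -ErrorAction Stop

    # Case 1: same forest. All domains in a forest share automatic, transitive,
    # two-way trusts, so no explicit trust object has to exist.
    if ($forest.Domains -contains $UserDomain) {
        return [pscustomobject]@{
            Allowed = $true
            Reason  = "Both domains are in forest '$($forest.Name)' (implicit forest trust)"
        }
    }

    # Case 2: different forests. The machine's domain must trust the user's domain,
    # i.e. an outgoing (Outbound) or two-way (BiDirectional) trust as seen from the
    # machine domain. Caveat: a forest trust created at the forest root is returned
    # when querying the root domain, not when querying a child domain.
    $trusts = Get-ADTrust -Filter * -Server $MachineDomain -ErrorAction Stop
    $match  = $trusts | Where-Object {
        $_.Target -eq $UserDomain -and $_.Direction -in @('Outbound', 'BiDirectional')
    } | Select-Object -First 1

    if ($match) {
        # SelectiveAuthentication means the trust exists but each resource must still
        # grant "Allowed to Authenticate" to the foreign users, so flag it for review.
        return [pscustomobject]@{
            Allowed = $true
            Reason  = "Trust '$($match.Name)' ($($match.TrustType), $($match.Direction)); " +
                      "SelectiveAuthentication=$($match.SelectiveAuthentication)"
        }
    }

    [pscustomobject]@{
        Allowed = $false
        Reason  = "No shared forest and no outgoing trust from $MachineDomain to $UserDomain"
    }
}

# Placeholder domain names; replace with the real machine and user domains.
Test-CrossDomainLogon -MachineDomain 'corp.example.com' -UserDomain 'lab.example.net'
```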
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
