Register

Forgot Password

Site FAQ

Home > IT Answers > Windows Server > AD Migration or Domain Split?

Cevans

0 pts.

AD Migration or Domain Split?

Active Directory, Desktops, DHCP, DNS, Management, Microsoft Windows, Networking services, OS, Security, Servers, SQL Server

We currently have a customer with a single Windows 2000 Active Directory forest and a single domain that contains approx 2000 users spread across several geographically disburse locations worldwide. All locations have a domain controller located locally. We also have Exchange 2003 deployed. The Exchange servers all reside in one centralized location. The 2000 users are spread across a 3x2 Active/Passive cluster. The company has sold off a part of its business. The part of the business that was sold contains approx. 1000 users in 18 different locations throughout the world. I am in no means a newbie to Active Directory migrations. I have performed several migrations in the past and I understand that the best zero-impact way to separate the now two entities would be to build a new domain and migrate the sold resources to the new domain using a tool such as Quest?s Domain Migrator and Exchange Migrator solutions. But performing a migration of this size and scope would take a considerable amount of time, hardware, and money. The biggest issue is the cost of these tools. They are outrageously expensive and when I presented the cost of the migration tools to management they were not excited to say the least. Microsoft?s free ADMT tool doesn?t offer much help here since it doesn?t offer any assistance with migrating Exchange 2003. I hate to even ask this question but in the name of due diligence I must. One option that was considered during the initial pre-sales discussions was that we could simply move the users being sold to a separate Exchange 2003 server, sever the network connections between the entities, seize the FSMO roles on the domain controllers at the newly created entity, do a quite a bit of metadata clean up and we would end up with two different fully functional domains that no longer have a dependency on each other. The thought of this makes me extremely nervous but when I look at the time, cost of performing a migration, and the scope of the migration due to the 18 different locations it definitely seems like an option that should be investigated. My other thought was to try and locate migration tools from another vendor but it appears that Quest is the only vendor that has a migration suite that will allow you to migrate a Windows 2003 and Exchange 2003 domain to another domain and keep the 2 domains and messaging systems in synch during the entire migration process. NetIQ has a limited offering but it only supports migrating from Exchange 5.5 to Exchange 2003 not Exchange 2003 to Exchange 2003. My questions are this: What are my options? Has anyone ever performed a domain split like this successfully? If so, what are the pros, cons, and oh no?s? What other migration solutions are out there?

Software/Hardware used:

ASKED: March 18, 2006 1:38 PM

UPDATED: March 20, 2006 5:02 AM

RELATED QUESTIONS

Answer Wiki:

I have done a domain split taking 3000 users out of an AD forest and into a new forest, while all systems continued to run. We used Quest software, it was however without the Exchange part. But it worked nicely without problems allthough careful planning is essential. Your thought about splitting your present domain into 2 separate domains is a security risk, as SID's etc aren't changed. This means that users potentially have access between the 2 forest. You'll have to review every single ACL unless your company is the 1 company in the world that does everything right. In my opinion the cleanup procedure that this will require will be more costly than the migration tools. Also before doing the migration re-evaluate your sites. you'll want to control logon and validation traffic through site membership to beat long logon times. Ex. keep to remote locations (geographically or nettraffic-wise close) in the same site and then migrate only one of the DC's in the site until all users in the site are migrated - then migrate the last one - I trust you get the picture from this. I would go for the quest option, as it ensures that users can continue their work without interuption, and a successfull migration (that users hardly notice) is worth a lot. Unfortunately if management doesn't recognize this, they will probably only think of it when things went wrong. Make a calculation estimating the cost in lost hours of production and other costs you know off in the different cases and Quest might proff to be the least expensive alternative.

I have done a domain split taking 3000 users out of an AD forest and into a new forest, while all systems continued to run. We used Quest software, it was however without the Exchange part. But it worked nicely without problems allthough careful planning is essential.
Your thought about splitting your present domain into 2 separate domains is a security risk, as SID's etc aren't changed. This means that users potentially have access between the 2 forest. You'll have to review every single ACL unless your company is the 1 company in the world that does everything right. In my opinion the cleanup procedure that this will require will be more costly than the migration tools.
Also before doing the migration re-evaluate your sites. you'll want to control logon and validation traffic through site membership to beat long logon times. Ex. keep to remote locations (geographically or nettraffic-wise close) in the same site and then migrate only one of the DC's in the site until all users in the site are migrated - then migrate the last one - I trust you get the picture from this.
I would go for the quest option, as it ensures that users can continue their work without interuption, and a successfull migration (that users hardly notice) is worth a lot. Unfortunately if management doesn't recognize this, they will probably only think of it when things went wrong.
Make a calculation estimating the cost in lost hours of production and other costs you know off in the different cases and Quest might proff to be the least expensive alternative.

Last Wiki Answer Submitted: March 20, 2006 5:02 am by Jcan123

0 pts.

All Answer Wiki Contributors: Jcan123

0 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags