Want to create a new AD site to replace my current one

ciggwin

I am interested in what I would have to do in order to create a new AD site from the ground up - to replace my current one.

The reasons why I would want to do this are to have a fresh start where I could make the domain a .local instead of a domain.domain.com as it is now. It would also enable me to clean up AD because we have a lot of old accounts/systems in there that have been there since before I started and I am not sure what they do, if they do anything at all. The domain is also a Windows 2000 native domain and I would be able to create a Windows 2008 R2 domain.

I know I would have to recreate all my users, distribution lists, and security groups. We use Exchange Online so there is no Exchange server to deal with. The only thing that I think would be a problem is the data server - how would I take the data server on DomainA and move it over to DomainB to work with all the new accounts? Would I strip permissions, take ownership with the new domain admin account, and then redistribute permissions?

I would be buying a new server and turning it into a DC/DHCP/DNS server for DomainB - the only other server would be the file server.

Good idea? Bad idea? Am I asking for more trouble than it is worth?

 
You want two domains?

The data will move over to the other server just fine, the only thing you would have an issue with is if the files had some crazy NTFS level permissions.

Another thing would be if you make the user accounts the same on the new server you will need to rename the profile folders on the local machines to .old or something so they don't try to use old data from the old server.
 
I would say it's more trouble than it's worth. Yes, file permissions would be a problem. You could use the Active Directory Migration Tool to move users into the new domain. This would create a new SID on the moved account but also keep the old one to retain access to resources in the old domain. Users are only part of the problem. There is also the problem with moving all the workstations/servers to get them re-registered in the new domain.

I've done two domain migrations and they are not fun. I would just investigate your current setup and make the necessary changes to clean it up.
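One check that helps with the file-permission problem raised in this thread, as an added example that is not from anyone posting here: a PowerShell script that inventories the explicit NTFS ACEs on the file server that are still bound to the old domain, or to SIDs that no longer resolve, so each one can be re-granted to a matching group in the new domain before the old domain is retired. The names OLDDOM, NEWDOM and the share root D:\Data are assumed placeholders.

```powershell
# Added example (not from the thread): inventory NTFS ACEs on a file server
# that still reference the old domain or unresolvable SIDs, so they can be
# re-granted to the new domain's groups before the old domain is retired.
# Assumed placeholders: old NetBIOS name OLDDOM, new domain NEWDOM, root D:\Data.
param(
    [string]$Root      = 'D:\Data',
    [string]$OldDomain = 'OLDDOM',
    [string]$NewDomain = 'NEWDOM'
)

# Returns one record per explicit ACE that will break when the old domain goes away.
function Get-StaleAce {
    param([string]$Path, [string]$OldDomain)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }        # only explicit ACEs need re-granting
        $id = $ace.IdentityReference.Value
        $orphaned = $id -like 'S-1-5-21-*'         # account SID Windows could not resolve
        $oldDom   = $id -like "$OldDomain\*"       # identity still in the old domain
        if ($orphaned -or $oldDom) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $id
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Reason   = if ($orphaned) { 'UnresolvedSID' } else { 'OldDomain' }
            }
        }
    }
}

# Walk the share root and every subfolder; ACLs on the root itself count too.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
$report  = $folders | ForEach-Object { Get-StaleAce -Path $_.FullName -OldDomain $OldDomain }
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\stale-aces.csv"

# Proposed re-grant list: a group with the same name must already exist in NEWDOM.
$report | Where-Object Reason -eq 'OldDomain' |
    Select-Object Path, Rights, Type,
        @{ n = 'GrantTo'; e = { $_.Identity -replace "^$OldDomain\\", "$NewDomain\" } } |
    Format-Table -AutoSize
```

Entries reported as UnresolvedSID are the leftovers the original poster describes (accounts nobody can identify) and are candidates for removal rather than re-granting.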
 
You want two domains?

The data will move over to the other server just fine, the only thing you would have an issue with is if the files had some crazy NTFS level permissions.

Another thing would be if you make the user accounts the same on the new server you will need to rename the profile folders on the local machines to .old or something so they don't try to use old data from the old server.

I only want one domain - I will just retire the old one.

We are getting new laptops so I was going to time this with the deployment so I would add all the new laptops to the new domain - I wouldn't have to do anything to the current (old) laptops.

 
I only want one domain - I will just retire the old one.

We are getting new laptops so I was going to time this with the deployment so I would add all the new laptops to the new domain - I wouldn't have to do anything to the current (old) laptops.

I would just run SBS 2011. Plus you will have added features like VPN, RDP, public folder shares, OWA right through Internet Explorer, and it's all single sign-on!

If you want to go with 2008 R2 then just build the server, install what needs to be installed, update the server, move the files over on the day of install, set the permissions on the folders to what you need, and set up scripts or group policy for anything else you need such as mapped drives and local permissions for certain users.

Don't forget you need to move PST files, Nk2 files and any other random documents on the local machines as well.

This is just a quick run down ;)
 
You'll need to recreate your directory sync server and ADFS server if you're using Exchange online.
 
If you're creating a new domain all security will have to be done from the ground up, including moving physical servers to the new domain. But if you used AD correctly (or now is the time) group/role security is fairly easy to do/migrate.
 