Complex domain migration

blargoeblargoe Self-Described HuguenotNC, USAMember Posts: 4,174 ■■■■■■■■■□
I have a single forest with two domain trees - a.com and b.com. 2003 Native domain and forest functional levels, running Exchange 2007 and OCS 2007.

I have a desired end configuration of the b.com domain (or a new domain of the same name) being in a separate forest, with a trust between the two forests so b.com users can mailboxes in the a.com forest, but I'm not seeing a way to do this that won't be hideous to implement.

The only way I can think of is to do a domain rename of the b.com domain to a different name... like b.local... and create a new b.com in a new forest. Then ADMT all the objects from b.local to the new b.com. Domain rename make me shudder though.

Has anyone ever implemented something similar? Politics is going to weigh strongly in favor of keeping the same fqdn and (to a lesser extent) netbios name, but there's going to be a requirement in the future to split that entity and sever our ties so I have to plan ahead.

Thanks
IT guy since 12/00

Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

Comments

  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Screw the politics - seriously. What is the business/technical justification for keeping the names the same.
  • Hyper-MeHyper-Me Banned Posts: 2,059
    hell just name it whatever you want, and for the users that will complain give them an alternate UPN suffix ;)
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Hyper-Me wrote: »
    hell just name it whatever you want, and for the users that will complain give them an alternate UPN suffix ;)
    There may be a very good reason why it shouldn't be changed , hence why I was asking what the justification was.
  • Hyper-MeHyper-Me Banned Posts: 2,059
    astorrs wrote: »
    There may be a very good reason why it shouldn't be changed , hence why I was asking what the justification was.

    I know, and you are right.

    Although im willing to bet it cant be changed for political reasons, and at that measure you can fool end users with the upn suffixes.
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    blargoe

    wish I could help, but way cool real world scenario! wow thanks
    makes a tech think hard on this one...thanks and good luck!
    icon_study.gif
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    Parent company wants all of us to have internal domain name = public domain name.

    In the meanwhile, I'm just hoping we can convince them it's not a good idea to keep that hard requirement in this case, or to let us just do the alternate UPN until company B takes over their own affairs and make them deal with it themselves.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    That should be easy to resolve them, show them the whitepapers on AD design best practices and remind them that it's usually best to have a seperate domain name for the forest (domain.private or what have you). That way you prevent split DNS etc.
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    That should be easy to resolve them, show them the whitepapers on AD design best practices and remind them that it's usually best to have a seperate domain name for the forest (domain.private or what have you). That way you prevent split DNS etc.

    astors

    I agree with this. This I understand weird. wonder why they would want that? doesnt make sense...engineers should use the SECURITY word and tell them it is unsecure!
Sign In or Register to comment.