Wednesday, June 13, 2018

active directory - Forest trust on the same subnet to migrate users

Wondering if anyone could offer some advice on something. I have a domain that desperately needs to be upgraded. Typically, one would add a new DC with a reduced functional level to the domain, transfer roles, remove the old DC, raise the functional level and be done with it, but I am left in a situation where I cannot adprep or forestprep the existing domain controller due to ages of mismanagement and poor maintenance leaving broken/untouchable objects in AD. I have tried every fix I could find, even resorting to trying to make manual changes to the AD hive. Admittedly, this is probably how my predecessor broke it in the first place :/

My alternative option is now to create a fresh, new domain, as we have a small environment. What I would like to do is create a trust between the old forest and the new forest (2003 R2 and 2012 R2) and use ADMT to migrate/copy users with their sIDHistory to the new domain in the new forest so everyone can just keep their existing profiles.

The problem I can't seem to climb over is how to establish the trust between the two forests without having separate networks. The new DC can see the other forest to trust it, but the old DC cannot see the new forest to reciprocate the trust relationship. This might be obvious to someone accustomed to managing corporate mergers as opposed to only managing existing infrastructure. I have a feeling this has to do with advertised services/DNS, but I'm probably not correct and find myself on a tangent chasing loosely related solutions.

I have also played with the idea of converting everyone's domain profiles to local profiles, joining them to the new domain and then converting their profiles back to domain profiles. Would this in effect present the same requirement of the user accounts on the new domain needing the sIDHistory?

Thank you in advance for any advice.
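The name-resolution step the question suspects, written out as an added example; it is not part of the original post and not the poster's configuration. It assumes placeholder forest names old.example (the 2003 R2 forest) and new.example (the 2012 R2 forest), placeholder documentation-range addresses 192.0.2.10 and 192.0.2.20 for the two DCs, and a domain-admin account in each forest. A forest trust needs each side to locate the other forest's domain controllers through DNS, so each DNS server gets a conditional forwarder for the other forest's zone before the trust is created; the cmdlets and tools used (DnsServer module, nltest, netdom) are the standard Windows ones.

```powershell
# Added example (not from the original post). Placeholder names/addresses:
#   old forest: old.example  (2003 R2 DC at 192.0.2.10)
#   new forest: new.example  (2012 R2 DC at 192.0.2.20)
# Both DCs share one subnet; what each side lacks is DNS resolution for the other forest.

# --- On the new (2012 R2) DC: forward the old forest's zone to the old DC ---
Add-DnsServerConditionalForwarderZone -Name 'old.example' `
    -MasterServers '192.0.2.10' -ReplicationScope 'Forest'

# Check the new DC can find a DC for the old forest (SRV record, then the DC locator)
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.old.example' -Type SRV
nltest /dsgetdc:old.example

# --- On the old (2003 R2) DC: no DnsServer module there, so from an elevated cmd prompt ---
#   dnscmd . /ZoneAdd new.example /Forwarder 192.0.2.20
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.new.example
#   nltest /dsgetdc:new.example

# --- Once both directions resolve, create the two-way forest trust from the new DC ---
# /uo,/po = credentials in the trusting (new) forest; /ud,/pd = credentials in the trusted (old) forest.
# '*' makes netdom prompt for each password instead of leaving it in the command history.
netdom trust new.example /d:old.example /add /twoway /forest `
    /uo:NEW\Administrator /po:* /ud:OLD\Administrator /pd:*

# Verify the trust in both directions and list what the new forest now trusts
netdom trust new.example /d:old.example /verify /twoway /uo:NEW\Administrator /po:* /ud:OLD\Administrator /pd:*
netdom query trust
nltest /domain_trusts /v
```

Two checks worth making before running the netdom step: a forest trust requires both forests to be at the Windows Server 2003 forest functional level or higher, so if the old forest is still at a 2000 level only an external (domain-to-domain) trust can be created, which ADMT also works across; and SID filtering is enabled by default on a new forest trust, which does not stop ADMT from writing sIDHistory into the new forest but does mean those historical SIDs are not honoured when new-forest accounts access old-forest resources, so leave it enabled and plan resource migration on that basis rather than weakening the trust.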
