
We have a somewhat screwed-up AD domain structure. At some point in the past, Domain A was the parent to Domain B. We have two locations, so I believe previous IT staff set up the remote location as a child of our existing domain. At some point before I worked here, there was a serious problem with network and whatever consultant was brought in to fix things wound up changing things around so that Domain B is now the parent of Domain A. I really don't know more detail than that, but this is what I've been told.

At a later point, but also before I worked here, the IT admin at the time created a new domain in a new forest, thinking that we needed to start fresh. The problem was that there were, in his words, screwed-up permissions due to the parent/child switcheroo. (A big part of our problem is that, although we do pretty well managing the network, neither he nor I is an AD expert.)

A big piece of this migration, which has been going on for quite a while now, is moving Exchange into the new domain. This would involve cross-forest migration of all mailboxes (~180 users), and is not for the faint of heart, from what I understand. Particularly since downtime is absolutely not an option.

A consultant that we hired to help with the Exchange migration got seemingly nowhere after 6 months, so we found someone else, who seems a lot more qualified. This new consultant says that, although we can migrate to a new forest, it's a much bigger deal, more expensive, and will take more time. His suggestion is to do a domain rename instead.

As we evaluate our options, I'm looking for advice from other experts out there. Does what this new guy says sound reasonable? Is it wiser for us to consider a (supposedly less expensive and easier) domain renaming process of our two current "old" domains rather than migrating everything to our new domain in a forest? Thanks in advance.

johnnyb10
  • I feel for you. You're in a bad situation. Be sure to cross all your Ts and dot all your Is so you don't get burned. – Chris S Aug 17 '10 at 20:54
  • Shameless business solicitation: That $30K price you were quoted (per your comments below) sounds outrageous (unless I'm misunderstanding some mitigating circumstances). You don't mention where in the world you are in your profile, but I'd certainly be interested in giving you an opinion "on spec" if you're interested in discussing it further. My Server Fault profile has a link to my company's web site w/ telephone and email contact information. – Evan Anderson Aug 17 '10 at 21:35

2 Answers

I'm really concerned with how the previous consultant switched the forest root and a subdomain's roles. That really shouldn't be possible, and I've got a funny feeling they pulled some "unsupported" black magic.

If that's the case, I'd opt for migrating to a new forest/domain(s) and scrap the existing; as $DEITY only knows what else is lurking in that schema. It involves more work; but it's not that much more and 180 mailboxes doesn't sound like a lot (without knowing how large they are).

Chris S
  • Thanks for your response. The mailboxes are large - many over 2 GB and a few as large as 8 GB. The new consultant says that he's poked around in our existing domain structure and nothing really looks "broken". He seems to think that the risk and expense of migrating to a brand new forest is significant and that usually it's only done in cases where, say, one organization acquires another and needs to fold it in to their existing forest. – johnnyb10 Aug 17 '10 at 19:46
  • Agreed, as soon as I read "Domain B is now the parent of Domain A" I felt just BAD. – Massimo Aug 17 '10 at 19:46
  • @johnnyb10, I don't see where a forest migration is "risky", but it is complicated and your situation definitely requires someone with experience and attention to detail. I personally would feel extremely uncomfortable working on your system after someone switched the forest root. Perhaps Evan will weigh in, he's got more experience in these odd AD cases. – Chris S Aug 17 '10 at 19:54
  • If you start over and build it right, you'll pay for it once. With the rename, you STILL might end up having to pay for the other option, if things don't go well. Sounds like you've already paid for this once with no good result - I'd opt for a healthy AD. – Kara Marfia Aug 17 '10 at 19:54
  • I'm with Chris S on this one. Who knows what else lurks in the deep recesses of your current domain? It may be more work to migrate to a new domain but I don't see it as inherently risky. Make sure you've got good backups of your data, export your mailboxes, document as best you can the existing applications and dependencies, file structure, etc. – joeqwerty Aug 17 '10 at 19:58
  • Great feedback all; thanks. I guess at this point, given the significant cost difference, why wouldn't we do a rename, if it really is quicker and less risky? (We were quoted around $30k to do the migration; no price yet on the rename, but it supposed to be a lot less.) As it is, we're not sure management will swallow $30k, so if we can pay less and wind up in the same place, that's what we need to do. But it sounds like you're all thinking we won't necessarily wind up in the same place. What things could be "lurking in deep recesses" that wouldn't be obvious to the consultant now? – johnnyb10 Aug 17 '10 at 20:17
  • @johnnyb10; I don't suppose by some good graces your environment is primarily virtualized where you can clone machines and 'try before you buy'? – Chris S Aug 17 '10 at 20:39
  • Our MS field tech said that if we ever felt the need to rename our domain, we were to call him so that he could talk us out of doing it. – johnh Aug 17 '10 at 20:41
  • There are too many unanswered questions here for me to feel comfortable making any recommendation. If there was "unsupported black magic" occurring in the past then I'd be leery of moving forward with that database. Having said that, my gut says that the "parent / child switch" probably amounted to a move of objects from one domain to the other (possibly poorly executed). Domain rename is perfectly feasible if you approach it methodically and proceed carefully. If you're unsure it's going to work, mock it up in a lab of VMs first. – Evan Anderson Aug 17 '10 at 21:12
  • The only real "risks" in a migration are insufficient resources to do it properly (taken to extreme, you could migrate to wholly new servers with little real risks, for example) and inexperienced people doing the migration. It might be a lot of work but that's all there is. – Rob Moir Aug 17 '10 at 21:13
  • What's the cost / benefit of investigating the "cheaper solution" versus just spending the money on the more expensive solution? If you can get somebody to spend 10 hours at, say, $200.00 / hr mocking it up and testing it, and you end up "saving" $20K in additional costs because the domain rename scenario works out then it's a net win. (In the end, I tend to think that this is probably a fairly straightforward scenario surrounded in the "fog" of lack of information because time has passed since the various "consultants" did their (presumably vaguely documented) work.) – Evan Anderson Aug 17 '10 at 21:14
  • @Robert Moir: I'd say a "risk" would be "Oh, crap-- we didn't do our homework and we did this and now Microsoft says we're in an "unsupported" configuration." – Evan Anderson Aug 17 '10 at 21:15

Which version of Exchange? If anything later than 2003, renaming the domain(s) is definitely not supported.

Also, why exactly would you want to rename it/them? I don't think that would only be a cosmetic change, so what do you want to accomplish exactly? Switch the two domains back again (the horror, the horror)?

I strongly suggest starting with a fresh domain, too. Your situation looks WAY too much compromised to be stable in the long term.

Massimo
  • Also, moving live mailboxes around is child's play with Exchange 07+, that definitely shouldn't influence anything. – Kara Marfia Aug 17 '10 at 19:55
  • We are using Exchange 2003. The idea behind renaming is to get us back to one single domain. So we'd move stuff from the child to the parent (or vice-versa? I'm not sure) and then rename it as one domain. @Kara: Should we consider upgrading to Exchange 2007 first, in order to make the migration easier? We were thinking that we should wait until we have our domain structure sorted out before we do that. – johnnyb10 Aug 17 '10 at 20:11
  • Ouch, yes, I'd opt for getting Exchange on an already-healthy AD, too. I was hoping you were on 07 already. Not sure you're going to be able to avoid some form of downtime with 03 - that may be why the consultant is favoring the rename? @Evan Anderson - good to know this is a terrible idea, I knew you'd show up and clear this up! – Kara Marfia Aug 17 '10 at 20:21
  • @Kara Marfia: DNS domain rename isn't supported in an Exchange 2007 or 2010 environment. If the poster upgrades his Exchange infrastructure he'll be shut-out of any future domain rename possibilities. See: http://technet.microsoft.com/en-us/library/cc816848(WS.10).aspx – Evan Anderson Aug 17 '10 at 21:17
  • Thanks again for the help everyone. I have some more info. We had a call with the consultant again and, based on more poking around on his end--including the realization that we've already moved our workstations over to the new domain--he said that the rename is probably not a good option at this point. He said our best bet might be to move to the new domain after all, but he suggested we upgrade to Exchange 2007 first, as that will make it easier. Do others agree that this will help? If so, can you briefly explain why? I guess the plan would be that, after doing that, we'd use the ADMT. – johnnyb10 Aug 20 '10 at 12:38
  • My partner in IT also thought that we might be able to use the Interorg Replication Tool to allow us to set up users in both domains (actually, each user in one domain would have a linked contact in the other) to allow us to migrate mailboxes on our own schedule from one domain to the other, resulting in essentially no downtime. See: http://technet.microsoft.com/en-us/library/aa996010(EXCHG.80).aspx for the description. Does anyone have any experience with this or thoughts re: feasibility? Thanks. – johnnyb10 Aug 20 '10 at 12:42
  • The InterOrg Replication Tool only exists in Exchange 2003; you need other tools to have two Exchange 2007 organizations interoperate. Anyway, I think it's better if you stick with Exchange 2003: what's the point in migrating it if you're going to dismiss it anyway? Also, a migration could very well fail, given the current state of your Exchange 2003 system. – Massimo Aug 20 '10 at 12:50
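Both answers turn on facts that can be read directly out of the directory rather than taken on faith: which domain the forest actually records as its root, what the parent/child relationships are today, which trusts exist to the "new" forest, and which Exchange version is installed (the rename being unsupported on Exchange 2007 and later). The following PowerShell is an added, read-only inventory script; it is not code from this thread or from any of the posters. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the configuration partition, that `Get-ADTrust` is available (Windows Server 2012 or later module), and that the `serialNumber` attribute on `msExchExchangeServer` objects carries the Exchange version string (an assumption about the Exchange schema; Exchange 2003 reports "Version 6.5", 2007 "Version 8.x", 2010 "Version 14.x").

```powershell
# Added example, not from the Server Fault thread. Read-only inventory of the
# forest topology and Exchange server version, so the claims made about the
# "parent/child switch" and the rename restriction can be checked before
# committing to a domain rename or a forest migration.
# Assumptions: RSAT ActiveDirectory module; read access to the configuration
# partition; Get-ADTrust available; the msExchExchangeServer 'serialNumber'
# attribute holds the Exchange version string.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Forest mode        : $($forest.ForestMode)"
Write-Host "Domains in forest  : $($forest.Domains -join ', ')"

# Parent/child relationships as AD records them today, not as remembered.
$topology = foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '(forest root)' }
    [pscustomobject]@{
        Domain      = $d.DNSRoot
        Parent      = $parent
        Children    = ($d.ChildDomains -join ', ')
        DomainMode  = $d.DomainMode
        PDCEmulator = $d.PDCEmulator
    }
}
$topology | Format-Table -AutoSize

# Trusts: a forest or external trust to the "new" forest is what an ADMT
# migration relies on; its absence is the first thing to fix on that path.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize

# Exchange version from the configuration partition. Domain rename is not
# supported with Exchange 2007/2010, so this decides whether rename is even
# an option. Exchange 2003 reports "Version 6.5", 2007 "Version 8.x",
# 2010 "Version 14.x".
$cfg = (Get-ADRootDSE).configurationNamingContext
$exchangeBase = "CN=Microsoft Exchange,CN=Services,$cfg"
try {
    Get-ADObject -SearchBase $exchangeBase `
                 -LDAPFilter '(objectClass=msExchExchangeServer)' `
                 -Properties serialNumber -ErrorAction Stop |
        Select-Object Name, serialNumber |
        Format-Table -AutoSize
} catch {
    Write-Warning "No Exchange organization found under $($exchangeBase): $_"
}
```

Run it from a domain-joined workstation with RSAT as an ordinary domain user; every call is a read, so it can be repeated before and after a lab mock-up of either plan. If the topology table shows a domain whose recorded `Parent` disagrees with what the organization believes (as with the Domain A/Domain B history above), that discrepancy is the thing to resolve with the consultant before any price is agreed.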