
We have two offices of similar size, with a single server at each. Currently users at office #2 manually VPN directly to Office #1 to access resources.

I want to replace the individual VPNs with a persistent site-to-site VPN between the two firewalls/routers, and set up domain replication between the two servers.

Here's where I am at a loss: both servers are Forest Root Domains with the same name "company.local". I've only found this thread: Active Directory - forest trust between forests with same name? - which does not have any conversation about what to do in that situation.

My goal is to have a single forest with a single domain with two sites, connected via the site-to-site VPN. Ideally I would change the domain name to "corp.company.com" from "company.local" as well, but I think that will be even harder.


Here's a breakdown of the two servers:

Office #1 running Windows Server 2016 Standard with roles:

  • ADDS (Forest Root Domain : company.local) / ADCS / DNS / DHCP / File & Storage (all of our network folders) / IIS / NPAS / Print Services / Remote Access / Remote Desktop Services

Office #2 running Windows Server 2016 Essentials with roles:

  • ADDS (Forest Root Domain : company.local) / ADCS / DNS / DHCP / File & Storage (only system folders) / IIS / IPAM / Remote Access

Both Active Directories have separate users/groups set up - users have the same domain\login\password on both.


My plan is currently this:

  1. Get the site-to-site VPN working, at which point I'm not sure what issues that will cause between the two DCs, if any.
  2. Turn on DHCP on the router
  3. Uninstall ADDS/DNS from Office #2 server
  4. Join Office #2 server to Office #1's domain
  5. Install ADDS/DNS on Office #2 server, adding as a DC in the domain in a second site
  6. Turn off DHCP on the router, re-enable on Office #2
  7. Point the two DCs to replicate from one another

My Questions:

  1. Is this plan feasible?
  2. Am I missing important steps?
  3. Will there be issues with my user profiles at site #2?
  4. Should I even attempt to change the domain from company.local to corp.company.com?

Thank you for reading. Any thoughts or direction on this will be greatly appreciated!

1 Answer

You are correct in assuming that one of the two domains needs to go; you can't create a trust between two domains with the same name.

Removing the second domain and re-purposing its server as a replica domain controller for your main domain is indeed a solution; but this will require re-joining all computers in the branch office to your domain, because even if both domains have the same name, they are definitely not the same thing; the same goes for user accounts, and thus for user profiles.

If you want to avoid re-creating all user profiles, you could perform a domain migration; but again, this is not possible between two domains with the same name.

Renaming one of the two domains can be a viable choice, but beware: this is usually a pain on almost the same level as a domain migration.

If you have a small number of users and computers in the branch office, just do as you planned: delete their domain, set up their server as a domain controller for your domain, and re-join all computers to it.

If you have lots of users, or if you absolutely need to keep their user profiles, then you should first rename one of the domains and then perform a domain migration.

If you choose to go this route, I suggest renaming their domain, which is going to be deleted after the migration; a renamed domain is more prone to issues, thus it's better to do that to the domain you are going to remove than to the one you are going to keep.

Massimo
Thank you, Massimo. We don't have many users at Office #2 at the moment, so I will just rejoin them to the domain and manually transfer their personal files. – Rudolph561 Feb 01 '19 at 13:26
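The consolidation route the answer recommends (remove the branch domain, re-join its server, promote it as a replica DC in a second site), as an added PowerShell walkthrough that is not part of the question or the answer; the server names SRV1/SRV2, the site names, the subnets and the COMPANY\Administrator account are assumptions.

```powershell
# Added example, not from the question or answer. Assumed names: head-office DC
# "SRV1" (192.168.1.0/24, site "Office1", currently Default-First-Site-Name),
# branch server "SRV2" (192.168.2.0/24, site "Office2"), domain company.local.
# Run each phase as an administrator of the domain that is being kept.

# --- Phase 0: run on SRV1, then on SRV2. Same DNS name but different domain
# SIDs proves the two "company.local" domains are unrelated, so neither a
# trust nor a merge is possible and the branch domain has to be removed.
(Get-ADDomain).DomainSID.Value

# --- Phase 1: on SRV2, demote the last DC of the branch forest (this also
# drops its AD-integrated DNS zones). Keep branch DNS isolated from the head
# office until this is done, so clients never resolve "company.local" to a
# DC of the wrong domain.
$localPwd = Read-Host -AsSecureString 'Local administrator password for SRV2'
Uninstall-ADDSDomainController -LastDomainControllerInDomain `
    -RemoveApplicationPartitions -LocalAdministratorPassword $localPwd -Force
# After the reboot, point SRV2's DNS client at SRV1 and join the kept domain.
Add-Computer -DomainName 'company.local' `
    -Credential (Get-Credential 'COMPANY\Administrator') -Restart

# --- Phase 2: on SRV1, describe both sites so clients and replication pick
# the nearest DC. The default site is renamed rather than recreated.
Rename-ADObject -Identity 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=local' `
    -NewName 'Office1'
New-ADReplicationSite -Name 'Office2'
New-ADReplicationSubnet -Name '192.168.1.0/24' -Site 'Office1'
New-ADReplicationSubnet -Name '192.168.2.0/24' -Site 'Office2'
New-ADReplicationSiteLink -Name 'Office1-Office2' -SitesIncluded 'Office1','Office2' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# --- Phase 3: on SRV2, promote it as an additional DC and DNS server in Office2.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrmPwd = Read-Host -AsSecureString 'DSRM password for SRV2'
Install-ADDSDomainController -DomainName 'company.local' -SiteName 'Office2' -InstallDns `
    -Credential (Get-Credential 'COMPANY\Administrator') `
    -SafeModeAdministratorPassword $dsrmPwd -Force

# --- Phase 4: verify replication over the VPN before moving DHCP/DNS back to SRV2.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target 'SRV2' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
# Each re-joined branch workstation should then report a healthy secure channel:
Test-ComputerSecureChannel -Verbose
```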