Aynı network iki farklı domain?

Okay, this is a small write-up on Active Directory Migration terms as I’ve found that there’s a lot confusion on the correct terms or questions and answers on the Newsgroups or the Technet Forums when it comes to upgrading/changing/restructuring your AD design.

So let’s get started with the fact, that there are three basic types of “changes” you do in your AD infrastructure that impact domain and forest. We won’t focus on the OU and site designs for now but look at the domain and forest changes here. You can differentiate between three types here, I think:

• Upgrade domain controllers to a newer version of Windows


• Perform a intra-forest migration


• Perform a inter-forest migration

Those are the types. Here are the differences:

Upgrading domain conrollers to a newer version of Windows:

There’s a lot of confusion out there - it happens every time a new version of Windows comes up. Currently, this is with Windows Server 2008 R2. You want to upgrade your domain controllers to Windows Server 2008 R2, if they’re currently running an older version of Windows and want to use new features that come with Server 2008 R2, like the RecycleBin. You choose this option to get new features, get rid of old DCs, to replace hardware or use current hardware with new Windows versions. What you do is simple: you introduce new DCs to the domain by installing the new Windows version on a box and promote it to a DC. Like that, you increase the number of DCs for a moment. Once they’re promoted and working as DCs, you move FSMO roles and other “responsibilities” to the new DCs and remove the old ones. This usually is a multi-step process since you don’t want to promote new DCs or demote old DCs all at once - you can look at the picture above. Green DCs are introduced to the environment, red DCs are going to be demoted with the next step. Note that this is NOT a migration at all. This is what you are supposed to do when upgrading your AD - you don’t need migration tools like ADMT or Quest’s suite here. Another note: While inplace upgrades work too (slam a new Windows Server DVD into the drive and install the new Windows version over the currently running), I’m not a fan of that. A clean installation is a chance to start over and get rid of all junk that a DC lives through.

Intra-Forest migrations:

We’re getting to the ‘real’ migrations now. An intra-forest migration is a migration that happens within one forest. What you do is move objects from one domain in the forest (the source domain) to a different domain in the same forest (the target domain). While you can move objects pretty easily between OUs within a domain, it isn’t as easy with different domains. Reasons for an intra-forest migration are usually internal re-structurings, creation of new domains for new regions and locations, maybe department split-ups that need seperate IT administration due to security reasons, … and so forth. You do an intra-forest migration when the internal domain structure in Active Directory has changed. You usually need a lot of planning and training here, as with users and computers, you sometimes migrate servers there, too. You also need a set of tools, like the aforementioned ADMT (Active Directory Migration Tool). Objects are _moved_ from the source to the target domain. They exist only once before the migration, during the migration and after the migration, so you need to make sure resource access in both the source and the target domain works — but we’re getting to deep into it. There are multiple scenarios you see in the pictures below:

Inter-Forest migrations:

Inter-Forest-Migrations are what you want if the migration of objects involves domains that are in different forests. You usually go for that with mergers, split-ups, acquisitions or a start-over if something went wrong with the current forest. Sometimes, you do that to maintain a secure boundary between different departments in your organization - although it involves more cost, hardware and maintenance effort. By performing a inter-forest migration, you need forest-trusts between the source forest and the target forest. During the migration, the objects to be migrated exist twice. In the target domain as well as in the source domain. Since the two forests do not share a common SID base, security information on security principles cannot be moved as with intra-forest-migrations. That is also the reason why resource access must be carefully planned with intra-forest-migrations. Again, there are a few scenarios:

These are just example migration scenarios. The point is that you might first want to look into what your personal scenario is and then start thinking about what needs to be done. I hope this makes things clear. It took me longer to get the Visio shapes ready than writing the blog posting together… 🙂