Domain Rebuild

kitaab posted this 02 March 2017

We have our domain as 

Now we have a request to create an additional domain and start phasing out slowly.

So over a year all the services running in will have to be rebuilt in 

During the rebuild process, users and computers will stay in the domain until the final day.

However, all servers / application servers will be built in the and eventually users in will have to use the services from servers as the servers will be removed from

We want abc users to be able to access resources in both abc and def domains.

However, def users shouldn't be able to use services in abc domain.

Communication is enabled on the network level

Q: What is the best way for us to accomplish this?

Q: How can we make sure that users who want to access applications from def do not face any DNS resolution issues?

Q: What is the best way to clone a machine in abc and bring that up in def, in case some application server cannot be rebuilt?

Parzival posted this 02 March 2017


You are basically looking at a forest migration scenario. So in your case, you'd need a forest trust between abc and def.

In the group policy of ABC computers, you can put in alternate DNS suffixes, so in there add If users try to ping <server>, all systems will initially try and then try for naming.

Next, when you move servers over (using ADMT migration, or domain swap), your users will be able to connect to these servers based on the trust and their primary SID.

When you migrate users over to DEF, you will keep the SID of abc in the SIDHistory field. With this field, these users are able to connect to old servers in but you will have to disable SIDHistory on the forest trust.

With regards to the rebuild, I have seen many migrations where we just flipped the domain of the server and it worked without a problem icw SID history. There are some applications that don't like this; those applications usually rely on the domain name instead of the SID for security/database user mapping. SharePoint for example, or Dynamics AX/Navision. They will need to be rebuilt completely.

Basically, not something that you do overnight.

kebabfest posted this 02 March 2017

Q1: Just put in a 2-way trust. As long as you don't have resources using Authenticated Users for access, then access should be restricted.

Q2: Put in conditional forwarders between domains and ensure the DNS search suffix for both domains is set on both domains.

Q3: Generally, taking shortcuts like this will cost you in the long term. Understand the applications and rebuild them for a clean build.

BTW, the logic of migrating users first then servers is generally much easier and quicker.
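The DNS and trust plumbing that both replies above describe (conditional forwarders in each direction, a DNS suffix search list on the clients, and a forest trust whose SID filtering state you can inspect), as an added PowerShell example that is not from any poster in this thread. The forest names `abc.example` and `def.example`, the DNS server addresses `10.0.1.10` and `10.0.2.10`, and the host names passed to the check at the end are placeholders I chose, since the original post's domain names did not survive extraction; `Test-CrossForestResolution` is a helper written for this example.

```powershell
# Added example, not from the thread. Placeholders: abc.example = old forest, def.example = new
# forest, 10.0.1.10 / 10.0.2.10 = a DNS server in each forest. Run in an elevated session with
# the DnsServer, DnsClient and ActiveDirectory modules (RSAT) available.

# --- DNS server side: conditional forwarders, one per direction ---
# On a DNS server in abc.example: send def.example queries to the def DNS servers.
Add-DnsServerConditionalForwarderZone -Name 'def.example' `
    -MasterServers '10.0.2.10' -ReplicationScope 'Forest'
# On a DNS server in def.example, create the mirror image:
#   Add-DnsServerConditionalForwarderZone -Name 'abc.example' -MasterServers '10.0.1.10' -ReplicationScope 'Forest'

# --- DNS client side: suffix search list so a short name like "app01" is tried in both domains ---
# For fleet-wide rollout the same list is set by GPO under
# Computer Configuration > Administrative Templates > Network > DNS Client > "DNS Suffix Search List".
Set-DnsClientGlobalSetting -SuffixSearchList @('abc.example', 'def.example')

# --- Trust: read-only inspection of the forest trust from the abc side ---
# Direction/ForestTransitive confirm the trust shape; SIDFilteringQuarantined and
# SIDFilteringForestAware show whether SIDs from the other forest (incl. SIDHistory) are filtered;
# SelectiveAuthentication shows whether users from the other forest must be granted
# "Allowed to Authenticate" per resource instead of authenticating everywhere.
Get-ADTrust -Filter "Name -eq 'def.example'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined,
                  SIDFilteringForestAware, SelectiveAuthentication
# SID history handling on an existing forest trust is toggled with netdom, e.g.
#   netdom trust abc.example /domain:def.example /EnableSIDHistory:No
# Re-run the Get-ADTrust query afterwards to confirm the change took effect.

# --- Verification: does each name resolve after the forwarders and suffix list are in place? ---
function Test-CrossForestResolution {
    param([Parameter(Mandatory)][string[]]$Hosts)
    foreach ($h in $Hosts) {
        try {
            $records = Resolve-DnsName -Name $h -Type A -ErrorAction Stop
            [pscustomobject]@{
                Host     = $h
                Resolved = $true
                Address  = (($records | Where-Object Type -eq 'A').IPAddress -join ', ')
            }
        } catch {
            [pscustomobject]@{ Host = $h; Resolved = $false; Address = $null }
        }
    }
}

# Short name (relies on the suffix list), FQDN in the new forest (relies on the forwarder),
# and an FQDN in the old forest as a control. Host names are placeholders.
Test-CrossForestResolution -Hosts 'app01', 'app01.def.example', 'dc01.abc.example' | Format-Table -AutoSize
```

A practical sequence is to add the forwarders first, then run `Test-CrossForestResolution` with an FQDN from each forest before touching the suffix list; that separates "forwarding is broken" from "the suffix list is wrong", which otherwise look identical to users as "the server is not found".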