
Wondering if anyone could offer some advice on something. I have a domain that desperately needs to be upgraded. Typically, one would add a new DC with a reduced functional level to the domain, transfer roles, remove the old DC, raise the functional level and be done with it but I am left in a situation where I cannot adprep or forestprep the existing domain controller due to ages of mismanagement and poor maintenance leaving broken/untouchable objects in AD. I have tried every fix I could find even resorting to trying to make manual changes to the AD hive. Admittedly, this is probably how my predecessor broke it in the first place :/

My alternative option is now to create a fresh, new domain as we have a small environment. What I would like to do is create a trust between the old forest and new forest (2003 R2 and 2012 R2) and use ADMT to migrate/copy users with their sIDHistory to the new domain in the new forest so everyone can just keep their existing profiles.

The problem I can't seem to climb over is how to establish the trust between the two forests without having separate networks. The new DC can see the other forest to trust it but the old DC cannot see the new forest to reciprocate the trust relationship. This might be obvious to someone accustomed to managing corporate mergers as opposed to only managing existing infrastructure. I have a feeling this has to do with advertised services/DNS but I'm probably not correct and find myself on a tangent chasing loosely related solutions.

I have also played with the idea of converting everyone's domain profiles to local profiles, joining them to the new domain and then converting their profiles back to domain profiles. Would this in effect present the same requirement of the user accounts on the new domain needing the sIDHistory?

Thank you in advance for any advice.

2 Answers


There are 2 possibilities, DNS issues or firewall issues. Try changing the domain firewall on the new DC. If that fails make sure the new forest resolves properly from the old PDC emulator.

Jim B
  • On the DNS front, the asker should probably manually add forward lookup zones in each domain for the other domain, with (same as parent folder) records pointing to the domain controllers of the other domain, if they haven't already done so. – Todd Wilcox May 20 '16 at 18:33
  • Yes, I didn't want to add a step-by-step guide as that's documented fairly well already. – Jim B May 20 '16 at 18:39

AD Trusts don't have any direct relationship to networks or subnets. Your problem is more than likely due to a lack of Conditional Forwarders or Stub Zones on one side of the proposed Trust. In each domain you need to configure Conditional Forwarders or Stub Zones for the other domain that direct DNS queries for that domain to the DNS servers for that domain. It sounds like you're missing those on one side.

To clarify a few statements you made:

add a new DC with a reduced functional level to the domain - Domain Controllers don't themselves have functional levels. There is a DFL (Domain Functional Level) and a FFL (Forest Functional Level), but Domain Controllers don't have functional levels.

I have tried every fix I could find even resorting to trying to make manual changes to the AD hive - AD isn't referred to as a hive. People aren't going to know what you're talking about if you refer to it as a hive. Active Directory is a database comprised of multiple partitions.

joeqwerty
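To make the DNS and trust steps from both answers concrete, here is an added worked example (it is not from the question or either answer). It assumes placeholder forest names old.example.local (the 2003 R2 forest, DC at 10.0.0.10) and new.example.local (the 2012 R2 forest, DC at 10.0.0.20); substitute your own. It sets up the cross-forest name resolution both answers point at, checks DNS and the firewall ports Jim B mentions before touching the trust, creates the two-way forest trust from the 2012 R2 side, and then shows the SID-filtering state that decides whether the sIDHistory ADMT writes will actually be honoured.

```powershell
# Added example, not code from the original post or answers.
# All names and addresses are placeholders/assumptions:
$OldDomain = 'old.example.local'   # 2003 R2 forest root (assumed)
$NewDomain = 'new.example.local'   # 2012 R2 forest root (assumed)
$OldDcIp   = '10.0.0.10'           # assumed address of the old DC
$NewDcIp   = '10.0.0.20'           # assumed address of the new DC

# --- Step 1: DNS. Each forest must resolve the other's _msdcs SRV records.
# On the NEW DC (the DnsServer module ships with the 2012 R2 DNS role):
Add-DnsServerConditionalForwarderZone -Name $OldDomain -MasterServers $OldDcIp -ReplicationScope 'Forest'

# The OLD 2003 R2 DC has no DnsServer module; use dnscmd there instead
# (/Stub instead of /Forwarder creates a stub zone, as joeqwerty suggests):
#   dnscmd /ZoneAdd new.example.local /Forwarder 10.0.0.20

# --- Step 2: Prove DNS and the firewall work BEFORE creating the trust.
# Run on the new DC (Resolve-DnsName and Test-NetConnection exist on 2012 R2).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$OldDomain" -Type SRV
foreach ($port in 53, 88, 135, 389, 445, 464) {
    Test-NetConnection -ComputerName $OldDcIp -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
# From the old DC the equivalent check is:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.new.example.local

# --- Step 3: Create a two-way forest trust from the new forest. The .NET call
# configures both sides at once, so the old DC never has to initiate anything.
# Needs Enterprise Admins in the new forest plus Enterprise Admin credentials
# for the old forest. Both forests must be at Windows Server 2003 forest
# functional level or higher for a forest trust to be possible.
$OldCred = Get-Credential -Message "Enterprise Admin in $OldDomain"
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList @([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
                    $OldDomain, $OldCred.UserName, $OldCred.GetNetworkCredential().Password)
$OldForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$NewForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$NewForest.CreateTrustRelationship($OldForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# --- Step 4: Verify the trust and its SID-filtering state. SID filtering is on
# by default and strips the old-domain SIDs that ADMT writes into sIDHistory,
# which would defeat the "keep existing profiles" goal.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware, SIDFilteringQuarantined

# To let the old (resource) forest honour sIDHistory on accounts migrated to the
# new forest, relax SID filtering on the old forest's side of the trust. Run on a
# DC in the old forest. This widens the trust's attack surface (any SID the new
# forest presents is accepted), so revert it once the migration is done:
#   netdom trust old.example.local /domain:new.example.local /EnableSIDHistory:Yes /UserD:<new\admin> /PasswordD:*
# For an external (non-forest) trust the equivalent switch is /Quarantine:No.
```

Step 2 is the part that answers the actual question: if the SRV lookup fails from one side, that side cannot find the other forest's domain controllers and the trust wizard has nothing to talk to, regardless of how the networks are laid out. Run the trust creation only once both the lookup and the port checks succeed in each direction.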