Domain Controller Cross Forest migration Part 2
Mohammed Hamada 4:35 AM Active Directory , Windows Migration , Windows Server
Current environment on the LAB.com DC
- Additional DC2
- SCVMM
- SCVMM SQL
- Exchange
- SCMM
- SCMM SQL
Computers
![clip_image001[7]](http://lh3.googleusercontent.com/-jUR4i3662kY/VUips4Fp8_I/AAAAAAAAOdE/nWFdsqp9gio/s1600-h/clip_image001%25255B7%25255D%25255B4%25255D.png)
Migration plan
AD 2012 R2 (LAB.com) to (Contoso.com) 2012 R2.
Users
![clip_image002[6]](http://lh3.googleusercontent.com/-cGUjb6Glxuc/VUipvBS7M3I/AAAAAAAAOdU/-ztAr98K_Jg/s1600-h/clip_image002%25255B6%25255D%25255B4%25255D.png)
In the second part of this series (DC cross forest migration) I will demonstrate some major required steps for the migration from the old DC (lab.com) to the new DC (Contoso.com)
NOTE:
SQL Servers and their applications can’t be migrated due to SQL permissions and Schema mismatch.
Requirements are :
Destination DC Forest Function and domain function level must be set to at least 2008 R2 for ADMT3.2 to work
![clip_image002[4]](http://lh3.googleusercontent.com/-HinCnqzNgD4/VUip2d_65vI/AAAAAAAAOdk/naMQT-39LJQ/s1600-h/clip_image002%25255B4%25255D%25255B4%25255D.png)
And a health check must be performed on the FSMO roles to make sure everything is functioning properly on the Source DC.. PDC, SchemaMaster..etc
The checks I will perform are
- Check replication (In case there’s more than one DC In the source forest).
- DC health (DCDiag tool)
- Check the reachability of the PDC.
Netdom query FSMO ( this command will show you which DC in the source forest holds the roles exactly)
![clip_image001[5]](http://lh3.googleusercontent.com/-D62bTSy6s3g/VUip4OocCOI/AAAAAAAAOd0/5joXBw72HSc/s1600-h/clip_image001%25255B5%25255D%25255B2%25255D.png)
1- For Checking replication you can use the repadmin command line which checks replication between sites, DCS and reports any errors in between. in case you have one server in pace the following outcome should be printed for you.
Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.
2- Check DC health using DCDIAG tool
Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting
https://technet.microsoft.com/en-us/library/cc731968.aspx
as they are multiple types of tests that can be applied with dcdiag depending on the parameter used. I will start with the DNS.
If the DNS is healthy then it should show as following. and we can continue to the next test.
For an extensive test, you can use the parameter /v along with this sign >c:\dcdiag.txt to export the test to a file and look at it line by line.
If everything sounds good and healthy we shall move on to the next step which is DNS configuration
DNS Configuration
Preparation:
- DNS replication between both domains
- Installing Windows 2008 R2 for ADMT 3.2
- Setting up domain trust between forests.
- DNS replication between the source and target domain
In order for the trust to be created between both forests, you either have to create a conditional forwarders that will copy the source zones to the destination DNS server and vice versa or you can create a secondary forwarder zone in destination DC for the source DC and vice versa.
In my case I will go for creating a secondary zone and to do this I will go to each DNS server and allow Zone to be transferred.
Note:
You can include only the IPs of the Source and Destination servers in the zone transfer and any additional DNS servers.
![clip_image003[7]](http://lh3.googleusercontent.com/-WLSZ5LO3CmE/VUiqFZF3Z6I/AAAAAAAAOfE/vgM7nU2XxE0/s1600-h/clip_image003%25255B7%25255D%25255B3%25255D.png)
Now I a have created a secondary zone DNS and trying to resolve FQDNs from the source server as in the below snapshot.
![clip_image004[7]](http://lh3.googleusercontent.com/-5LyS38qnXIE/VUiqIxvoFyI/AAAAAAAAOfU/O5dDz0-ZkSQ/s1600-h/clip_image004%25255B7%25255D%25255B3%25255D.png)
Same will be done on the destination server.
![clip_image005[7]](http://lh3.googleusercontent.com/-ydzGudpCVJM/VUiqMGO5nhI/AAAAAAAAOfk/vZ5V5XGnAsg/s1600-h/clip_image005%25255B7%25255D%25255B3%25255D.png)
Checking Name Resolution for both domains:
![clip_image006[7]](http://lh3.googleusercontent.com/-lktGGTPu_GM/VUiqP_l4NhI/AAAAAAAAOf0/QKvgeuHONrg/s1600-h/clip_image006%25255B7%25255D%25255B3%25255D.png)
Once the nslookup works as expected from both servers then we’ll ahead with creating forest trust between both DCs.
Creating Forest trust between Source and Destination Domain.
NOTE:
In order for the trust to be created between both source and destination domains the PDC on the Destination Domain must be available.
1. Open the Active Directory Domains and Trusts, right click on the domain and click properties.
![clip_image011[4]](http://lh3.googleusercontent.com/-q5FwrV3qHSA/VUiqSWxcu4I/AAAAAAAAOgE/wU1ovPIjIGI/s1600-h/clip_image011%25255B4%25255D%25255B2%25255D.png)
![clip_image012[4]](http://lh3.googleusercontent.com/-YiVGSQNFWnA/VUiqUbAc7vI/AAAAAAAAOgU/ni-2t6ik-Ns/s1600-h/clip_image012%25255B4%25255D%25255B2%25255D.png)
![clip_image013[4]](http://lh3.googleusercontent.com/-MTgEmtsoyUE/VUiqWKTnDuI/AAAAAAAAOgk/hlrItpMmUO4/s1600-h/clip_image013%25255B4%25255D%25255B2%25255D.png)
![clip_image014[4]](http://lh3.googleusercontent.com/-qjLdS6BdrZw/VUiqYBOmDuI/AAAAAAAAOg0/vqgaGgX4kKQ/s1600-h/clip_image014%25255B4%25255D%25255B2%25255D.png)
![clip_image015[4]](http://lh3.googleusercontent.com/-9nTIQUlUnTo/VUiqaNd2III/AAAAAAAAOhE/a6Fb-jk4DIc/s1600-h/clip_image015%25255B4%25255D%25255B2%25255D.png)
![clip_image016[4]](http://lh3.googleusercontent.com/-4zVMH637p-U/VUiqcsF-rzI/AAAAAAAAOhU/_mvUWDS0KZA/s1600-h/clip_image016%25255B4%25255D%25255B2%25255D.png)
![clip_image017[4]](http://lh3.googleusercontent.com/-lBlogjr-VvE/VUiqe7bKJSI/AAAAAAAAOhk/mj4fUg9Ks7E/s1600-h/clip_image017%25255B4%25255D%25255B2%25255D.png)
![clip_image018[4]](http://lh3.googleusercontent.com/-2NY2kxh0nP0/VUiqhCNw8SI/AAAAAAAAOh0/TFIgkvM681A/s1600-h/clip_image018%25255B4%25255D%25255B2%25255D.png)
![clip_image019[4]](http://lh3.googleusercontent.com/-N2GKNk5qqEU/VUiqjo3D9BI/AAAAAAAAOiE/kIlNVqRGzvM/s1600-h/clip_image019%25255B4%25255D%25255B2%25255D.png)
![clip_image020[4]](http://lh3.googleusercontent.com/-nIdBCp_55fs/VUiqlaOYvTI/AAAAAAAAOiU/1pNVsK9Ethg/s1600-h/clip_image020%25255B4%25255D%25255B2%25255D.png)
![clip_image021[4]](http://lh3.googleusercontent.com/-vXT8BwpFFhk/VUiqnoFc2DI/AAAAAAAAOik/QzhdrOEazqA/s1600-h/clip_image021%25255B4%25255D%25255B2%25255D.png)
![clip_image022[4]](http://lh3.googleusercontent.com/-YLr-tPjl7lU/VUiqpjEa0fI/AAAAAAAAOi0/QOAhzdbkWEA/s1600-h/clip_image022%25255B4%25255D%25255B2%25255D.png)
![clip_image023[4]](http://lh3.googleusercontent.com/-xrzjpZACKDU/VUiqrcVNQqI/AAAAAAAAOjE/qRGfnmYT_Nw/s1600-h/clip_image023%25255B4%25255D%25255B2%25255D.png)
![clip_image024[4]](http://lh3.googleusercontent.com/-oF1vvNOAuGs/VUiqtdETDuI/AAAAAAAAOjU/YwKezARopbY/s1600-h/clip_image024%25255B4%25255D%25255B2%25255D.png)
We will have to validate trust after creating it to make sure that trust in both ways are validated.
![clip_image025[4]](http://lh3.googleusercontent.com/-OQYL-maYY9Y/VUiqvSsxzeI/AAAAAAAAOjk/kSNvvypQG00/s1600-h/clip_image025%25255B4%25255D%25255B2%25255D.png)
![clip_image026[4]](http://lh3.googleusercontent.com/-JLF040Ut4kg/VUiqxY4stkI/AAAAAAAAOj0/3i3eqWKEmAY/s1600-h/clip_image026%25255B4%25255D%25255B2%25255D.png)
![clip_image027[4]](http://lh3.googleusercontent.com/-pdl5wGq-HOs/VUiqzZc5HvI/AAAAAAAAOkE/IDfZOIB1L78/s1600-h/clip_image027%25255B4%25255D%25255B2%25255D.png)
Now since trust is created and already validated both ways, we’ll have to add a GPO policy to update all clients with the new Domain name in the DNS suffix search list to resolve netbios names.
Updating DNS Suffix Search list:
DNS suffix search list:
In order to add the source and destination domains suffix to the dns suffix search list we will have to open GPO on the destination Domain (Contoso.com)
![clip_image028[4]](http://lh3.googleusercontent.com/-lgx1-C1hcos/VUiq1aVu0nI/AAAAAAAAOkU/-SfJOZ662Iw/s1600-h/clip_image028%25255B4%25255D%25255B2%25255D.png)
On the target domain (contoso.com) we’ll have to open GPO .
Right Click on default domain policy / Edit
![clip_image029[4]](http://lh3.googleusercontent.com/-IAiLTjEdG64/VUiq3TvDkcI/AAAAAAAAOkk/v4Jngn3Mkgs/s1600-h/clip_image029%25255B4%25255D%25255B2%25255D.png)
Go to (Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS client
Double click on the DNS Suffix Search list to open it and enable it.
![clip_image031[4]](http://lh3.googleusercontent.com/-E5d1WbJNx8o/VUiq6IwZO7I/AAAAAAAAOk0/44kw3wZMces/s1600-h/clip_image031%25255B4%25255D%25255B2%25255D.png)
Click ok and apply the police and see how it should show in the report.
![clip_image033[4]](http://lh3.googleusercontent.com/-DPqbaN1ZHfY/VUiq_PbguRI/AAAAAAAAOlU/lbn13GmAcqE/s1600-h/clip_image033%25255B4%25255D%25255B2%25255D.png)
Once this is done and policy is applied among all clients you should have no problem and it should show first on the DC where you applied the policy.
