Making a new AD domain out of an existing production AD on new network

By scarface29
Hi. I've been browsing around here for some time and I always get good information out of here. Today I am looking for some specific help with this scenario.

I have an AD domain which we are currently hosting several applications out of. The apps are slated to be decommissioned in 8 months. As a result I'm consolidating servers and services to a much smaller and different network. I don't want to have to recreate a different AD for this as I need to keep the user accounts intact. I also can't just move the existing DCs as I can't move anybody over to the new network until I have the new infrastructure up and running and tested.

Can I just take one of the DCs from the existing prod AD, move it to the new network, seize all the FSMO roles and use that as my new AD? Is there a better way of doing this? Are there any particular issues I should be concerned about in doing this? Any help or advice would be great.


All Answers


you don't need to create a different domain...

by CG IT In reply to Making a new AD domain ou ...

and yes, you can take one of the existing DCs and use it on the test network, but you don't seize any roles.

Real question is what's your plan? If you're going to create a whole new network with all new equipment, then I would plan it for a whole new addressing scheme and make the test network that subnet. Also make it a site in AD when the time comes to move to the new network. As a site, you can replicate AD to the test network, then just change over clients and other servers to the new subnet.


The plan

by scarface29 In reply to you don't need to create ...

I'm moving my applications from one IP network to another. I have several hundred users connected to those apps who are authenticated via AD. I want to be able to build out the new network with the existing AD forest so I can keep all those user objects.

Once the environment is built out, I will have users point to that new IP network while still using their original IDs and credentials. Once that is working well I will decommission the original environment.

Why don't I need to seize the FSMO roles? I thought I needed that to be able to fully manage the domain?


Good plan...

by bart777 In reply to The plan

You would just need to configure the router to point to the new network and have all of the users do the required testing.

Once the tests confirm the apps and servers, you can transfer the FSMO roles and demote the old DCs. You would want to leave the roles in place until the testing is complete and passes. You don't want to add another potential layer for errors to occur during the test phase.

One other thing you may want to do is set up your DHCP with short lease cycles. No more than 8 hours. That way, when you are ready to kill the old network, every PC will have a new address on the new network by the time they come in the next morning.

Best of luck.


Good tips

by scarface29 In reply to Good plan...

Thanks for the advice. It's nice to run this kind of stuff through someone else. I will definitely take your advice on this stuff.


If you seize roles

by CG IT In reply to The plan

then the test network becomes the production network, because the FSMO roles which are necessary for the AD to work are now on the test network.

If you make the test network a site in AD [its own subnet], then when you want to change over, you can allow replication between the DCs. Then it's simply a matter of transferring roles to the new DCs, changing DNS servers and retiring old DCs.


exactly what I want

by scarface29 In reply to If you seize roles

That is exactly what I want. My test network to become my prod network. But I like your idea. I think I will try the route of making a site in AD and then just transferring the roles when I want to cut over.

Thanks for the help.


yes but a word of caution

by CG IT In reply to exactly what I want

you can make a test network a site [separate subnet], but for the sake of testing, you can't allow traffic between the test network and your production network. They must be kept separate. That's so something that breaks the test network isn't accidentally introduced into the production network.

I suggest that you read this MS TechNet article and associated articles on AD replication.
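The site-then-transfer sequence CG IT and bart777 outline above, written out as an added PowerShell example (not code from the thread or from any poster). It assumes the ActiveDirectory and DhcpServer modules on Windows Server 2012 or later; the site name, subnet, DC name and DHCP scope ID are placeholders.

```powershell
# Added example: cut-over from an old network to a new one inside the SAME forest,
# using an AD site for the new subnet and a graceful FSMO transfer, never a seize.
# Names and address ranges below are assumptions for illustration only.
Import-Module ActiveDirectory

$newSite   = 'NewNetwork'     # the new IP network becomes its own AD site
$newSubnet = '10.20.0.0/16'   # assumed address range of the new network
$newDC     = 'DC-NEW01'       # DC promoted into the existing forest on the new network

# 1. Register the new network as a site with its own subnet, so clients there locate
#    a local DC and replication with the old site runs over a site link.
New-ADReplicationSite   -Name $newSite
New-ADReplicationSubnet -Name $newSubnet -Site $newSite
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $newSite}

# 2. Place the new DC in that site.
Move-ADDirectoryServer -Identity $newDC -Site $newSite

# 3. Confirm replication is healthy before touching any role; fix failures here first.
repadmin /replsummary
repadmin /showrepl $newDC

# 4. Only after testing passes: TRANSFER all five roles to the new DC. Without -Force
#    the current holder must be online and hands the role over cleanly; -Force (seize)
#    is reserved for a holder that is permanently gone, which is not this scenario.
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 5. Verify every role now reports the new DC before demoting the old ones.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 6. bart777's tip: shorten leases on the old network's scope (run on that DHCP server,
#    scope ID assumed) so clients re-address within a working day once it is switched off.
Set-DhcpServerv4Scope -ScopeId '10.10.0.0' -LeaseDuration (New-TimeSpan -Hours 8)
```

Step 5 is the check that matters: if any role still names an old DC, demoting that DC would leave the domain without the role holder that CG IT warns the directory depends on.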
