Forest Root Domain Location??

Guest

Hey guys, let me lay a little ground work on this so you can give your ideas.

I was hired to help a company migrate from NT 4.0/Exchange 5.5 to Windows 2000/Exchange 2000. This company is spread out over three sites, each site being its own NT 4.0 style domain with its own Exchange server. All the NT 4.0 domains have trusts built between them and the Exchange 5.5 systems in all three domains are part of the single Exchange organization for the entire company. The three sites are Los Angeles, Wales, and Houston with Los Angeles being the largest and main corporate site. Wales and Houston have people who run IT, but generally they do day to day and escalate to us in LA if they get in over their head.

So, the easiest thing to do is to upgrade one of the domains and make the other two child domains. That way I don't have to merge any accounts and since the administrative model is distributed to the three sites already, it makes sense to make each site a domain to allow them to have complete administrative control (after all, I don't want to add more than I have to to my plate when they're quite capable of handling it).

OK, so here's the sticky part. The IT team in Wales took it upon themselves to upgrade their NT 4.0 domain to Windows 2000 Active Directory. That makes it a little more complicated because now I have a forest root domain already established in Wales..it's our smallest site (about 200 users). So let me share my instincts..my instincts say that the Forest root domain should be at the main site in Los Angeles and that I should take the pain to merge the two forests together later OR I could make the LA office a child domain of the one in Wales. Technically, I can't think of any reason why I shouldn't just make LA a child..but something just doesn't seem right. For example, I want the forest wide operations master roles to be where I can get to them no matter what (LA). Can you even transfer the Forest Wide roles to a child domain? Or do they have to stay in the Forest root domain? I have never tried to move them out of the root domain, so I'm not even sure it's possible. Anybody have any ideas at all about this? Any gotchas I should be aware of? Or maybe you can think of some non-technical issues that could bite me later? Any ideas or thoughts would be greatly appreciated.

Sorry about the long post, just trying to be thorough so you can have all the facts.
 
Michael Holzemer

http://www.microsoft.com/technet/tr...dows2000serv/reskit/deploy/part3/chapt-10.asp

You may want to consider making the domains 3 trees in one forest and then
making L.A. the forest root. This is off the top of my head and may not be
the best answer.
--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup

Learn script faster by searching here
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp
 
Guest

Interesting idea. Honestly, in a Windows 2000 domain, I wasn't even aware that you could transfer the forest root to a different domain. Does that simply involve transferring the forest wide FSMO roles to the domain I want to be the root??
 
Michael Holzemer

Jason said:
Interesting idea. Honestly, in a Windows 2000 domain, I wasn't even
aware that you could transfer the forest root to a different domain.
Does that simply involve transferring the forest wide FSMO roles to
the domain I want to be the root??

I believe it is that simple, because there is only one Schema master and one
Domain naming master per forest. Based on the documentation I have read I
see no caveats to moving these roles. Someone here will likely have more to
add and maybe a perfect solution for you.

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup
 
Herb Martin

Jason said:
OK, so here's the sticky part. The IT team in Wales took it upon
themselves to upgrade their NT 4.0 domain to Windows 2000 Active Directory.
That makes it a little more complicated because now I have a forest root
domain already established in Wales..it's our smallest site (about 200
users). So let me share my instincts..my instincts say that the Forest root
domain should be at the main site in Los Angeles and that I

You have three basic choices:
1. (Migrate), destroy and rebuild the Wales domain in the correct forest
2. Leave it separate (or worse: add other domains to the existing Wales forest -- UGGH)
3. Move to Windows 2003 and use Forest trusts (you could just use "external trusts" in Win2000)

The first is usually the right answer.

--
Herb Martin
 
Michael Holzemer

Herb said:
You have three basic choices:
1. (Migrate), destroy and rebuild the Wales domain in the correct forest
2. Leave it separate (or worse: add other domains to the existing Wales forest -- UGGH)
3. Move to Windows 2003 and use Forest trusts (you could just use "external trusts" in Win2000)

The first is usually the right answer.

Just for clarity on my part, why the UGGH on multiple trees in one forest?

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup
 
Guest

Herb

Believe me, I'm totally appreciative of the reply. But why migrate to a new domain versus something else? I really want to know what makes you say that rebuilding the Wales domain to make it a child domain of my LA office is the right answer. See what I mean? (and I thought about the Windows 2003 forest rules trick, but that's going to make it even more complicated once I start adding in Exchange 2000 so I'd rather proceed with the idea of using a Single Windows 2000 server forest..just the best way to get there is the problem.)
 
Michael Holzemer

Jason said:
Herb,

Believe me, I'm totally appreciative of the reply. But why migrate
to a new domain versus something else? I really want to know what
makes you say that rebuilding the Wales domain to make it a child
domain of my LA office is the right answer. See what I mean? (and I
thought about the Windows 2003 forest rules trick, but that's going
to make it even more complicated once I start adding in Exchange 2000
so I'd rather proceed with the idea of using a Single Windows 2000
server forest..just the best way to get there is the problem.)

Check this out.
http://www.microsoft.com/technet/tr.../prodtechnol/ad/windows2000/plan/w2kdomar.asp

and this
http://www.microsoft.com/technet/tr.../prodtechnol/ad/windows2000/plan/bpaddsgn.asp

from the above article:
If multiple domains are implemented as a forest, then one domain should be
identified as the Enterprise Root Domain. This is a special domain in the
Enterprise that cannot be deleted or renamed and the role cannot be
transferred.

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup
 
Joe

I don't think Schema and domain naming master needs to
reside in root. Not sure though. As far as Exchange you
will save a lot of headaches if you make sure you have all
user accounts in one Forest before you even think about
rolling out Exchange 2000

 
Enkidu

Joe said:
I don't think Schema and domain naming master needs to
reside in root. Not sure though.

Yes, those have to be in the root Domain.

Joe said:
As far as Exchange you
will save a lot of headaches if you make sure you have all
user accounts in one Forest before you even think about
rolling out Exchange 2000

I agree.

Cheers,

Cliff
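
Several posts above ask where the forest-wide operations master roles sit. The following is an added example, not code from any poster in this thread: it parses text in the layout printed by `netdom query fsmo` (role label, whitespace, holder FQDN) and lists forest-wide roles held outside the domain you expect. The sample output and the `example.com` names are constructed, and the older label variants are an assumption.

```python
import re

# Forest-wide roles (one holder per forest); the other three are per-domain.
FOREST_ROLES = {"schema master", "domain naming master"}
# Assumed label variants from older netdom builds, normalised to one name.
ALIASES = {"schema owner": "schema master",
           "domain role owner": "domain naming master",
           "pdc role": "pdc",
           "infrastructure owner": "infrastructure master"}
KNOWN = FOREST_ROLES | {"pdc", "rid pool manager", "infrastructure master"}

def parse_fsmo(text):
    """Return {role: holder_fqdn} from `netdom query fsmo` style output."""
    roles = {}
    for line in text.splitlines():
        # Label and holder are separated by a run of two or more spaces.
        m = re.match(r"^\s*(.+?)\s{2,}(\S+)\s*$", line)
        if not m:
            continue
        role = m.group(1).lower()
        role = ALIASES.get(role, role)
        if role in KNOWN:
            roles[role] = m.group(2).lower().rstrip(".")
    return roles

def domain_of(fqdn):
    """DNS domain part of a DC name: dc1.la.example.com -> la.example.com."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""

def audit_forest_roles(text, expected_domain):
    """List forest-wide roles that are missing or held outside expected_domain."""
    roles = parse_fsmo(text)
    findings = []
    for role in sorted(FOREST_ROLES):
        holder = roles.get(role)
        if holder is None:
            findings.append((role, None, "not reported"))
        elif domain_of(holder) != expected_domain.lower():
            findings.append((role, holder, "held outside " + expected_domain))
    return findings

# Constructed sample: forest root in Wales, LA joined as a child domain.
SAMPLE = """\
Schema master               dc1.wales.example.com
Domain naming master        dc1.wales.example.com
PDC                         dc3.la.wales.example.com
RID pool manager            dc3.la.wales.example.com
Infrastructure master       dc3.la.wales.example.com
The command completed successfully.
"""
```
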
 
Enkidu

Sorry, Michael, the original did not reach my mailserver, so I'm
hijacking this post. My apologies.

That would be a good plan. However the admin would be simpler with a
single forest, single tree setup, with three sites. You could then use
OUs and delegate authorities to the OUs to the other sites.
Once the first Windows 2000 DC is created, it becomes the first DC in
the forest root. The Wales team have totally screwed it for you to
create any sort of structure.

What you could do from here is to create a new forest root in LA, and
new sites (in the LA forest root), then migrate the users from the
Wales forest to the new LA forest using one of the MS tools for the
purpose. I'd use separate OUs for the users in each site.

Cheers,

Cliff
 
Guest

Here's another idea, the domain in Wales is in Mixed mode. Why not revert to NT 4.0 and then repromote? I could install an NT 4.0 Domain controller (BDC), then seize the PDC role and decommission the current DC (PDC emulator). If I did that, then I wouldn't have to migrate to a new environment for that domain. Just repromote the new 4.0 PDC to Windows 2000 and make it a child of the root domain in LA.

What do you think about that?
 
