Networking Forums


2 AD domains same physical switches and router ?

 
 
news.microsoft.com
Guest
Posts: n/a

 
      07-15-2007, 03:34 PM
We are looking at merging one of our remote sites into our AD. Currently the
remote site's resources live on our parent company's domain and we access via
trusts.

What I'm after help on is the best way to do this.

I'm not really wanting to have to put static DNS entries onto the client
PCs as we have quite a few laptops, which means users would have to change
these if they want to use broadband etc. Is the long-term best option to
invest in some new hardware router/firewall and keep our AD isolated?

TIA


 
 
 
 
 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      07-16-2007, 12:01 AM
In news:(E-Mail Removed),
news.microsoft.com <(E-Mail Removed)> typed:
> We are looking at merging one of our remote sites into our AD.
> Currently the remote site's resources live on our parent company's
> domain and we access via trusts.
>
> What I'm after help on is the best way to do this.
>
> I'm not really wanting to have to put static DNS entries onto the
> client PCs as we have quite a few laptops, which means users would
> have to change these if they want to use broadband etc. Is the
> long-term best option to invest in some new hardware router/firewall
> and keep our AD isolated?
> TIA


I believe the operative term is migrate, not merge, that is if you want the
workstations and user accounts to be part of your Active Directory
infrastructure. Keep in mind, you can't just toggle a laptop from one domain
to another that easily. From your description, I am not sure if this is
your goal. Do you want to join them to your domain and leave the parent?

Also, when you say parent domain, is this an actual parent domain in the
same forest?

In an intra-forest migration, ADMT tool can migrate the user from one domain
to another as well as computer accounts. For both of these objects, it will
copy the accounts to the target domain, then delete the accounts in the
source domain. They will no longer exist in the source.

If you want to keep them in the 'parent' domain (assuming the parent is an
actual intra-forest parent domain), then all you have to do is bring the
laptops in to your network and they will easily "find" their domain
resources through your DNS servers specified in your own DHCP scope, that is
assumingly as long as your DNS infrastructure is configured and designed
properly and resolving everything properly in the forest (as it should be in
such an infrastructure) so there will be nothing to fear.

If what I posted is not what you wanted to hear, then I apologize for
misunderstanding your post. If this is the case, please reply back and
elaborate exactly as to what your intentions are, such as is this a true
migration or do you just want to allow those users to get to your resources,
their own resources, etc and is this with or without disjoining/joining your
domain?


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain


 
 
Bill Grant
Guest
Posts: n/a

 
      07-16-2007, 06:59 AM


I can see why Ace's post contained a lot of questions. You seem to be a
bit confused about how this all works. What does domain membership have to
do with Internet access?


There is no real problem with having a remote site containing members of
your domain. AD was designed to handle this sort of setup. And there is no
real problem with DNS or with Internet access. The site can have its own
direct connection to the Internet and have site to site routing for
domain-related traffic. DNS can be easily handled by making the DNS servers
in both sites secondaries for the "other" site. Each site DNS server can
then resolve names of machines in either site directly. Changes to DNS at
either site will replicate to the other.

Moving the machines in a site from one domain to another is a separate
issue, as Ace has pointed out.


 
 
news.microsoft.com
Guest
Posts: n/a

 
      07-16-2007, 08:21 PM
Thanks Guys.

I'll try to explain a little better.

The parent company is not a parent domain. We have moved away from them and
now have our own AD with sites around the world. Most of our sites are on
our hardware but we have a couple who are still piggybacking as part of the
other company's domain.

At the moment our clients and servers are on our parent company's domain. We
aim to split completely the clients and servers on this site and migrate to
ours. We are going to migrate them to our AD domain but I'm not 100% sure
what is the best way to point them to our DNS servers.

If we keep them on the parent company's physical switches our clients will
obtain their DNS server IPs. We cannot have 2 DHCP servers on the current
infrastructure, one on their domain and one on ours, so I can only see 2
options. Purchase new switches, firewall etc. or put in static DNS entries
into the clients.

Hope this makes it a bit clearer.





 
 
news.microsoft.com
Guest
Posts: n/a

 
      07-16-2007, 09:15 PM
Thanks for the reply,

The only thing is that we are trying to move away from relying on the parent
company's IT, so by having to utilise their DHCP we aren't achieving this.

Would we have to create a forest trust between the 2 domains in order for
DNS to replicate?



 
 
news.microsoft.com
Guest
Posts: n/a

 
      07-16-2007, 09:17 PM
Also, would we publish all DNS servers in the DHCP?



 
 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      07-17-2007, 03:44 AM
In news:%23uSmb5%(E-Mail Removed),
news.microsoft.com <(E-Mail Removed)> typed:
> Also, would we publish all DNS servers in the DHCP?


If you are trying to coexist, the best bet is to make secondaries of each
others' domains in each others' DNS servers. You can then choose yours or
their DNS. If it is on your physical LAN, of course I would choose yours.
You will of course have a copy of their zone so their client can find their
own resources.

And no, I wouldn't specify all DNS servers in DHCP Option 006. That is way
overkill and frankly they may never see past the first one in many cases.

Do you need a two way trust? Ask yourself if your clients are accessing
their resources and vice-versa. If yes to one or the other or both, then
that would answer that question and indicate which way to make the trust.
And Forest trusts are DNS based and must be Windows 2003 in 2003 levels.
2000 levels you are stuck with specific domain to specific domain NetBIOS
trusts. You will need to make sure WINS is partnered with each other. A good
reason to start with for a trust anyway!

Ace
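
An added example, not written by any poster in this thread: a Python check that parses `ipconfig /all` output collected from clients and flags adapters whose DHCP lease or DNS servers (what DHCP Option 006 hands out) come from servers outside your own list, plus adapters with statically configured DNS. The sample output, all addresses and names, and the approved-server lists are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: `ipconfig /all` from a laptop with one NIC still on the
# other company's switches (every name and address here is made up).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP01
   Primary Dns Suffix  . . . . . . . : ours.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : parent.example
   Description . . . . . . . . . . . : Constructed Gigabit NIC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.20.0.57(Preferred)
   DHCP Server . . . . . . . . . . . : 10.20.0.5
   DNS Servers . . . . . . . . . . . : 10.20.0.5
                                       10.20.0.6

Ethernet adapter Docking Station:

   Description . . . . . . . . . . . : Constructed Dock NIC
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.50.0.40(Preferred)
   DNS Servers . . . . . . . . . . . : 10.50.0.10

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Constructed Wireless NIC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.50.1.23(Preferred)
   DHCP Server . . . . . . . . . . . : 10.50.0.11
   DNS Servers . . . . . . . . . . . : 10.50.0.10
"""

# Unindented line ending in ':' starts an adapter section.
HEADER = re.compile(r"^(\S.*):\s*$")
# Indented "Label . . . . : value" line; the dotted leader is required so that
# continuation lines holding only an address are not mistaken for fields.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)(?:\s*\.)+\s*:\s*(?P<val>.*)$")


def parse_adapters(text):
    """Return [{'name': str, 'fields': {label: [values]}}] per adapter."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current = {"name": header.group(1), "fields": {}}
            adapters.append(current)
            last_key = None
            continue
        if current is None:          # global section before the first adapter
            continue
        field = FIELD.match(line)
        if field:
            last_key = field.group("key").strip()
            value = field.group("val").strip()
            current["fields"][last_key] = [value] if value else []
        elif last_key:               # extra DNS servers wrap onto bare lines
            current["fields"][last_key].append(line.strip())
    return adapters


def _ips(values):
    """Parse address strings, dropping suffixes such as '(Preferred)' or '%11'."""
    found = []
    for value in values:
        try:
            found.append(ipaddress.ip_address(value.split("(")[0].split("%")[0]))
        except ValueError:
            pass
    return found


def audit(text, approved_dns, approved_dhcp):
    """Return (adapter, issue, address) tuples for settings that are not ours."""
    approved_dns = {ipaddress.ip_address(a) for a in approved_dns}
    approved_dhcp = {ipaddress.ip_address(a) for a in approved_dhcp}
    findings = []
    for adapter in parse_adapters(text):
        fields = adapter["fields"]
        dns = _ips(fields.get("DNS Servers", []))
        if not dns:
            continue
        if " ".join(fields.get("DHCP Enabled", [])).lower() == "yes":
            for server in _ips(fields.get("DHCP Server", [])):
                if server not in approved_dhcp:
                    findings.append((adapter["name"], "foreign-dhcp", str(server)))
        else:
            # Static DNS follows the laptop off-site, the concern raised above.
            findings.append((adapter["name"], "static-dns", ", ".join(map(str, dns))))
        for server in dns:
            if server not in approved_dns:
                findings.append((adapter["name"], "foreign-dns", str(server)))
    return findings


if __name__ == "__main__":
    for name, issue, address in audit(SAMPLE_IPCONFIG, ["10.50.0.10"], ["10.50.0.11"]):
        print(f"{issue:13} {address:12} {name}")
```
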




 
 
Bill Grant
Guest
Posts: n/a

 
      07-17-2007, 03:49 AM
As a personal opinion, I would move them completely off the existing
network and put them on your own switch with its own IP subnet. If the
existing switch supports VLANs you could probably get the techies to set up
your machines on a VLAN, but I would look at running it on your own hardware
as an AD site with no physical connection to the existing LAN. You would
have your own DNS and your own DHCP and your own network link to the
Internet and/or other sites.



 
 
news.microsoft.com
Guest
Posts: n/a

 
      07-17-2007, 07:58 AM
Thanks again guys.

I was thinking of going down the line of separate entities as the whole
point of this migration was to move away from using any of their resources.
We are also trying to eliminate the requirements for any kind of forest
trusts.

Regards


"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> As a personal opinion, I would move them completely off the existing
> network and put them on your own switch with its own IP subnet. If the
> existing switch supports VLANs you could probably get the techies to set
> up your machines on a VLAN, but I would look at running it on your own
> hardware as an AD site with no physical connection to the existing LAN.
> You would have your own DNS and your own DHCP and your own network link to
> the Internet and/or other sites.
>
> "news.microsoft.com" <(E-Mail Removed)> wrote in message
> news:e6GSRa%(E-Mail Removed)...
>> Thanks Guys.
>>
>> I'll try to explain a little better.
>>
>> The parent company is not a parent domain. We have moved away from them
>> and now have our own AD with sites around the world. Most of our sites
>> are on our hardware but we have a couple who are still piggy back part of
>> the other company's domain.
>>
>> At the moment our clients and servers are on our parent company's domain.
>> We aim to split completely the clients and servers on this site and
>> migrate to ours. We are going to migrate them to our AD domain but I'm
>> not 100% sure what is the best way to point them to our DNS servers.
>>
>> If we keep them on the parent company's physical switches our clients
>> will obtain their DNS server IPs. We cannot have 2 DHCP servers on the
>> current infrastructure, one on their domain and one on ours so I can only
>> see 2 options. Purchase new switches, firewall etc or put in static DNS
>> entries into the clients.
>>
>> Hope this makes it a bit clearer.
>>
>>
>>
>>
>> "Bill Grant" <not.available@online> wrote in message
>> news:e%(E-Mail Removed)...
>>>
>>> "Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
>>> news:%(E-Mail Removed)...
>>>> In news:(E-Mail Removed),
>>>> news.microsoft.com <(E-Mail Removed)> typed:
>>>>> We are looking at merging one of our remote sites into our AD.
>>>>> Currently the remote site's resources live on our parent company's
>>>>> domain and we access via trusts.
>>>>>
>>>>> What I'm after help on is the best way to do this.
>>>>>
>>>>> I'm not really wanting to have to put static DNS entries onto the
>>>>> client PCs as we have quite a few laptops which means users would
>>>>> have to change these if they want to use broadband etc. Is the
>>>>> long-term best option to invest in some new hardware router/firewall
>>>>> and keep our AD isolated?
>>>>> TIA
>>>>
>>>> I believe the operative term is migrate, not merge, that is if you want
>>>> the workstations and user accounts to be part of your Active Directory
>>>> infrastructure. Keep in mind, you can't just toggle a laptop from one
>>>> domain to another that easily. From your description, I am not sure if
>>>> this is your goal. Do you want to join them to your domain and leave
>>>> the parent?
>>>>
>>>> Also, when you say parent domain, is this an actual parent domain in
>>>> the same forest?
>>>>
>>>> In an intra-forest migration, ADMT tool can migrate the user from one
>>>> domain to another as well as computer accounts. For both of these
>>>> objects, it will copy the accounts to the target domain, then delete
>>>> the accounts in the source domain. They will no longer exist in the
>>>> source.
>>>>
>>>> If you want to keep them in the 'parent' domain (assuming the parent is
>>>> an actual intra-forest parent domain), then all you have to do is bring
>>>> the laptops in to your network and they will easily "find" their domain
>>>> resources through your DNS servers specified in your own DHCP scope,
>>>> that is assumingly as long as your DNS infrastructure is configured and
>>>> designed properly and resolving everything properly in the forest (as
>>>> it should be in such an infrastructure) so there will be nothing to
>>>> fear.
>>>>
>>>> If what I posted is not what you wanted to hear, then I apologize for
>>>> misunderstanding your post. If this is the case, please reply back and
>>>> elaborate exactly as to what your intentions are, such as is this a
>>>> true migration or do you just want to allow those users to get to your
>>>> resources, their own resources, etc and is this with or without
>>>> disjoining/joining your domain?
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Ace
>>>>
>>>> This posting is provided "AS-IS" with no warranties or guarantees and
>>>> confers no rights.
>>>>
>>>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
>>>> Microsoft MVP - Directory Services
>>>> Microsoft Certified Trainer
>>>>
>>>> Infinite Diversities in Infinite Combinations
>>>>
>>>>
>>>
>>> I can see why Ace's post contained a lot of questions. You seem to be
>>> a bit confused about how this all works. What does domain membership
>>> have to do with Internet access?
>>>
>>>
>>> There is no real problem with having a remote site containing members
>>> of your domain. AD was designed to handle this sort of setup. And there
>>> is no real problem with DNS or with Internet access. The site can have
>>> its own direct connection to the Internet and have site to site routing
>>> for domain-related traffic. DNS can be easily handled by making the DNS
>>> servers in both sites secondaries for the "other" site. Each site DNS
>>> server can then resolve names of machines in either site directly.
>>> Changes to DNS at either site will replicate to the other.
>>>
>>> Moving the machines in a site from one domain to another is a
>>> separate issue, as Ace has pointed out.
>>>

>>
>>

>
>
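
The concern raised in this post is that clients left on the parent company's switches lease that company's DNS servers from its DHCP. As an added example (not part of any post in this thread), the PowerShell check below, run on a client after it has been moved to your own subnet or VLAN, reports which DNS servers each active interface received and whether each one returns domain controller SRV records for your AD domain. The domain name and server addresses are placeholder assumptions.

```powershell
# Placeholder values (assumptions, not from the thread): replace with your own.
$AdDomain      = 'corp.example.com'              # your AD DNS domain name
$OurDnsServers = @('10.20.0.10', '10.20.0.11')   # DNS servers your own DHCP scope hands out

function Test-ClientDnsForDomain {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $ExpectedDns
    )
    # Only inspect interfaces that are up and have an IPv4 default gateway.
    $configs = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' }

    foreach ($cfg in $configs) {
        $idx  = $cfg.InterfaceIndex
        $dhcp = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4).Dhcp
        $dns  = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses)

        foreach ($server in $dns) {
            # Ask this specific server for the DC locator SRV record of the domain.
            $findsDc = $false
            try {
                $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $server -DnsOnly -ErrorAction Stop
                $findsDc = [bool]($records | Where-Object { $_.Type -eq 'SRV' })
            } catch {
                $findsDc = $false   # timeout, NXDOMAIN or refused query
            }

            [pscustomobject]@{
                Interface              = $cfg.InterfaceAlias
                Dhcp                   = $dhcp                        # Enabled or Disabled
                DnsServer              = $server
                IsOurs                 = $ExpectedDns -contains $server
                FindsDomainControllers = $findsDc
            }
        }
    }
}

Test-ClientDnsForDomain -Domain $AdDomain -ExpectedDns $OurDnsServers | Format-Table -AutoSize
```

A row with `IsOurs` set to False means the client is still taking its DNS settings from a DHCP server outside your scope; a row with `FindsDomainControllers` set to False means that server cannot locate your domain controllers, so domain logons from that client will fail or fall back to cached credentials.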



 
 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      07-17-2007, 10:32 PM
In news:%(E-Mail Removed),
news.microsoft.com <(E-Mail Removed)> typed:
> Thanks again guys.
>
> I was thinking of going down the line of separate entities as the
> whole point of this migration was to move away from using any of
> their resources. We are also trying to eliminate the requirements for
> any kind of forest trusts.
>
> Regards


At least now you have some perspective from Bill and me with what you are
facing and what to expect. Good luck with everything!

Ace


 