
DNS & AD site considerations for creating two way trust


gmail2 (Programmer, IE, member since Jun 15, 2005)
Hi All

We're currently beginning to migrate from a 2003 domain to a 2008 R2 domain. In the interim we want to create a two-way trust between the current domain and the new one.

We're also restructuring our network, so the 2008 servers are in separate subnets from the 2003 ones (all routing is correct and confirmed OK). The trust will only be created so that we can grant users in the new domain permissions to resources in the current domain, and only in one site. So, my questions are:

1. In 2003, do I need to configure AD sites/subnets for the subnets that the new servers are in?

2. In 2003, I guess I need to create a secondary zone so that the DC in head office (where the only 2008 DC is currently located) can resolve addresses for the new domain. Will a stub zone suffice?

3. Should I integrate the above zone into AD? We have a number of branch offices with their own DCs, but the trust is only being created to grant permissions to resources in HQ. Nonetheless, will the branch DCs want to be able to resolve the addresses for the 2008 domain? And will they occasionally try to contact the 2008 DC (this is currently blocked on our firewalls)?

Hope I've explained all this OK? I did try googling this but it's mainly coming up with metadata cleanup stuff (not too sure why!).

Thanks in advance

 
So basically the 2008 boxes are in a new domain in a new forest and you are going to migrate your users from the 'old' 2003 domain to your Windows 2008 setup? Once you've migrated you'll decommission the 2003 domain?

If so:

1. No.

2. Use conditional forwarders on your current DCs for the new domain name and point the forwarder to your new 2008 DC.

3. If the branch offices don't require access to resources in HQ then no. But what is your AD like in your branch offices? You say they have their own DCs; does that mean they have their own domain in each branch office?

Any reason you are migrating to W2K8 instead of upgrading your current domain?

Paul
VCP4

 
gmail2,

1. It's not necessary to set up the new domain's subnets in the old domain's Sites and Services. You will not gain any improvement.
However, if you want all requests from the new domain to be forwarded to a specific site / DC, then you may want to do so.
2. Conditional forwarding on the DNS servers will do the job.
3. If you set up conditional forwarding the question will not be applicable. Please note that if any workstations / servers in branch offices will need access to resources in the new domain, you will need to open AD ports (LDAP, GC, Kerberos etc.) plus any ports required to access resources (SMB, SQL etc.).

Hope this helps.
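The two answers above both come down to the same two tasks: a conditional forwarder on the 2003 DNS servers for the new forest's zone, and confirming that the AD and resource ports are actually reachable from any site that needs the trust. The script below is an added example for this thread, not something either poster supplied. It uses dnscmd.exe rather than the DnsServer PowerShell cmdlets because those cmdlets (and Test-NetConnection, New-ADReplicationSubnet) only shipped with Server 2012; dnscmd and the .NET TcpClient class work on 2003 and 2008 R2. The zone name newcorp.local, the new DC address 10.20.0.10 and the HQ DNS server name HQDC01 are assumed placeholders, as is the port list, which is the standard trust/resource set rather than anything the thread spells out.

```powershell
# Added example, not from the original thread. Configures a conditional
# forwarder on an existing 2003/2008 R2 DNS server for the new forest, checks
# that the DC locator record resolves through it, then probes the ports a
# two-way trust and HQ resource access need from wherever this is run.
# All names and addresses below are assumptions; replace them with your own.

$newZone = 'newcorp.local'   # assumed DNS name of the new 2008 R2 forest
$newDc   = '10.20.0.10'      # assumed address of the 2008 R2 DC
$oldDns  = 'HQDC01'          # assumed 2003 DNS server / DC at head office

# 1. Conditional forwarder: only queries for $newZone go to the new DC.
#    Without /DsPrimary the forwarder is stored locally on $oldDns, so branch
#    DNS servers keep resolving the new forest only if you add it there too.
& dnscmd.exe $oldDns /ZoneAdd $newZone /Forwarder $newDc

# 2. The trust wizard looks up the DC locator SRV record, not just an A record,
#    so verify that is what the forwarder returns.
& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$newZone" $oldDns

# 3. TCP probe of the ports the trust and resource access depend on.
#    Run this from a branch DC to see what the firewall (answer 3 above)
#    currently blocks towards the new domain.
$ports = @{
    53   = 'DNS (forwarder target)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (trust creation, NetLogon)'
    389  = 'LDAP'
    445  = 'SMB (file shares, NetLogon, SYSVOL)'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $async = $client.BeginConnect($newDc, $p, $null, $null)
        # Two-second timeout; EndConnect throws if the port is refused.
        if ($async.AsyncWaitHandle.WaitOne(2000, $false)) {
            $client.EndConnect($async)
            $open = $true
        }
    } catch {
        $open = $false
    } finally {
        $client.Close()
    }
    '{0,5}  {1,-45} {2}' -f $p, $ports[$p], $(if ($open) { 'open' } else { 'BLOCKED' })
}

# Caveat: Kerberos and DNS also use UDP 88/53, and RPC-based operations
# (trust creation, NetLogon, replication) need the dynamic RPC range
# (49152-65535 on 2008 R2, 1025-5000 on 2003). A TCP probe of the fixed
# ports above does not prove those are open.
```

If you later decide you do want the new subnets in the old forest's Sites and Services (the optional case in answer 1), that is a separate step done in the Sites and Services MMC on the 2003 side; the forwarder and port checks above are needed either way.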
 