Part 2 of this series of posts will deal with the basics, like making sure name resolution works, setting up the necessary trusts and configuring SID History and SID Filtering.
First things first. We’ll need to resolve names across our two forests, and that means setting up DNS. In my case we set up Stub Zones pointing to the separate domains, i.e. the DNS server in the olddomain.local domain had a stub zone pointing to the newdomain.local domain, and vice versa. We set it up like so:
- Open DNS Management on a DNS server in olddomain.local
- Expand Forward Lookup Zones under DNS
- Right-click Forward Lookup Zones and select New Zone
- The New Zone Wizard will appear. Click Next
- Select Stub Zone and click Next
- Select the option to store the Zone in AD
- Choose to replicate the zone to all domain controllers in olddomain.local
- Name the zone newdomain.local and click Next
- Add the IP of an DNS server authoritative for the newdomain.local domain. Select the option to “Use the above servers to create…”
- Verify your settings and click Finish to exit the wizard
In order to create a trust we will need to do the opposite on a DNS server in newdomain.local. Once done name resolution will be working across both forests.
Setting up a Forest Trust
Now we’re getting somewhere – time to set up the trust. Ensure you have administrative credentials in both domains.
- Open Active Directory Domains and Trusts in olddomain.local
- Right-click – Properties on the domain name for the forest root domain for which you want to create a trust
- On the Trusts tab, click New Trust, then click Next
- Type the DNS name (newdomain.local) of the forest root domain of the other domain. Click Next
- Select Forest on the Trust Type screen. Click Next
- Select Two-Way when prompted for the Direction of Trust
- Select “Both this domain and the specified domain” when prompted for the Sides of Trust. Click Next
- Enter the credentials for the newdomain.local domain. Click Next
- Select Forest-wide authentication. Click Next
- Confirm the trust (specify credentials when prompted)
- Click Finish to exit the Wizard
Both forests now trusts each other. Strictly speaking this is more permissive than what is required. I always do it this way to prevent chasing down possible issues and because I try and keep the co-existence phases as short as possible.
Enabling SID History / Disabling SID Filtering
This is the final part of laying the groundwork. Security principals in Active Directory have an attribute, called SID history, to which domain administrators can add users’ old security identifiers (SIDs). This is useful in our case because we then do not need to modify access control lists (ACLs) on large numbers of resources and users can use their old SIDs to access resources. We do it like so (all commands to be entered on one line from a DC in either domain):
- netdom trust newdomain.local /domain:olddomain.local /twoway /enablesidhistory:Yes /usero: olddomain\administrator /passwordo:*******
- netdom trust olddomain.local /domain:newdomain.local /twoway /enablesidhistory:Yes /usero: newdomain\administrator /passwordo:*******
This enabled SID history. Now we disable SID Filtering
- netdom trust olddomain.local /domain:newdomain.local /twoway /quarantine:no /usero:olddomain\administrator /passwordo:*******
- netdom trust newdomain.local /domain:olddomain.local /twoway /quarantine:no /usero:newdomain\administrator /passwordo:********
We have now laid the foundation for our migration. In the next post we will have a look at a couple of things, including installing ADMT and configuring the Password Export Server.