Rebuilding AD from the ground up


  • Rebuilding AD from the ground up

    I have recently started at a company as their Network Administrator. This company has been running for the past 9 months with only a SQL admin as their IT support. My predecessors did not believe in keeping documentation on what they did.

    From first appearances it seems that all they did was an upgrade from an NT 4 domain to 2000 AD, but it's hard to tell exactly what was done. The structure is almost impossible to centrally support, there are entries in the schema that I can't seem to get rid of permanently, and there are dozens of security groups/accounts that nobody seems to know what they are used for (but various homemade apps tend to break when they are deleted).

    We basically have 2 offices, with one DC, one SQL server, and one Exchange 2000 server in each office. Our main office hosts the root ( with all of the accounts and such for that office. Our remote office hosts the sub-domain ( and hosts all of the accounts for that office.

    I would like to rebuild this AD from the ground up so that our main office hosts the root (, with only accounts for administering the forest, and ( which will host all accounts for the company (organized by OUs). I have new hardware to replace the old DC in the main office. I need to keep the same root name as the one I currently have. I am also changing the format of userIDs (basically creating new ones for everyone).

    I'm relatively new to Active Directory myself, but am trying to learn as best I can. I was wondering if anyone has any experience with a similar setup to this. I have ideas on what I should do, but I was hoping someone may have dealt with a situation like this and could tell me if my idea is the right approach to take.

    Here's what I'm looking to do (over 1 weekend):
    1 - Export everyone's email to PST files (both sites)
    2 - Remove all PCs from the domain (both sites)
    3 - Remove all Member servers from the domain (both sites)
    4 - Remove Exchange 2000 from Exchange servers
    5 - Demote child domain DC (remote site)
    6 - Power off old DC (hosting the root), remove from network
    7 - Add new DC (hosting the root)
    8 - Add remote DC to new AD
    9 - Add all Member servers to domain (both sites)
    10 - Add all PCs to domain (both sites)
    11 - Install Exchange 2003 to Exchange Servers
    12 - Set up users on machines and export email back to Exchange servers
    13 - Take vacation!

    I plan on doing a comprehensive backup on every server before the process begins. I've already gotten all the groups and permissions that I will need to set up as well.

    Any help would be greatly appreciated.


  • #2
    Re: Rebuilding AD from the ground up

    Remember to document:
    Groups (and membership)
    Security Permissions
    OU structure
    Group Policies
    Security Policies

    Consider doing a test run first (1 DC, 1 Member Server, 1 Exchange, 1 Workstation) to check everything runs smoothly

    Backup EVERYTHING so you can roll back if you need to!

    Good Luck!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Rebuilding AD from the ground up

      How many user accounts are we talking about?
      If you have more than several dozen, your approach is far from appropriate for this type of scenario - you are expected to break things like:
      1) users not being able to reply to previous emails from inside the Exchange organization
      2) access to files/shares will break and you will have to re-ACL everything
      3) almost all applications using AD for authentication will have to be either reconfigured or re-permissioned
      4) all user profiles will become inaccessible (will not be associated with new SIDs)
      5) the list goes on and on...

      btw, why do you want 2 domains in your AD?
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
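Added example, not code from any poster in this thread: a PowerShell snapshot that captures what #2 says to document (groups and membership, OU structure, GPOs, permissions) keyed by SID, so the breakage #3 describes (every ACL and group entry pointing at a SID that no longer exists after the rebuild) can be mapped back to the new accounts instead of being re-discovered by hand. It assumes a present-day admin workstation with the RSAT ActiveDirectory and GroupPolicy modules, and the output folder and share paths ($OutDir, $SharePaths) are constructed placeholders to adjust.

```powershell
# Added example: snapshot AD objects and share ACLs before a rebuild, keyed by SID.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; $OutDir/$SharePaths are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OutDir     = 'C:\ADRebuild\Snapshot'                      # assumed output location
$SharePaths = @('\\FILESRV01\Data', '\\FILESRV01\Users')   # constructed sample shares
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Groups and direct members. Both SIDs are recorded: the old SIDs are what the
#    broken ACLs and app permissions will still reference after the rebuild.
Get-ADGroup -Filter * -Properties Description | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g | ForEach-Object {
        [pscustomobject]@{
            Group = $g.Name; GroupSID = $g.SID.Value; Scope = $g.GroupScope
            Member = $_.SamAccountName; MemberSID = $_.SID.Value; Class = $_.objectClass
        }
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'groups.csv')

# 2. OU tree with its GPO links, plus a full XML report per GPO (settings and ACLs).
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Select-Object DistinguishedName, gPLink |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ous.csv')
Get-GPO -All | ForEach-Object {
    Get-GPOReport -Guid $_.Id -ReportType Xml -Path (Join-Path $OutDir "gpo-$($_.Id).xml")
}

# 3. Share ACLs, each ACE translated to its SID. 'UNRESOLVED' marks entries that are
#    already orphaned today; after the rebuild every domain entry will look like that,
#    so this file becomes the map for the re-ACL work.
$SharePaths | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Directory -ErrorAction SilentlyContinue
} | ForEach-Object {
    $dir = $_.FullName
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        $sid = try {
            $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { 'UNRESOLVED' }
        [pscustomobject]@{
            Path = $dir; Identity = $ace.IdentityReference.Value; SID = $sid
            Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'share-acls.csv')
```

Run it again after the rebuild and diff the SID columns: any old SID still present in an ACL or group is a permission that was not migrated.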


      • #4
        Re: Rebuilding AD from the ground up

        Personally, before you go through this, I think you should test everything in a lab and then proceed slowly; don't just upgrade everything in one shot.