
2 different AD domains, 1 physical lan


  • 2 different AD domains, 1 physical lan

    Hi guys,

    I find myself solving the following problem.

    1 lan 192.168.22.x
    2 AD DC2008r2, each with DNS; (call it AD1)
    everything is running fine
    dhcp is done via cisco router

    1 lan, separate from the 1st one
    1 domain controller server2003 (call it AD2)
    1 server joined to this domain (call it tfs2)
    dhcp is provided by AD2 DC2003


    I want to simplify the problem. However, I cannot get rid of AD2 and tfs2;
    authentication on tfs2 is done via AD2 credentials.

    I want to have 1 single lan, with dhcp provided by cisco router
    I want to still be able to authenticate on server tfs2 (which needs AD2 credentials);

    How should I approach this?
    my idea was:
    1) Put AD2 on the same lan with AD1; give AD2 DC2003 + tfs server static IPs.
    This should work without too much hassle, correct?

    2) Step 2: is it possible to migrate users from AD2 DC 2003 to AD1 DC2008R2 and have authentication on the TFS server still working?

    Looking forward to some replies and ideas and hope I was clear enough.
    Thank you all in advance for your support.


  • #2
    Re: 2 different AD domains, 1 physical lan

    Changing IPs on AD2 systems is not a problem. Schedule a maintenance window, re-IP,
    and make sure all DNS records are updated.

    Migration from AD2 to AD1: use ADMT. Not a huge task and doable. Download the ADMT guide from MS.
    JM @ IT Training & Consulting


    • #3
      Re: 2 different AD domains, 1 physical lan

      Hi and thanks for your fast reply,

      My question is, will importing users from AD2 DC2003 to AD1 DC2008R2 still allow access to the TFS server? Even though TFS would be part of the AD2 domain, can old AD2 users migrated to AD1 still connect to AD2?

      This is what is still unclear to me.

      Thanks in advance.


      • #4
        Re: 2 different AD domains, 1 physical lan

        Yes, one of the most important reasons to migrate with ADMT is to capture the SID and store it in the sidHistory attribute. So when a user object is migrated from one domain to another, it will have two SIDs. Having the original SID is the key to maintaining access to resources in the source domain. Without it, ALL ACLs would have to be updated. You really should read over the ADMT guide. There are several steps required to get it configured. You need trusts, DNS resolution, registry edits if you'll be migrating passwords, ADMT installation, etc.
        JM @ IT Training & Consulting
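        A post-migration check for the sidHistory point made in #4, added here as an example (not code from the thread or from Microsoft's ADMT guide). It lists every AD2 SID that a resource ACL still grants rights to and reports whether some AD1 user now carries that SID in sidHistory; any AD2 SID not covered is one whose ACL entry has to be updated by hand. The domain name, AD2 domain SID and resource path are placeholders, and it assumes the ActiveDirectory PowerShell module.

        ```powershell
        # Added example: verify sidHistory coverage of an AD2 resource ACL after ADMT.
        # Placeholders (replace before use): $TargetDomain, $SourceDomainSid, $ResourcePath.
        Import-Module ActiveDirectory

        $TargetDomain    = 'ad1.example.local'        # placeholder: AD1 domain (migration target)
        $SourceDomainSid = 'S-1-5-21-1111-2222-3333'  # placeholder: AD2 domain SID (Get-ADDomain on AD2)
        $ResourcePath    = '\\tfs2\TfsData'           # placeholder: a resource on tfs2 ACL'd to AD2 users

        # 1. Map every AD2 SID carried in sidHistory by a migrated AD1 user to that user.
        $historySids = @{}
        Get-ADUser -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' -Properties SIDHistory |
            ForEach-Object {
                $user = $_
                foreach ($sid in $user.SIDHistory) {
                    if ($sid.Value -like "$SourceDomainSid-*") {
                        $historySids[$sid.Value] = $user.SamAccountName
                    }
                }
            }

        # 2. Walk the resource ACL. Each ACE identity is translated to a SID; an ACE that
        #    cannot be resolved at all is itself a sign the original account is gone.
        $acl = Get-Acl -Path $ResourcePath
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                Write-Warning "Cannot resolve ACE identity '$($ace.IdentityReference)' on $ResourcePath"
                continue
            }
            if ($sid -notlike "$SourceDomainSid-*") { continue }   # not an AD2 principal

            if ($historySids.ContainsKey($sid)) {
                "OK      $sid ($($ace.FileSystemRights)) still honoured via sidHistory of $($historySids[$sid])"
            } else {
                "RE-ACL  $sid ($($ace.FileSystemRights)) no AD1 user carries this SID; update the ACL"
            }
        }
        ```

        Groups migrated with ADMT keep their old SID in sidHistory the same way, so run the same check with Get-ADGroup for ACEs that grant rights to AD2 groups.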


        • #5
          Re: 2 different AD domains, 1 physical lan

          Also, you will no doubt have a Forest Trust in place, which will allow authentication across both AD forests, providing you do not restrict it.