AD forest issue

Ramanjaneyulu Butharaju 421 Reputation points
2021-03-25T06:54:18.137+00:00

Hello Guys,

I hope everyone is safe in this pandemic situation.

My organization is located in India. We have an AD forest named "in.company.net", and the main DC is located in Branch A.

Active Directory users are integrated with Office 365 using the AAD tool, and we don't have on-premises Exchange servers, so all the mailboxes are in the cloud.

My organization has 200+ USA users who were already created in the "in.company.net" domain. Basically, those 200 people are located in the US region, and their 200+ laptops are in a workgroup; we have not added them to the domain (in.company.net) yet because we don't have a domain controller in the US office.

Now my management is asking us (the IT team) to manage those US laptops: they should be added to the domain, and we should restrict the laptops using Group Policy, the same as in India.

We have a site-to-site connection from India to the US office, but if we create a child domain at the US branch, users can still be logged in to the "in.company.net" domain, since our forest name is "in.company.net".

Since the users are based in the USA, they should log in to the "company.net" domain or the "US.company.net" domain ("IN" should not be present, as the users work in the US branch).

To overcome this, we planned to create a tree domain called "us.company.net" and establish a trust relationship between the two domains (us.mouritech.net and in.company.net).
But again, users would need to log in to the laptop using in.company.net\username, because the USA users were already created in the "in.company.net" domain.

So the solution might be either to delete the USA users in the India domain and create the same accounts anew in the us.company.net domain, or else to migrate those 200+ users to the us.company.net domain.

Can we migrate these 200+ domain users from in.company.net to the us.company.net domain? If so, what about the mailboxes that exist in Office 365?

What challenges might we face, and how can we mitigate them?

Note: I know the forest name should be "company.net", but it was created long ago. Now I can't rename it, and changing it would cause many issues, as we have many applications integrated with Active Directory.
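On the "what about the mailboxes" part of the question above: a cloud mailbox follows the on-premises account through the Azure AD Connect source anchor, not through the account name. The default anchor is ms-DS-ConsistencyGuid (seeded from objectGUID), and the cloud user's ImmutableID is the base64 of those 16 bytes. A user re-created or migrated into us.company.net gets a new objectGUID, so unless the old anchor is carried to the new object, sync sees a new user and the existing mailbox stays bound to the old account. The script below is an added example, not part of the original post or any Microsoft tool; it assumes the RSAT ActiveDirectory module, a trust between the two domains, rights to read the source user and write the target one, and that the target account already exists (created by ADMT or by hand). The domain names and parameter names are placeholders.

```powershell
<#
  Added example, not from the original question. Copies the Azure AD Connect
  source anchor (ms-DS-ConsistencyGuid, or objectGUID if it was never set) from
  the in.company.net account to the matching us.company.net account so the
  cloud mailbox re-attaches to the migrated user instead of a new one.
  Assumptions: RSAT ActiveDirectory module, a trust between the domains, a
  target account with the same sAMAccountName already present. Placeholders:
  both domain names and all parameter names.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$SourceDomain = 'in.company.net',
    [string]$TargetDomain = 'us.company.net',
    [switch]$Commit   # without -Commit this only reports what it would do
)

Import-Module ActiveDirectory

$props = 'mS-DS-ConsistencyGuid', 'userPrincipalName', 'mail'
$src = Get-ADUser -Server $SourceDomain -Identity $SamAccountName -Properties $props
$dst = Get-ADUser -Server $TargetDomain -Identity $SamAccountName -Properties $props

# The anchor that has actually been synced: ConsistencyGuid if set, else objectGUID.
$anchor = $src.ObjectGUID.ToByteArray()
if ($src.'mS-DS-ConsistencyGuid') { $anchor = [byte[]]$src.'mS-DS-ConsistencyGuid' }
$immutableId = [Convert]::ToBase64String($anchor)

# Guard rail 1: the primary SMTP address is what soft-match falls back on, so a
# mismatch here means the mailbox will not line up even with the hard match fixed.
if ($src.mail -ne $dst.mail) {
    throw "mail differs between $SourceDomain and $TargetDomain for $SamAccountName; fix that first"
}
if ($src.UserPrincipalName -ne $dst.UserPrincipalName) {
    Write-Warning "UPN differs; the cloud UPN will change on the next sync after the hard match"
}
# Guard rail 2: never silently overwrite an anchor that already points at another cloud user.
$existing = $dst.'mS-DS-ConsistencyGuid'
if ($existing -and [Convert]::ToBase64String([byte[]]$existing) -ne $immutableId) {
    throw "Target account already carries a different ms-DS-ConsistencyGuid; investigate before changing it"
}

"{0}: source objectGUID {1}, ImmutableID {2}" -f $SamAccountName, $src.ObjectGUID, $immutableId
if ($existing) {
    "Target already has the matching anchor; nothing to do"
} elseif ($Commit) {
    Set-ADUser -Server $TargetDomain -Identity $dst -Replace @{ 'mS-DS-ConsistencyGuid' = $anchor }
    "Stamped ms-DS-ConsistencyGuid on $TargetDomain\$SamAccountName"
} else {
    "Dry run: would stamp ms-DS-ConsistencyGuid on $TargetDomain\$SamAccountName (re-run with -Commit)"
}
```

Two caveats a practitioner would add. First, the source object must leave the Azure AD Connect connector scope (moved to an unsynced OU or deleted) in the same sync cycle that the target object enters it, otherwise two objects carry one anchor and the connector raises a duplicate-attribute error rather than re-matching anything. Second, verify on the cloud side before deleting anything on-premises: with Microsoft Graph PowerShell, `Get-MgUser -UserId user@company.net -Property OnPremisesImmutableId` should return the same base64 value the script printed. Resource access (file shares, application groups) is a separate problem from the mailbox and is what ADMT's sidHistory migration covers.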


1 answer

  1. Adrian Clenshaw 1 Reputation point
    2021-03-28T09:49:49.457+00:00

    There are lots of possible ways of finding a solution to the situation you have described. Without going further into the detail, my advice to you would be to keep things simple. The creation of new forests/domains should be something you carefully consider, as the administrative overhead that you will incur because of this is something that you need to be mindful of.

    There may be compelling reasons to go down that path. For the sort of user numbers you have described, it could be that the simplest solution is to stick with your existing single forest, single domain, and create a sound logical OU structure with an appropriate delegation model for administrative purposes.

    If the domain name itself becomes that much of an issue, you could rename it altogether - something which I would recommend a thorough testing process around. You will also need to work out an effective communications strategy around what differences end-users will experience through such a change.

    Food for thought

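The answer above recommends staying in the single in.company.net domain with an OU structure and a delegation model. The script below is an added example of what that looks like in practice; it is not code from the answer or from Microsoft. It builds a US OU tree, gives a US helpdesk group only the rights it needs (password reset, unlock, joining laptops into one OU) instead of membership in Account Operators or Domain Admins, copies the existing India laptop policy onto the US laptop OU so both regions are restricted the same way, and adds company.net as an alternative UPN suffix so US users sign in as user@company.net without a second domain. It assumes the RSAT ActiveDirectory and GroupPolicy modules and Domain Admin rights; every OU, group and GPO name is a placeholder.

```powershell
<#
  Added example, not from the answer above. Single-domain layout for the US
  users in in.company.net: OU tree, least-privilege delegation, GPO copied from
  the India baseline, and a company.net UPN suffix. Assumptions: RSAT
  ActiveDirectory and GroupPolicy modules, Domain Admin rights. Placeholders:
  OU names, the group 'US-Helpdesk', the GPO names, the suffix 'company.net'.
#>
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain -Identity 'in.company.net'
$usOU     = "OU=US,$($domain.DistinguishedName)"
$usUsers  = "OU=Users,$usOU"
$usLaptop = "OU=Laptops,$usOU"

# 1. OU tree, parents first, protected from accidental deletion.
foreach ($dn in $usOU, $usUsers, $usLaptop) {
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        $name, $parent = $dn -split ',', 2
        New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Delegation: the US helpdesk may reset passwords and unlock accounts under
#    OU=Users,OU=US and create computer objects under OU=Laptops,OU=US. Nothing
#    else in the domain, and no membership in built-in admin groups.
$groupName = 'US-Helpdesk'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $usOU
}
$who = "$($domain.NetBIOSName)\$groupName"
dsacls $usUsers  /I:S /G "${who}:CA;Reset Password;user"   # extended right, user objects only
dsacls $usUsers  /I:S /G "${who}:RPWP;lockoutTime;user"    # clear a lockout
dsacls $usUsers  /I:S /G "${who}:RPWP;pwdLastSet;user"     # "must change password at next logon"
dsacls $usLaptop /I:T /G "${who}:CC;computer"              # join laptops into this OU only

# 3. Same restrictions as India: copy the existing laptop GPO and link it to the US laptop OU.
$srcGpo = 'IN Laptop Baseline'      # placeholder for the India policy that already exists
$dstGpo = 'US Laptop Baseline'
if (-not (Get-GPO -Name $dstGpo -ErrorAction SilentlyContinue)) {
    Copy-GPO -SourceName $srcGpo -TargetName $dstGpo | Out-Null
}
if (-not ((Get-GPInheritance -Target $usLaptop).GpoLinks | Where-Object DisplayName -eq $dstGpo)) {
    New-GPLink -Name $dstGpo -Target $usLaptop -LinkEnabled Yes | Out-Null
}

# 4. Logon name without "in.": register company.net as a UPN suffix and apply it to US users.
#    company.net must also be a verified domain in the Microsoft 365 tenant; the cloud
#    UPN follows this change on the next sync, so tell users their new sign-in name first.
if ((Get-ADForest).UPNSuffixes -notcontains 'company.net') {
    Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = 'company.net' }
}
Get-ADUser -SearchBase $usUsers -Filter * |
    ForEach-Object { Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@company.net" }
```

With this in place a US laptop is joined straight into the delegated OU, using the helpdesk account rather than a Domain Admin: `Add-Computer -DomainName in.company.net -OUPath "OU=Laptops,OU=US,DC=in,DC=company,DC=net" -Credential IN\US-Helpdesk -Restart`. One caveat the original post makes obvious: with no domain controller in the US, every join, logon and Group Policy refresh crosses the site-to-site link, so define an AD site and subnet for the US office (so clients stop picking arbitrary DCs) and consider a read-only domain controller there before rolling 200 laptops onto the domain.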