Overlapping networks / Active Directory interforest migration

Hämäläinen, Teijo 81 Reputation points
2021-11-23T12:55:19.42+00:00

We are about to begin an interforest Active Directory migration.

Both Forests are single-domain, all Domain Controllers on both domains are running Windows Server 2019. Source domain has 3000 AD user accounts, hundreds of domain-joined servers, 15000 AD security groups.

Our plan in a nutshell:

Set up DNS name resolution across domains
Set up a two-way Forest Trust
Install the ADMT server in the target domain
Create new AD user accounts in the target domain in advance and migrate mailboxes
Merge the SID history of source domain user accounts into the user accounts in the target domain
Migrate all security groups
Migrate all servers
Workstations will be re-imaged and not migrated
Decommission the source domain

Problem:

We now know that several IP subnets overlap between the companies. The telecom team plans to resolve this by using a NAT firewall between the company networks. Microsoft does not recommend using NAT.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/support-for-active-directory-over-nat

The telecom team doesn't accept the idea of starting to change IP addresses to make the NAT option unneeded :)

The initial workaround is to deploy one (or more) target Domain Controllers in the source domain network and connect them to the rest of the DCs using a VPN tunnel. But I guess that requires installing a 2nd NIC on the Domain Controllers.

I have never faced a scenario where the networks of the source and target domains overlap. How have you managed this kind of situation?


4 answers

  1. Anonymous
    2021-11-23T13:50:24.633+00:00

    But I guess that requires to install 2nd NIC on Domain Controllers.

    Multihoming a domain controller will always cause no end of grief for Active Directory DNS.


  2. Hämäläinen, Teijo 81 Reputation points
    2021-11-24T08:06:40.687+00:00

    Thanks Dave. I know a multihomed DC is not a good idea, but I would like to know more about the real-life problems that may occur during an AD migration if NAT is used between the networks.

    I suspect that NAT may negatively affect client computers when they attempt to access server resources in the other domain.


  3. Gary Reynolds 9,591 Reputation points
    2021-11-24T19:11:32.583+00:00

    Hi @Anonymous

    It is possible to use NAT to complete a migration; I've done a few, and they are just a little more complicated. The main issue you have to overcome is name resolution and making sure that DNS requests between domains resolve to the correct NAT'd address.

    The best way to achieve this is to use a single crossing point between domains; if your ADs are geo-diverse, you will have to route all DNS traffic back to a single site. You will need both NAT and DNS rewrite to support this; most enterprise-grade firewalls support these features. If not, there are a few Linux services that can do this as well.

    As for your approach, it looks OK, but I'm not a fan of using SID history. I can't remember how many domains I've looked at where SID history still exists years after the migration has been completed. The main reason SID history remains in place is that the removal of SID history is usually the last task to be completed, and as a result it doesn't happen because the project runs out of time or money, or for fear that things will break once SID history is removed. SID history hides problems with permissions that have not been remediated, and you only find these once you remove SID history. My suggestion would be to invest the time up front to remediate the permissions between domains, then test access as part of your pilot migrations. Yes, this will take more time up front; however, you will be able to identify and fix issues as they happen, rather than the big bang approach when you remove SID history.

    Gary.
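
The overlap check and the DNS-rewrite behaviour Gary describes, as an added illustration that is not part of the thread or of any firewall product: the subnet lists, the NAT pool (100.64.0.0/16) and the DNS answers are all constructed sample data, and the rewrite models what a firewall's DNS rewrite does to A records crossing the single crossing point.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: AD Sites and Services subnets declared in each
# forest. 10.10.0.0/16 is declared in both, which is the overlap at issue.
SOURCE_FOREST_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]
TARGET_FOREST_SUBNETS = ["10.10.0.0/16", "10.30.0.0/16", "172.16.0.0/12"]

# Hypothetical 1:1 static NAT: the source forest's real 10.10.0.0/16 is
# presented to the target forest as 100.64.0.0/16 (same host bits).
NAT_MAP: Dict[str, str] = {"10.10.0.0/16": "100.64.0.0/16"}

# Constructed answer set as the source DNS would return it, before NAT.
SAMPLE_ANSWER = [
    ("dc01.source.example", "A", "10.10.1.5"),
    ("fs01.source.example", "A", "10.20.3.7"),
    ("_ldap._tcp.source.example", "SRV", "0 100 389 dc01.source.example."),
]


def find_overlaps(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Every pair of subnets (one per forest) that overlap; these are the
    ranges that need NAT and DNS rewrite before the trust can work."""
    nets_a = [ipaddress.ip_network(x) for x in a]
    nets_b = [ipaddress.ip_network(y) for y in b]
    return [(str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]


def pool_conflicts(nat_map: Dict[str, str], target: List[str]) -> List[str]:
    """NAT pools that collide with the target forest's own subnets. A pool
    listed here would only move the overlap, not remove it."""
    return [p for p in nat_map.values() if find_overlaps([p], target)]


def translate(addr: str, nat_map: Dict[str, str]) -> str:
    """Map a real source address to its NAT'd address (host bits kept).
    Addresses outside the overlapping subnets are returned unchanged."""
    ip = ipaddress.ip_address(addr)
    for real, pool in nat_map.items():
        real_net, pool_net = ipaddress.ip_network(real), ipaddress.ip_network(pool)
        if ip in real_net:
            return str(pool_net.network_address + (int(ip) - int(real_net.network_address)))
    return addr


def rewrite_answers(records, nat_map: Dict[str, str]):
    """DNS rewrite as a firewall would apply it: doctor A-record rdata only.
    SRV/CNAME targets are names, so they resolve correctly via the rewritten A."""
    return [(n, t, translate(r, nat_map) if t == "A" else r) for n, t, r in records]
```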


  4. Limitless Technology 39,811 Reputation points
    2021-12-15T17:24:59.607+00:00

    I suppose you can map network 1 and network 2 IP ranges to a virtual IP range and sort this out.


    --If the reply is helpful, please Upvote and Accept it as an answer--

