Hey Tom - sounds like fun. The phrase "they are cut off from the root domain physically" combined with "both DNS zones are in the root and they don't have any DNS locally" sounds a bit unrealistic - this should naturally cause numerous replication issues; basically nothing should work (even normal authentication) as it all requires DNS lookup.

So I'm guessing that you do have some DNS servers in your child domains and it would be worthwhile for you to check if there are any secondary zones from the root domain (or the _msdcs subzone) being hosted on your child DCs or another DNS server used in your network. But your task doesn't seem to be fixing the current AD implementation, but rather to move away from it. DNS name resolution is critical for any kind of trust in AD (except for trusts to NT4 domains, which is not your scenario); however, you do not require EA permissions to set them up from your child domain to another domain in a new forest. But naturally you won't be able to create a forest trust (i.e. from root of current forest to root of new forest). The names of those domains that are directly trusted can NOT be the same (need to have different NetBIOS domain names). So yes, migration should work and even if you don't want to fix the current chaos, you should ensure that DNS works well (in the worst case concentrate on creating a workaround just for your child domain - which should be sufficient for trust creation to your new forest, where I'm sure you fully control DNS).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, 9 August 2005 00:09
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, Exchange, computers, etc. to the new forest and be done with the old. They are going to use Quest sw and a consultant from Quest for this. My question is - can this be done without any connectivity to the root?

Both DNS zones are in the root so they really don't have any DNS locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am. Their AD is more messed up than I thought :) )

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
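The check Guido recommends (does the child domain actually resolve the root's and the new forest's DC locator records, and does any local DNS server host a zone for the root or its _msdcs subzone) can be scripted. The following is an added example written for this page, not code from either poster or from the list; it assumes a modern Windows host with Resolve-DnsName and, for the zone inventory, the DnsServer module on a DC or DNS server. All domain names are placeholders.

```powershell
# Added example: verify the DNS prerequisites for an AD trust from a child domain.
# Part 1 resolves the SRV records a DC uses to locate DCs in each domain involved.
# Part 2 lists any zone on the local DNS server covering the forest root or its
# _msdcs subzone, so you can see whether it is primary, secondary or a stub.
# Assumptions: Resolve-DnsName (Windows 8 / Server 2012+) and the DnsServer
# module are available. Domain names below are placeholders, not real values.
param(
    [string]$LocalDomain  = 'child.corp.example',   # placeholder: your child domain
    [string]$ForestRoot   = 'corp.example',         # placeholder: current forest root
    [string]$TargetDomain = 'newforest.example'     # placeholder: domain in the new forest
)

function Test-DcLocatorRecords {
    param([string]$Domain)
    # SRV records used by DC location, Kerberos and PDC-emulator lookups.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain"
    )
    foreach ($n in $names) {
        try {
            $r = Resolve-DnsName -Name $n -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{ Record = $n; Resolvable = $true;  Detail = ($r.NameTarget -join ',') }
        } catch {
            # A failed lookup here is the symptom Guido describes: trust setup,
            # and ordinary authentication, cannot locate DCs for this domain.
            [pscustomobject]@{ Record = $n; Resolvable = $false; Detail = $_.Exception.Message }
        }
    }
}

function Get-LocalZoneCoverage {
    param([string]$Domain)
    # Zones hosted on this DNS server that cover $Domain or its _msdcs subzone.
    # ZoneType shows Primary/Secondary/Stub; MasterServers is set for the latter two.
    Get-DnsServerZone -ErrorAction Stop |
        Where-Object { $_.ZoneName -in @($Domain, "_msdcs.$Domain") } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
}

"== DC locator records =="
foreach ($d in $LocalDomain, $ForestRoot, $TargetDomain) {
    Test-DcLocatorRecords -Domain $d | Format-Table -AutoSize
}

"== Zones hosted locally for the forest root =="
$coverage = Get-LocalZoneCoverage -Domain $ForestRoot
if ($coverage) {
    $coverage | Format-Table -AutoSize
} else {
    "No zone for $ForestRoot or _msdcs.$ForestRoot is hosted on this server;" +
    " resolution of the root depends entirely on forwarders or the root's own DNS servers."
}
```

Run it on a child-domain DC before the Quest migration starts: every record for the child domain and the new forest's domain should resolve, and if the root's records do not, a secondary or stub zone for `_msdcs.<root>` on the child DNS servers is the workaround Guido refers to.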