Independent AD integration (1): establishing an AD domain trust on Server 2019

Background and requirements:

A client company, corp-A, recently acquired company corp-B. Currently both companies run their own independent AD, with the domain names corp-A.com and corp-B.com respectively. Going forward, corp-A needs to manage both under a single administration.

Requirements analysis:

Based on the customer's preliminary description, my understanding of what needs to be achieved is roughly as follows:

  • Corp-A's administrators need to manage the entire organizational directory, GPOs, etc. from the same AD
  • Some resources of Corp-A and Corp-B need mutual access and trust, such as DNS records, GPOs, etc.
  • Corp-B's structure needs to change with as little impact on end users as possible

Approach:

I haven't touched AD architecture for a long time. From memory of n years ago, the general direction is as follows:

  1. Establish a mutual domain trust between the two AD forests
  2. Create a new Corp-B as a subdomain of Corp-A, and import the AD organizational structure and configuration into the new AD
  3. Directly move Corp-B from the original Forest to Corp-A's Forest and change it to a subdomain (to be confirmed)

First, prepare a simple test environment for the related tests:

Overview of the test environment:

Host                       IP             Comment
RSDCA.corp-A.com           10.20.30.101   Domain functional level Server 2016
RSDCB.corp-B.com           10.20.30.102   Domain functional level Server 2016
DESKTOP-TEST.corp-B.com    DHCP           Domain member computer of company B

Test process (environment setup omitted):

Domain trust scheme:

DNS (on RSDCA, corp-A.com):

  1. Open DNS Manager, expand the server and Forward Lookup Zones, right-click the zone corp-A.com and open Properties. On the General tab, change Dynamic updates to "Nonsecure and secure", so that updates from both secure and non-secure sources are accepted.
  2. On the Zone Transfers tab, select "Allow zone transfers" and add RSDCB's IP to the list of allowed servers.
  3. When that is done, right-click Forward Lookup Zones and create a new zone.
  4. Select "Secondary zone".
  5. Following the wizard, enter the other domain name, corp-B.com, and add RSDCB's IP address as the master server.
  6. Finish the wizard. Once the zone has been added, right-click the new zone and select "Transfer from Master".

After completing the above, the corp-B.com domain name can be pinged from corp-A's DC. Perform the same operation on corp-B's DC (RSDCB).

Finally, both domain names can be pinged from the client at the same time, giving cross-forest DNS name resolution in both directions.
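The DNS steps above, scripted with the DnsServer PowerShell module, as an added example (this is not code from the original post). It assumes an elevated session on RSDCA with the DNS role installed, the names and addresses from the test-environment table, and that corp-A.com is the AD-integrated primary zone on that server; swapping the two sides gives the RSDCB half.

```powershell
# Added example, not from the original post: the DNS half of the cross-forest setup,
# run on RSDCA (corp-A.com). Assumes the DnsServer module (DNS role) and the
# names/addresses from the test-environment table.

$LocalZone  = 'corp-A.com'     # primary zone hosted on this DC
$RemoteZone = 'corp-B.com'     # zone hosted by the other forest's DC
$RemoteDns  = '10.20.30.102'   # RSDCB

# 1. Dynamic updates: the post sets the zone to accept nonsecure and secure updates
#    (the default for an AD-integrated zone is 'Secure').
Set-DnsServerPrimaryZone -Name $LocalZone -DynamicUpdate NonsecureAndSecure

# 2. Zone transfers: allow them only to the listed server (RSDCB), not to any host.
Set-DnsServerPrimaryZone -Name $LocalZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $RemoteDns

# 3. Secondary zone for the other forest, with RSDCB as master.
if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RemoteZone `
        -ZoneFile "$RemoteZone.dns" `
        -MasterServers $RemoteDns
}

# 4. "Transfer from Master": pull the zone now instead of waiting for the refresh interval.
Start-DnsServerZoneTransfer -Name $RemoteZone -FullTransfer

# 5. Verify: print the settings that matter and resolve the other forest's name locally.
Get-DnsServerZone -Name $LocalZone |
    Select-Object ZoneName, DynamicUpdate, SecureSecondaries, SecondaryServers
Get-DnsServerZone -Name $RemoteZone |
    Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name $RemoteZone -Type A -Server 127.0.0.1
```

Two of these settings deserve a second look once the test is over: "Nonsecure and secure" dynamic updates let any host that can reach the server register or overwrite records in corp-A.com, and a zone transfer hands out the whole zone, which is why the script restricts transfers to RSDCB's address rather than to any server. The secondary zone is read-only and is populated by the transfer, so it does not itself depend on the dynamic-update change. A conditional forwarder for corp-B.com (Add-DnsServerConditionalForwarderZone) resolves the other forest's names without a zone transfer and is a common alternative to the secondary zone used here.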
Trust (on RSDCA):

  1. Open Active Directory Domains and Trusts, right-click the current domain, open Properties, and on the Trusts tab click "New Trust".
  2. Following the wizard, enter the domain name corp-B.com.
  3. Select a domain (external) trust.
  4. Select non-transitive.
  5. For the trust direction, select two-way.
  6. The wizard confirms the trust relationship. Perform the same configuration on the other side, and the configuration is complete.

Both domains can now read, manage and access each other.
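The same two-way, non-transitive trust created and then inspected from PowerShell on RSDCA, as an added example that is not from the original post. The ActiveDirectory module has Get-ADTrust but no cmdlet for creating a trust, so the example uses the .NET System.DirectoryServices.ActiveDirectory classes, which configure both sides of the trust in one step (the wizard's "both this domain and the specified domain" choice). It assumes a corp-A Domain Admin session with the RSAT ActiveDirectory module installed, corp-B.com name resolution already working as set up above, and a corp-B account permitted to create trusts, supplied at the prompt.

```powershell
# Added example, not from the original post: create the two-way external trust
# corp-A.com <-> corp-B.com from RSDCA with the .NET ActiveDirectory classes, then
# review the trust object. Assumes a corp-A Domain Admin session, the RSAT
# ActiveDirectory module, and a corp-B account allowed to create trusts.

Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$RemoteDomain = 'corp-B.com'
$RemoteCred   = Get-Credential -Message "Account in $RemoteDomain allowed to create trusts"

$local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ctx   = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
             [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain,
             $RemoteDomain,
             $RemoteCred.UserName,
             $RemoteCred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

# Create both sides of the trust at once. An external trust created this way is
# non-transitive, matching the wizard choices in the post.
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Verify the secure channel in both directions, as the wizard's confirmation page does.
$local.VerifyTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Review the trust object. Expected for this design: Direction BiDirectional,
# ForestTransitive False. SIDFilteringQuarantined and SelectiveAuthentication
# control how far the other forest's accounts reach (see the note below).
Get-ADTrust -Filter "Name -eq '$RemoteDomain'" |
    Select-Object Name, Source, Target, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication
```

Two of the attributes printed at the end are worth checking before such a trust goes into production. With SIDFilteringQuarantined set to True (the default for an external trust) only SIDs belonging to corp-B.com itself are accepted in authentication data that crosses the trust, so a SID from any other domain in a corp-B token is dropped. With SelectiveAuthentication set to False, every corp-B user can authenticate to every corp-A computer as soon as they are granted permissions there; with it set to True, each computer has to be opened explicitly with the "Allowed to Authenticate" permission.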

Domain user migration scenario (tested in the next article)

Precautions:

  • The migration and trust steps in this article assume both domains are at the same domain functional level. With different levels, treat them as a reference only; it is recommended to raise the domain functional level first.
  • The test environment has a single flat network. In a production environment, confirm that routing between the domain controllers is reachable and that the required ports are opened on the security devices.
  • A production environment must have a backup and rollback plan!
  • Time was limited and many functions have not been tested further; I will summarize them after the actual production implementation.

Origin blog.csdn.net/sjj222sjj/article/details/122204769