Shrinking many domains to few or one



  • OK, one of our own has a project where they are attempting to go from having 5 domains to just one. Let's not ask why there were 5 in the first place.

    The domains are:
    City.com
    one.city.com
    two.city.com
    three.city.com
    four.city.com

    So, all users have two accounts in AD, one in city.com (used exclusively for access to on-site Exchange) and a second one in the domain the user exists in.

    So Admin1 has the following accounts

    [email protected] - used only so Exchange has an AD account to be attached to
    [email protected] - used to log into their computer, access files, etc.

    So I propose a few things to be accomplished in a mostly not specifically listed order.

    Let's handle email first - I see little reason that the AD account associated with the user's email can't be changed to the subdomain specific account. This might even be scriptable (in fact probably is). Of course testing this one a few accounts first is paramount.
    Then, after Exchange is only pointing at the subdomain account, delete the account from the city.com domain, as it's no longer needed.

    *It's been suggested that Exchange be left alone until the end. This would allow all accounts be be created in the to be mentioned ad.city.com domain, then associated with the exchange account, instead of having to worry about changing AD accounts in Exchange possibly twice. Thanks @coliver *

    Create a new domain for AD objects. The general way I see it recommended today to setup an AD is to make it something like ad.city.com. This enables the city.com domain to remain free and clear for use on the public internet with out a split horizon DNS issue.

    Using migration tools, migrate the user accounts from all of the other subdomains to the new ad.city.com domain. The last time I did this, the tool had a way of bringing the old SID along for the ride to the new account to allow the new account to continue to have access to anything the old one had access to. Now what I don't know is, does Exchange need to be updated again? If yes, perhaps there is a way to do the migration to the new ad.city.com domain and change exchange in one step/sequence of steps.

    Using migration tools, migrate the PCs to the ad.city.com domain. User profiles are going to be the issue here.

    File servers - move them to the new ad.city.com domain. Assuming the old SIDs are in the user new user accounts, the users shouldn't see any difference, but your work isn't done. Permissions will need to be changed to specifically use permissions from the new ad.city.com domain, because we want to be rid of the old one, two, etc domains. Hopefully more scripting to the rescue.

    Move Exchange to ad.city.com - yeah - hire a pro, or probably as easy - install Exchange in that domain specifically, and migrate the mailboxes.

    Oh, and the huge thing that we know needs to be fixed in this environment - MOVE TO DHCP!

    I'm sure there are many things I'm forgetting - so please speak up.


  • Service Provider

    And @wirestyle22 cannot post his own topics why?



  • Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.



  • @coliver said in Shrinking many domains to few or one:

    Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

    Municipalities are free? That seems weird.



  • @jaredbusch said in Shrinking many domains to few or one:

    And @wirestyle22 cannot post his own topics why?

    Because these ideas are mine, not his. If you want to blast someone for having an idea, blast they guy who came up with them.



  • @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

    Municipalities are free? That seems weird.

    Not free but there is a slight discount. Looks like 15%.



  • @coliver said in Shrinking many domains to few or one:

    @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

    Municipalities are free? That seems weird.

    Not free but there is a slight discount. Looks like 15%.

    Well - Wired I'm sure isn't in a position to push for this move. Also, this only solves the email problem, not any of the others. And really - I'm not sure it actually solves the problem, assuming they want to keep ADSync in place to sync local AD with O365 for email accounts (they aren't syncing email accounts with user accounts now, so perhaps that's not a real issue).



  • @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

    Municipalities are free? That seems weird.

    Not free but there is a slight discount. Looks like 15%.

    Well - Wired I'm sure isn't in a position to push for this move. Also, this only solves the email problem, not any of the others. And really - I'm not sure it actually solves the problem, assuming they want to keep ADSync in place to sync local AD with O365 for email accounts (they aren't syncing email accounts with user accounts now, so perhaps that's not a real issue).

    It pushes the email piece off domain and makes it easier to deal with issues that come up... especially if you don't have to worry about the Exchange gorilla sitting in the corner waiting to fail.

    In reality why not leave the email domain alone for now and start moving users and machines over to ad.city.gov. That makes it much less complex if you can move the users over first, the follow through with email when the initial move is done.



  • @coliver said in Shrinking many domains to few or one:

    In reality why not leave the email domain alone for now and start moving users and machines over to ad.city.gov. That makes it much less complex if you can move the users over first, the follow through with email when the initial move is done.

    Good point - and the purpose of this thread.



  • How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way then to fight with the existing incorrect and unsustainable way.



  • @jaredbusch said in Shrinking many domains to few or one:

    And @wirestyle22 cannot post his own topics why?

    I did post a topic about this already. We just had a private conversation and he wanted you guys to challenge his own ideas.



  • @coliver said in Shrinking many domains to few or one:

    How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way then to fight with the existing incorrect and unsustainable way.

    So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

    Wired seemed to indicate to me that it's mostly folders that are set with users, not files. If a report can be run that shows the general cross over, and if they follow things like departments, they can make fewer groups when adding those permissions back to the file server.



  • @coliver said in Shrinking many domains to few or one:

    @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

    Municipalities are free? That seems weird.

    Not free but there is a slight discount. Looks like 15%.

    We priced it out and didn't end up receiving any discounts via Microsoft. It took them 1.3 years to approve a switch refresh just to give you an idea of what we are dealing with and how slow moving they are here.



  • @coliver said in Shrinking many domains to few or one:

    How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way then to fight with the existing incorrect and unsustainable way.

    We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.



  • @dashrender said in Shrinking many domains to few or one:

    So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

    That's not what I'm suggesting. Not sure how you got that from what I'm saying.

    You have an opportunity to rebuild you infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build you AD infrastructure and file share prior to users being allowed on them. When they login they "magically" have access to things they didn't previously.

    If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).



  • @wirestyle22 said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way then to fight with the existing incorrect and unsustainable way.

    We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

    That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.



  • @coliver said in Shrinking many domains to few or one:

    @wirestyle22 said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way then to fight with the existing incorrect and unsustainable way.

    We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

    That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.

    It would be more than that, but definitely less than it seems.



  • @coliver said in Shrinking many domains to few or one:

    @dashrender said in Shrinking many domains to few or one:

    So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

    That's not what I'm suggesting. Not sure how you got that from what I'm saying.

    You have an opportunity to rebuild you infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build you AD infrastructure and file share prior to users being allowed on them. When they login they "magically" have access to things they didn't previously.

    If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

    I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

    If this is not what you're suggestion, then I'm still not getting it.

    If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move the something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.


  • Service Provider

    Buy a netwrix license and move on.



  • @dashrender said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    @dashrender said in Shrinking many domains to few or one:

    So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

    That's not what I'm suggesting. Not sure how you got that from what I'm saying.

    You have an opportunity to rebuild you infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build you AD infrastructure and file share prior to users being allowed on them. When they login they "magically" have access to things they didn't previously.

    If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

    I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

    If this is not what you're suggestion, then I'm still not getting it.

    If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move the something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.

    That's exactly what I'm referring to... not sure how it would disruptive to workflows? It's a new share in a new location literally nothing else changes. The files stay exactly the same. Even the structure, for the most part, could stay exactly the same. They need this file, well it's now located here. Setup DFS and you could even do \\ad.city.gov\folder. So much easier then remembering an individual server and path.

    As for the NextCloud design. That's a fantastic idea but you'd really have the redevelop workflows around that process. I'm not opposed to it but it seems like @wirestyle22 already has a slow moving organization and a change like that would be a straight up revolt.



  • @jaredbusch said in Shrinking many domains to few or one:

    Buy a netwrix license and move on.

    This is a great idea Netwrix Auditor could do a lot to figuring out who has what permissions where and you could do some reporting based on overlap... etc...



  • @jaredbusch said in Shrinking many domains to few or one:

    Buy a netwrix license and move on.

    This was one of the first things I said to @Dashrender today. It will happen regardless of what direction we go in.



  • @coliver Next cloud is such a sore subject for me. Why they won't do it:

    They won't spend the maximum of $15 a year on a domain for us to use for it. so I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

    It's actually infuriating



  • @wirestyle22 said in Shrinking many domains to few or one:

    @coliver Next cloud is such a sore subject for me. Why they won't do it:

    They won't spend the maximum of $15 a year on a domain for us to use for it. so I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

    It's actually infuriating

    That's fine you've presented it to them and they've declined. So move on.



  • @coliver said in Shrinking many domains to few or one:

    @wirestyle22 said in Shrinking many domains to few or one:

    @coliver Next cloud is such a sore subject for me. Why they won't do it:

    They won't spend the maximum of $15 a year on a domain for us to use for it. so I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

    It's actually infuriating

    That's fine you've presented it to them and they've declined. So move on.

    Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

    /rant



  • It's especially annoying because I see $1300-$2000 curved wide screen monitors on their desks. Never knew how right @scottalanmiller was about local government before I worked here.



  • @wirestyle22 said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    @wirestyle22 said in Shrinking many domains to few or one:

    @coliver Next cloud is such a sore subject for me. Why they won't do it:

    They won't spend the maximum of $15 a year on a domain for us to use for it. so I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

    It's actually infuriating

    That's fine you've presented it to them and they've declined. So move on.

    Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

    /rant

    So the next time they are whining about drop box costs, tell them, we have a solution ready to bang out, it only costs $x and will take me 2 hours to get up and running - etc.



  • @dashrender said in Shrinking many domains to few or one:

    @wirestyle22 said in Shrinking many domains to few or one:

    @coliver said in Shrinking many domains to few or one:

    @wirestyle22 said in Shrinking many domains to few or one:

    @coliver Next cloud is such a sore subject for me. Why they won't do it:

    They won't spend the maximum of $15 a year on a domain for us to use for it. so I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

    It's actually infuriating

    That's fine you've presented it to them and they've declined. So move on.

    Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

    /rant

    So the next time they are whining about drop box costs, tell them, we have a solution ready to bang out, it only costs $x and will take me 2 hours to get up and running - etc.

    It's sitting on one of my hyper-v hosts, 100% ready. Only thing I need is the port forwarding and a-record. It would take 2 mins.


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.