#1

just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,421

advice

I have set up our new network (new Comcast 100MB).

All new ProCurve L3 PoE switches and a Sonicwall NSA 2400. We have several networks/VLANs. Currently the new Comcast is on its own VLAN and I have set up a new domain controller, DNS, DHCP, server. Everything is working great. Now it's time to start moving everyone over to the new domain.

The problem is that the current domain they are on comes from the county, and I have very little control over it. They don't even let me access the router, and don't allow VPNs, don't allow FTP.

We have a file server that everyone uses daily. The number of computers/printers that will need to be removed from the current domain and put on the new domain is about 2 weeks' work, I'd guess. (Removing McAfee sucks, and is only a little better than reformatting.)

Only plan I could come up with is to set up one computer in every building that has access to the old network which the file server is on, and hand out USB drives. When computers are moved to the new domain/VLAN, they would have to go to this computer and get what they need, put it on a USB drive, take it to their computer, make changes, then take it back to the computer and copy it back to the server. This would probably take nothing less than training everyone how to copy files correctly to the correct location.

At first I was telling everyone that some people would just need to do without access to the file server for a bit, but that didn't go over very well.

A SECURE internet file server would be better, but I'm not sure if there is such a thing. Just wondering if anyone has had similar issues and how they dealt with it.

Last edited by ssahl; 01-21-2013 at 12:04 AM.

#2

Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,709

Changing everything to a new domain is not a quick and easy task.

What might help is to use RDP to access all the workstations using the local administrator account. That would save you physical access time and you could get multiple workstations going simultaneously. But, all this is assuming that you either have RDP enabled, the port open on the workstation firewalls, and the local administrator account enabled with a password set. And if not, this also assumes you have access to the group policy for the old domain to enable all those settings.

There is also a way to rename the domain, but I've never done it and I'm not quite sure if it would be applicable to your situation:

How Domain Rename Works: Active Directory

And there's this for transferring AD users:

Download ADMT v3.2 from Official Microsoft Download Center
ADMT Guide: Migrating and Restructuring Active Directory Domains

What are you using for email? Is it tied to a domain server? If you're using Exchange:

Prepare Mailboxes for Cross-Forest Move Requests: Exchange 2013 Help

As for the transition from the old to new server, I might suggest this:

1) Set up your AD users on the new domain.
2) Set up ACL rules between VLANs to allow computers on the old domain/VLAN SMB and NetBIOS traffic to the new file server on the new VLAN.
3) Move all your data to the new file server and close access to the old file server.
4) Give your users the SMB path to the new file server, and their new login information.
5) Move the computers to the new domain and new VLAN and use a GPO to map the drive path for the new server.

This should eliminate the need for juggling USB flash drives and help retain data consistency on the file server.

__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.

Last edited by Force Flow; 01-21-2013 at 12:26 AM.

#3

just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,421

Quote:

All devices on the old domain use the same gateway, which is the old router. All IP addresses are public (yes, even the one for the VLAN which the old domain is on). Again, not my setup; I only work with what I have.

The new Comcast internet comes in through our firewall, then to the L3 routing switch. Our new L3 routing switch and firewall don't really talk to the old router.

The domain controllers and DNS servers on the old domain are housed at the county too. My domain account only has limited admin rights.

Well, my networking skills are not great, so with this new information will your suggestion still work (for sure a better way), or is the USB drive plan I have/had starting to look better for the given situation?

Last edited by ssahl; 01-21-2013 at 10:56 PM.

#4

Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,709

I'm not quite clear on how exactly the networks are configured and connected. Typically, I'd do some sort of wiring and routing diagram with actual or sample IPs.

Another possible alternative if you really can't get the two networks connected by configuring existing equipment: grab a $50 router (my personal preference is something that can support dd-wrt). Then, put the WAN side on the old network, and assign an IP from the old network. On the LAN side, disable DHCP and assign a static IP from the new network, and use NAT port forwarding.

Then, set up NAT port forwarding from the WAN (aka old network) to the file server's IP address on the LAN (new network). Then, give users the IP address you assigned to the WAN side of the router, which would effectively be their path to the new file server during the transition.

Additionally, this will probably only work if you have the ports on your switches set to access mode where they are connected to this router.
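
Added example, not part of the thread: the NAT port forwarding described in post #4, written as a script that prints an iptables-restore rule set for a Linux-based router. It assumes the router has iptables-restore; the WAN address, file server address and /24 prefix are constructed placeholders, and only TCP 445 (SMB) is forwarded, limited to old-network sources because those addresses are public.

```shell
#!/bin/sh
# Added example: emit an iptables-restore rule set for the transition router.
# All addresses below are constructed placeholders, not values from the thread.
WAN_IP="209.25.25.10"       # router's WAN address on the old network (placeholder)
OLD_NET="209.25.25.0/24"    # old network; the /24 prefix length is an assumption
FILE_SERVER="192.168.1.10"  # new file server on the new network (placeholder)

# Return 0 only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# gen_rules WAN_IP OLD_NET SERVER: print the rules, or fail on a bad address.
gen_rules() {
    wan_ip=$1; old_net=$2; server=$3
    is_ipv4 "$wan_ip" && is_ipv4 "${old_net%/*}" && is_ipv4 "$server" || return 1
    cat <<EOF
*nat
# Forward SMB (TCP 445) only, and only for clients on the old network.
-A PREROUTING -s $old_net -d $wan_ip -p tcp --dport 445 -j DNAT --to-destination $server:445
# Source-NAT so the server's replies return through this router.
-A POSTROUTING -d $server -p tcp --dport 445 -j MASQUERADE
COMMIT
*filter
# Default-deny forwarding; nothing else crosses between the two networks.
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $old_net -d $server -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

gen_rules "$WAN_IP" "$OLD_NET" "$FILE_SERVER"
```

Review the printed rules before loading them with iptables-restore, which by default replaces the existing rules in the nat and filter tables.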

#5

just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,421

Here is a network diagram. The switches are connected through trunk ports that are tagged for the VLANs shown in the diagram. (ProCurve lingo)

The VLANs are set with a gateway that is in the same subnet for each VLAN. Example:

VLAN 2: 192.168.1.0/24 network, 192.168.1.254 gateway
VLAN 3: 192.168.3.0/24 network, 192.168.3.254 gateway

However, for VLAN 1 (old domain) the internet comes in through a T1 to the Cisco router, which has a public IP address; this same IP address is also the gateway for this network. The VLAN uses an IP address that is in the same subnet, but the routing is still done through the Cisco router.

Example:

Cisco router 209.25.25.1
VLAN 1 209.25.25.4
Gateway 209.25.25.1

A device connected to VLAN 1 will get 209.25.25.1 as gateway from the DHCP server. If a device was manually configured to use 209.25.25.4 as the gateway, it would get internet through the Comcast line, not through the T1.

Does that make sense?

#6

just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,421

I'm still not sure the $50 router option will work. The IP address may be a public one, but the county firewall doesn't allow any outgoing ports open. Giving the LAN router an IP address from the new network doesn't give it access to that network. Would I plug in network access to the LAN side of the router? Would that work? (see 2nd picture)