Solved

Split Active Directory Domain

Posted on 2004-10-26
2,222 Views
Last Modified: 2012-05-05
Scenario: A company splits.  Neither company wants to go through the trouble of changing the domain name.  All five server roles are running on one AD controller.

Question: Can we split the domain and have both of the new companies each keep the original domain name?

Let's say new company (A) has the server with all the Roles and new company (B) does not.

We sever the connection between (A) & (B).

(A) is fine as it has a Schema master etc... will just need to clean out the AD Controllers using ADSIedit to clean up the controllers that were lost due to the split.

Can company (B) just seize the roles on one of their Global Catalog Servers and continue to run a stable domain?

Theoretically this sounds good but has anyone actually done this?

Thanks for your comments.
0
Question by:Packerland
    6 Comments
     
    LVL 20

    Accepted Solution

    by:
    Hi

    Have I tried this in practice? - well yes - different reasons but same principle I believe - I have used seizing roles when a full FSMO role holder goes down and it does work - first check that AD replication and DNS are fully functional/OK between the two servers.

    The only way you can keep the original domain name on two separate networks is as you suggest:

    1) A new server is joined to the domain, service packed, then dcpromo'd, upon which it will get a copy of Active Directory and yet will be role-less. You then separate the two completely (never to be brought back together) and seize the roles for the domain on the DC that is currently role-less as in article (1). You can keep the roles on DC 1. Then remove the Active Directory data for the now gone servers from both of them as in article (2) and you could then create two totally separate networks with the same internal domain name, so long as they remain COMPLETELY separate. (You may run into problems if you have the same domain name hosted externally.) You'll need to sort out both as global catalogs, DHCP servers, sort out file data transfer etc. You'll also need to sort out which PCs now belong to whom as both will carry identical copies of AD for a short while, but more importantly the SIDs on the workstations attached at the time will remain, so some tweaking for security purposes will be in order. May also be tempted to change admin passwords etc.

    Relevant articles
    Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

    How to remove data in Active Directory after an unsuccessful domain controller demotion (not unsuccessful but principle for suddenly removed dc applies)
    http://support.microsoft.com/default.aspx?kbid=216498&product=nts40

    I can't see any reason really why it couldn't be done, so long as your companies don't re-merge!

    Deb :))


    0
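A read-only check for each side once the link is cut, added here as an example and not part of the original answer. It assumes the ActiveDirectory PowerShell module (which postdates this thread) on a DC of that side; `$SplitDate` and the use of LDAP port 389 as the reachability test are assumptions.

```powershell
# Added example (not from the thread): post-split inventory, run on ONE side only.
# Read-only: it seizes nothing and deletes nothing.
Import-Module ActiveDirectory

$SplitDate = Get-Date '2004-10-26'   # placeholder: the day (A) and (B) were disconnected

# 1. The five FSMO role holders as recorded in this side's copy of AD.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 2. Every DC object still in the directory, and whether it answers LDAP from here.
#    DCs that went to the other company will show Reachable = False; those are the
#    objects the metadata-cleanup article applies to.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        HostName  = $_.HostName
        Reachable = Test-NetConnection -ComputerName $_.HostName -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$gone = @($dcs | Where-Object { -not $_.Reachable } | ForEach-Object HostName)

# 3. Roles whose recorded holder is on the other side still have to be seized.
$roleReport = $roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role         = $_.Key
        Holder       = $_.Value
        NeedsSeizing = $gone -contains $_.Value
    }
}

# 4. Domain Admins whose password predates the split: both copies of AD hold the
#    same secret for these accounts, so they are the first passwords to change.
$sharedAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $SplitDate } |
    Select-Object SamAccountName, PasswordLastSet

$dcs | Format-Table -AutoSize
$roleReport | Format-Table -AutoSize
$sharedAdmins | Format-Table -AutoSize
```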
     
    LVL 3

    Expert Comment

    by:saito1

    I do this operation sometimes, and both theoretically and practically it's OK. There will not be any problem if the two servers have no connection after splitting.
    After transferring one of the domain controllers to the new location, you just need the NTDSUtil tool to remove the DC that was transferred to the other site and transfer all roles to the existing DC.
    The first step is to remove the DC that doesn't exist on site A, and then the same process on site B.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;216498 to remove DC
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255504 to transfer roles.

    If you have any problem while using ntdsutil, do not hesitate to ask me as I use it often.




    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    Isn't that exactly what I posted Saito1???????? What's the point in duplicating other experts' posts? Please don't!
    0
     
    LVL 3

    Expert Comment

    by:saito1
    sorry
    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    No worries - had three people in a row in three questions saying exactly what I'd already said so by the time I got round to this one I was a tad miffed - don't worry about it, and have a nice day,
    Deb :))
    0
     
    LVL 20

    Expert Comment

    by:Debsyl99
    Think I pretty much got this one right, thanks :)
    0
