Solved

Removing a domain from Active Directory

Posted on 2006-06-06
1,054 Views
Last Modified: 2008-05-30
Hi All,

Not sure if this is possible but here goes.
I have a couple of domains, all are parent domains in the same forest.

                               Forest 1
Domain A--------------Domain B-------------Domain C

I need to remove one of the domains from the forest and make it a stand-alone entity in its own right.
There are no child domains under any of the parent domains.
Basically I need to break off Domain C, for example, and make it the forest root domain.
Can this be done?

Thanks
Andy
Question by:sparky1977
13 Comments
 
LVL 1

Author Comment

by:sparky1977
ID: 16842653
I would like to add that I need to do this "offline" so that the domain structure is not affected.
0
 
LVL 1

Author Comment

by:sparky1977
ID: 16842693
Sorry, I feel I should explain more.
Basically I am planning to break this domain off the main site in the near future due to this section of the business being sold.
This site will not have anything to do with the original site.
I also wish to make available a disaster recovery solution, and I was working on the premise that I could maybe "clone" the original server, remove all traces of the other domains and effectively make it the first domain in the forest, and have the system all ready to go.
If you have any other suggestions i would be interested in hearing them.
Thanks
Andy
0
 
LVL 16

Accepted Solution

by:
Joseph Nyaema earned 2000 total points
ID: 16842999
Yes it is possible.

Assuming there are three DCs, all belonging to their own domains.

Simply make sure they are all DNS servers pointing to themselves.

Make sure the servers cannot see each other (i.e. separate network).


Use ntdsutil to seize the 5 FSMO roles.
Make the server a global catalog.

Use ntdsutil to remove the domain metadata for the other two domains.
Use ntdsutil to remove the data for the other two domain controllers.


And voila, there you are, an independent separate domain.
0
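The steps in the accepted solution, written out as an added PowerShell example (not code from the thread or from Microsoft) using the Windows Server 2003 ntdsutil and Support Tools syntax. The DC name DC-C and the `select ... N` index values are placeholders: ntdsutil selects domains, sites and servers by the index numbers its own `list` commands print, so read them from step 3's output on your DC before filling in step 4. Without `-Execute` the script only prints the commands it would run. Later replies in this thread dispute whether the two forest-wide roles can be seized from a non-root domain, so the verification in step 5 is the part worth running first.

```powershell
<#
  Added example (not from the thread): the ntdsutil procedure from the
  accepted answer for cutting one domain's DC loose from its forest.
  Assumptions: surviving DC is 'DC-C' (placeholder); 2003-era ntdsutil
  wording ('seize domain naming master'); Support Tools installed for
  repadmin and netdom. Run on the isolated DC only, after the network split.
#>
param(
    [string]$SurvivingDc = 'DC-C',   # placeholder name
    [switch]$Execute                 # omit to preview the commands only
)

function Invoke-Ntdsutil {
    param([string[]]$Steps)
    # ntdsutil accepts its interactive menu commands as successive quoted
    # arguments, so an entire session fits on one command line.
    $preview = 'ntdsutil ' + (($Steps | ForEach-Object { '"{0}"' -f $_ }) -join ' ')
    Write-Host $preview
    if ($Execute) { & ntdsutil @Steps }
}

# 1. Seize all five FSMO roles onto the surviving DC. Seizing (not
#    transferring) matches the thread: the old holders are unreachable by design.
Invoke-Ntdsutil @(
    'roles', 'connections', "connect to server $SurvivingDc", 'quit',
    'seize schema master', 'seize domain naming master', 'seize RID master',
    'seize PDC', 'seize infrastructure master', 'quit', 'quit'
)

# 2. Make the surviving DC a global catalog.
Write-Host "repadmin /options $SurvivingDc +IS_GC"
if ($Execute) { & repadmin /options $SurvivingDc +IS_GC }

# 3. List the domains and sites the directory still knows about, so the
#    indexes used in step 4 come from real output rather than guesses.
Invoke-Ntdsutil @(
    'metadata cleanup', 'connections', "connect to server $SurvivingDc", 'quit',
    'select operation target', 'list domains', 'list sites', 'quit', 'quit', 'quit'
)

# 4. Remove one stale domain controller and then its domain; repeat once per
#    other domain. The three index values are placeholders for step 3's numbers.
$SiteIndex = 0; $ServerIndex = 0; $DomainIndex = 0
Invoke-Ntdsutil @(
    'metadata cleanup', 'connections', "connect to server $SurvivingDc", 'quit',
    'select operation target',
    'list sites', "select site $SiteIndex",
    'list servers in site', "select server $ServerIndex",
    'list domains', "select domain $DomainIndex", 'quit',
    'remove selected server', 'remove selected domain', 'quit', 'quit'
)

# 5. Verify: every role should now be listed on the surviving DC and
#    repadmin should report no replication partners in the removed domains.
Write-Host "netdom query fsmo ; repadmin /showrepl $SurvivingDc"
if ($Execute) { & netdom query fsmo; & repadmin /showrepl $SurvivingDc }
```

Keep the preview run's output with the change record: the seized roles and the removed server and domain entries are exactly what a later auditor will ask about when the two halves of the business stop trusting each other.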
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16843527
Hi sparky1977,

If your domain is a Windows 2000 domain it can't be done. Following Nyaema's advice you certainly will have 3 different domains, but you CAN'T rename them, so you end up with 3 domains with the same name (a workaround would be to upgrade to Windows 2003). Also Security Identifiers are shared among the cloned domains, and that is a security risk. I suggest you create a new forest and plan for a migration process.

cheers
0
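Walter's point about shared Security Identifiers applies to the "clone the original server" idea in the question: the original Domain C and its clone carry the same domain SID, and therefore the same account and group SIDs. An added PowerShell example (not from the thread) that reads the domain SID from each DC over LDAP and flags duplicates; the DC names are placeholders, and it is run from a workstation that can reach all of them:

```powershell
# Added example (not from the thread): detect domains that share a domain SID,
# which is what a cloned DC produces. Placeholder DC names; one DC per domain.
$Dcs = 'DC-C-original', 'DC-C-clone', 'DC-A'

function Get-DomainSidReport {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        # RootDSE tells us the DC's own domain naming context, so no names are hard-coded.
        $rootDse  = [ADSI]"LDAP://$dc/RootDSE"
        $domainDn = [string]$rootDse.defaultNamingContext
        $domain   = [ADSI]"LDAP://$dc/$domainDn"
        # objectSid is stored as a byte array; SecurityIdentifier renders it as S-1-5-21-...
        $sid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)
        [pscustomobject]@{ Server = $dc; DomainDN = $domainDn; DomainSid = $sid.Value }
    }
}

$report = Get-DomainSidReport -DomainControllers $Dcs
$report | Format-Table -AutoSize

# Two domains with one SID are indistinguishable to every ACL and token in the
# environment: a user in the clone resolves to the same SID as the original's
# user, so the two cannot safely coexist with a trust between them.
$duplicates = $report | Group-Object DomainSid | Where-Object { $_.Count -gt 1 }
if ($duplicates) {
    foreach ($group in $duplicates) {
        Write-Warning ("Domain SID {0} is shared by: {1}" -f $group.Name, (($group.Group.Server) -join ', '))
    }
} else {
    Write-Host 'All domain SIDs are distinct.'
}
```

Domains that were created separately inside the forest already have distinct SIDs, so a clean report here says nothing about the forest-role problem raised later in the thread; it only rules out the SID collision that cloning introduces.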
 
LVL 16

Expert Comment

by:Joseph Nyaema
ID: 16843620
wpadron...

They are three domains in the same forest.....

So they cannot be having the same name.

He wants to separate them not rename them.
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 16844485
There is one major problem to this.
According to MS, the root domain of the forest cannot be killed.
That is, the three domains would each have the PDC emulator, infrastructure master and RID master, and only the root or first domain in the forest has the schema and domain naming master roles, and these roles cannot be transferred over to another domain, so you might be able to separate only the root from the others by killing the other domains.
Even if you read the whitepaper for rendom, it says that you can rename a domain and make the child domain another domain in the same forest and vice versa; the root can only be renamed and its position in the forest cannot ever be changed. The schema master and domain naming master cannot be seized to others.

0
 
LVL 1

Author Comment

by:sparky1977
ID: 16844573
Hi all,

Thanks for your comments.
ALL domains have a domain controller; all DCs are running Windows 2003 Server SP1.
I understand that I can seize roles etc. but not the forest schema or the part applicable to the domain I want to move.
I would have thought that there would be some way of doing this, as I am sure there are instances where companies have split up or moved etc.
Thanks for the help so far.
0
 
LVL 5

Expert Comment

by:rleepy
ID: 16845186
You can try to create a new forest by installing a new DC, and create a 2-way trust between these 2 forests. Migrate all resources from the chosen domain over to the new forest. This way, you'll have all 5 FSMO roles on the new forest.

Hope this helps.
0
 
LVL 5

Expert Comment

by:rleepy
ID: 16845201
Can also try this if you have Windows 2003 installed on the DC that you wish to split.

http://technet2.microsoft.com/WindowsServer/en/Library/996741d8-28e4-4d20-9949-8f17fb9d3cfd1033.mspx?mfr=true
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16845554
Nyaema, you are right, the domains have different names ... and my English is not very good :( What I am trying to say is, if he has a W2K domain they can't rename the domain after that procedure, so they can't accommodate new company/business name requirements. kprad is right too, you can't move the schema and domain naming master out of the forest root domain. I still think that creating a new forest and planning for a migration process is a better approach.

cheers
0
 
LVL 5

Expert Comment

by:dutchclan
ID: 16848565
Suggested option:

Use the NTBackup utility. Back up the Active Directory, the main FSMO roles (domain-wide roles) and the SYSVOL share. Then restore it.

Problem with this scenario is that the GUID of the directory itself gets changed (usually the same as the GUID from the server). This will usually prevent the replication service from replicating to a restored AD (creating data inconsistency because the high-watermarks, USNs etc. are not correct), and it usually will be unavailable till the restored AD requests a replication from a replication partner.

Renaming:

This is only available in the Windows 2K3 Active Directory.

Trusts:

Will only poll other domains so that the IFM can create stale records of the objects polled in other domains. This doesn't actually fill the "new" AD with the information. Might be an option if indeed you keep the administrative role over that AD; might as well keep it in the current setting and use access rights and authentication to make specific NCs available to a domain.

Suggestion (only one I see as safe):

Is to indeed install a new DC for that domain. Migrate the users using the various Microsoft migration tools. Also migrate possible user profiles and mailboxes (if an Exchange server is installed in the default first site). And start with a clean AD with migrated users etc. Next keep the "old" domain as fallback and backup. If all successful after a while, back up the current "AD" in the current forest, next remove the old domain.

And yes I agree, the Microsoft NOS still needs a lot of work even though they get there fast...
0
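The new-forest path that rleepy and dutchclan both recommend starts with a two-way trust between the old domain and the freshly installed forest, verified before any account is migrated. An added PowerShell example (not from the thread) using netdom from the Windows Server 2003 Support Tools; the domain names and the administrator accounts are placeholders, and `/PasswordD:*` and `/PasswordO:*` make netdom prompt for the passwords rather than putting them on the command line:

```powershell
# Added example (not from the thread): set up and verify the trust that the
# migration approach relies on. Placeholder names throughout.
$OldDomain = 'domainc.corp.example'    # placeholder: domain being split off, still in the old forest
$NewForest = 'domainc-new.example'     # placeholder: root domain of the newly installed forest

# Create a two-way trust. netdom's first argument is the trusting domain, /Domain: is the
# trusted domain; /UserD and /UserO are credentials for the trusted and trusting side.
netdom trust $OldDomain /Domain:$NewForest /Add /TwoWay `
    /UserD:"$NewForest\Administrator" /PasswordD:* `
    /UserO:"$OldDomain\Administrator"  /PasswordO:*

# Verify in both directions before ADMT (or any other migration tool) touches a user.
netdom trust $OldDomain /Domain:$NewForest /Verify /TwoWay

# List the trusts each side now sees; the new forest should appear exactly once.
netdom query /Domain:$OldDomain trust
netdom query /Domain:$NewForest trust
```

Leaving the old domain in place as the fallback, as dutchclan describes, is what makes this path reversible: until the old domain is decommissioned, removing the trust with `/Remove` instead of `/Add` puts everything back where it was.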
 
LVL 5

Expert Comment

by:dutchclan
ID: 16848583
And yes, as rleepy suggests (and the AD study suggests), moving a domain between sites must be possible. The only problem is that I have some problems with the term "move" as it's quite absolute. I usually like to have an "out" without needing to restore a complete AD if problems occur. But then again, Microsoft suggests it's safe, and they designed it all. (Still rather copy than remove.)
0
 
LVL 5

Expert Comment

by:rleepy
ID: 17029386
We should not allow any more of these abandoned questions, it takes out the fun in resolving issues and being recognised for our efforts as well, i.e. points.
0