Need to logically separate out an existing domain into separate domains but allow trust between them

I am involved in a project which includes a dept of the existing company "breaking off" and becoming separate. This dept is currently in its own OU in the domain. There are two W2003 domain controllers which replicate to provide redundancy, and various other services are arranged over two member servers. There are 50 machines in the network running Windows XP SP2 and the split will be roughly 50/50 (so approx 25 machines need to be separated).

For reasons of assuring certain people of security, I need to create a new domain for the dept to be separated. Users in this domain need to be able to access resources on the other domain. I am not sure whether I need to create a child domain in the existing domain, or a new domain altogether and form a trust between them. As both companies are logistically equal (one is not a parent company of the other), I am not sure about creating a child domain, but on the other hand I think that what I want to achieve will be more difficult with entirely separate domains. Any advice on this?

Secondly, for either method, how are users physically moved to the new domain? Is AD dragging-and-dropping possible across domains? Also, how can I split Exchange 2003 up to provide email to the different companies while keeping them separate, so they do not share address lists etc. - or am I being too hopeful, and need a new Exchange server!...?

My main points of uncertainty are (1) how to separate, (2) trusts and default trusts (depending on the option taken in (1)), (3) moving over the objects and (4) tying this all in with Exchange.

I know this is a very taxing question so it is worth 1000 points - I will make a second token question for the most helpful expert(s) worth the other 500.

We also run SharePoint for the two companies - I fear that this will be the most tricky thing to split up. SQL Server runs on one of the member servers and this needs to be accessible by both companies too.

Drizzt420 Commented:
Active Directory is designed to conform to your needs, not the other way around; a child domain would probably be the best and easiest way to go. In this case, the relation between the two companies neither favors nor rules out "child domain vs. a new domain". You could have or

Will the users being moved to the new domain be getting new email addresses, or will they keep their old ones?
If you go with the child domain solution, you shouldn't need to add another Exchange server (although you will have to run "domainprep" in the child domain).

If you configure DNS correctly and follow group nesting best practices it really shouldn't be that difficult; parent/child domains will already have all of the trusts that you need.

As far as moving things around, check out the free utility, "Active Directory Migration Tool", below:

rgford (Author) Commented:
Thanks for the advice RE the domain. I am apprehensive about the parent-child setup simply because of how I have to document and present this to management, who have very little understanding of it and will see newCo.Acme.local being logically "below" Acme.local, and will question this. From my own point of view, this also creates a default trust in one direction, and when it comes to inter-domain communication I would rather start with nothing and build up than start with something and build down.

RE email addresses - there is an Exchange default string (can't remember the name of those exactly, I hope you know what I mean!) which builds SMTP addresses for people in Active Directory based on the OU they get put into. I would have to edit this for the new scenario, but this isn't too much of a problem.

RE Exchange - so if I'm using a separate domain (even with a trust between them in the enterprise), I must use separate Exchange servers? If so, this may be the thing which brings me round to the child-parent plan. If I go parent-child, how will Exchange cope? What about shared public folders (calendar and contact lists exist), isolating address lists, etc.? The users need to feel that they are separated.
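Both posts above turn on the same point: a parent/child domain gets an automatic two-way transitive trust, whereas a separate domain starts with no trust and gets only what is explicitly created. The PowerShell below is an added example (not part of the thread, and not the asker's or Drizzt420's code) that reports every trust a domain holds and flags the settings a reviewer would want to see justified after the split. It assumes the ActiveDirectory module (RSAT) on a management host with rights to read the trust objects, and a domain controller new enough to answer Get-ADTrust; the domain defaults to whatever the host is joined to.

```powershell
# Added example, not code from the thread: audit the trusts a domain holds so that a
# "start with nothing and build up" trust design can be checked rather than assumed.
# Assumes the ActiveDirectory module is installed and the account can read trust objects.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain to inspect; defaults to the domain this host is joined to
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $findings = @()
        if ($_.IntraForest) {
            # Parent/child (and tree-root) trusts are created automatically, are always
            # two-way and transitive, and cannot be narrowed: document them as such.
            $findings += 'intra-forest: implicit two-way transitive trust'
        }
        else {
            # External/forest trusts are the ones you build up deliberately
            if ($_.Direction -eq 'BiDirectional') {
                $findings += 'two-way trust; confirm both directions are required'
            }
            if (-not $_.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) is off'
            }
            if (-not $_.SelectiveAuthentication) {
                $findings += 'domain-wide authentication; consider selective authentication'
            }
        }
        [pscustomobject]@{
            Source    = $_.Source
            Target    = $_.Target
            Direction = $_.Direction     # Inbound, Outbound, BiDirectional or Disabled
            Type      = $_.TrustType
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: full report, then only the trusts that carry a finding
Get-TrustReport | Format-Table -AutoSize
Get-TrustReport | Where-Object { $_.Findings } | Format-List
```

On a 2003-era domain without the module, `nltest /domain_trusts` lists the same trusts and `netdom trust` shows and sets the direction and quarantine flags. The distinction the script surfaces is the one the asker is weighing: an intra-forest trust between newCo.Acme.local and Acme.local will always appear with the implicit two-way finding, while a trust to a separate domain can be made one-way and filtered from the start.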