I am involved in a project which includes a dept of the existing company "breaking off" and becoming separate. This dept is currently in its own OU in the domain. There are two W2003 domain controllers which replicate to provide redundancy and various other services arranged over two member servers. There are 50 machines in the network running Windows XP SP2 and the split will be roughly 50/50 (so approx 25 machines need to be separated).
For reasons of assuring certain people of security, I need to create a new domain for the dept to be separated. Users in this domain need to be able to access resources on the other domain. I am not sure whether I need to create a child domain in the existing domain, or a new domain altogether and form a trust between them? As both companies are logistically equal (one is not a parent company of another), I am not sure of creating a child domain, but on the other hand I think that what I want to achieve will be more difficult with entirely separate domains. Any advice on this?
Secondly, for either method, how are users physically moved to the new domain? Is AD dragging-and-dropping possible across domains? Also, how can I split Exchange 2003 up to provide email to the different companies but keeping them separate, so they do not share address lists etc - or am I being too hopeful, and need a new Exchange server!...?
My main points of uncertainty are (1) how to separate, (2) trusts and default trusts (depending on the option taken in (1)), (3) moving over the objects and (4) tying this all in with Exchange.
I know this is a very taxing question so it is worth 1000 points - I will make a second token question for the most helpful expert(s) worth the other 500.
We also run SharePoint for the two companies - I fear that this will be the most tricky thing to split up. SQL Server runs on one of the member servers and this needs to be accessible by both companies too.