Solved

Need to logically separate-out existing domain to separate but allow trust between domains

Posted on 2006-11-29
Last Modified: 2010-04-13
I am involved on a project which includes a dept of the existing company "breaking off" and becoming separate. This dept is currently in its own OU in the domain. There are two W2003 domain controllers which replicate to provide redundancy and various other services arranged over two member servers. There are 50 machines in the network running Windows XP SP2 and the split will be roughly 50/50 (so approx 25 machines need to be separated).

For reasons of assuring certain people of security, I need to create a new domain for the dept to be separated. Users in this domain need to be able to access resources on the other domain. I am not sure whether I need to create a child domain in the existing domain, or a new domain altogether and form a trust between them? As both companies are logistically equal (one is not a parent company of another), I am not sure of creating a child domain, but on the other hand I think that what I want to achieve will be more difficult with entirely separate domains. Any advice on this?

Secondly, for either method, how are users physically moved to the new domain? Is AD dragging-and-dropping possible across domains? Also, how can I split Exchange 2003 up to provide email to the different companies but keeping them separate, so they do not share address lists etc - or am I being too hopeful, and need a new Exchange server!...?

My main points of uncertainty are (1) how to separate, (2) trusts and default trusts (depending on the option taken in (1)), (3) moving over the objects and (4) tying this all in with Exchange.

I know this is a very taxing question so it is worth 1000 points - I will make a second token question for the most helpful expert(s) worth the other 500.

Thanks
We also run SharePoint for the two companies - I fear that this will be the most tricky thing to split up. SQL Server runs on one of the member servers and this needs to be accessible by both companies too.
Question by:rgford

Accepted Solution

by:
Drizzt420 earned 500 total points
ID: 18037903
Active directory is designed to conform to your needs, not the other way around, a child domain would probably be the best and easiest way to go. In this case, the relation between the two companies neither favors nor rules out "child domain vs. a new domain". You could have accounting.company.locl or totallydifferentbusiness.company.locl

Will the users being moved to the new domain be getting new email addresses, or will they keep their old ones?
If you go with the child domain solution, you shouldn't need to add another Exchange server (although you will have to run "domainprep" in the child domain)

If you configure DNS correctly and follow group nesting best practices it really shouldn't be that difficult; parent/child domains will already have all of the trusts that you need.

As far as moving things around, check out the free utility, "Active directory Migration tool" below:

http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en


Author Comment

by:rgford
ID: 18039188
Thanks for the advice RE the domain. I am apprehensive about the parent-child setup simply because of how I have to document and present this to management who have very little understanding of it and will see newCo.Acme.local being logically "below" Acme.local, and will question this. From my own point of view, this also creates default trust in one direction, and when it comes to inter-domain communication I would rather start with nothing and build up, than something and build down.

RE email addresses - there is an Exchange default string (can't remember the name of those exactly, I hope you know what I mean!) which builds SMTP addresses for people in active directory based on the OU they get put into. I would have to edit this for the new scenario but this isn't too much of a problem.

RE Exchange - so if I'm using a separate domain (even with a trust between them in the Enterprise), I must use separate Exchange servers? If so, this may be the thing which brings me round to the child-parent plan. If I go parent-child, how will Exchange cope? What about shared public folders (calendar and contact lists exist), isolating address lists, etc? The users need to feel that they are separated.
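Whichever option is chosen, the trusts that actually exist should be reviewed against what management was told, since a parent/child domain carries an implicit two-way transitive trust while a separate domain starts with none. The following is an added example (not from either poster) that lists every trust on a domain and flags the settings that widen it; it assumes the RSAT ActiveDirectory PowerShell module, which post-dates the Windows 2003 setup in the question, and the default domain name is only a placeholder.

```powershell
# Added example, not part of the thread. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read trust objects in the domain.
Import-Module ActiveDirectory

function Get-TrustReview {
    param(
        # Domain to query; placeholder default, replace with e.g. acme.local
        [string]$Server = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $notes = @()

        # Parent/child (intra-forest) trusts are two-way and transitive by
        # default: the "something and build down" case the author describes.
        if ($_.IntraForest) {
            $notes += 'intra-forest: implicit two-way transitive trust'
        }
        if ($_.Direction -eq 'BiDirectional') {
            $notes += 'two-way trust'
        }
        # Without selective authentication, every user in the trusted domain
        # can authenticate to every resource server in the trusting domain.
        if (-not $_.SelectiveAuthentication) {
            $notes += 'domain-wide authentication (no selective auth)'
        }
        # SID filtering quarantine limits which SIDs the trusted side may assert.
        if (-not $_.SIDFilteringQuarantined) {
            $notes += 'SID filtering quarantine off'
        }

        [pscustomobject]@{
            Source    = $_.Source
            Target    = $_.Target
            Direction = $_.Direction
            TrustType = $_.TrustType
            Findings  = ($notes -join '; ')
        }
    }
}

# Run against the current domain and print one row per trust.
Get-TrustReview | Format-Table -AutoSize
```

A separate domain with a one-way, non-transitive external trust and selective authentication is the "start with nothing and build up" baseline; anything this report flags is a deliberate widening that should be documented.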
