Need to logically separate out an existing domain into two, but allow trust between the domains

Posted on 2006-11-29
Medium Priority
Last Modified: 2010-04-13
I am involved in a project which includes a dept of the existing company "breaking off" and becoming separate. This dept is currently in its own OU in the domain. There are two W2003 domain controllers which replicate to provide redundancy, and various other services are arranged over two member servers. There are 50 machines in the network running Windows XP SP2 and the split will be roughly 50/50 (so approx 25 machines need to be separated).

For reasons of assuring certain people of security, I need to create a new domain for the dept to be separated. Users in this domain need to be able to access resources on the other domain. I am not sure whether I need to create a child domain in the existing domain, or a new domain altogether and form a trust between them? As both companies are logistically equal (one is not a parent company of the other), I am not sure about creating a child domain, but on the other hand I think that what I want to achieve will be more difficult with entirely separate domains. Any advice on this?

Secondly, for either method, how are users physically moved to the new domain? Is AD dragging-and-dropping possible across domains? Also, how can I split exchange 2003 up to provide email to the different companies but keeping them separate, so they do not share address lists etc - or am I being too hopeful, and need a new exchange server!...?

My main points of uncertainty are (1) how to separate, (2) trusts and default trusts (depending on the option taken in (1)), (3) moving over the objects and (4) tying this all in with Exchange.

I know this is a very taxing question so it is worth 1000 points - I will make a second token question for the most helpful expert(s) worth the other 500.

We also run SharePoint for the two companies - I fear that this will be the most tricky thing to split up. SQL Server runs on one of the member servers and this needs to be accessible by both companies too.
Question by:rgford

Accepted Solution

Drizzt420 earned 2000 total points
ID: 18037903
Active Directory is designed to conform to your needs, not the other way around; a child domain would probably be the best and easiest way to go. In this case, the relation between the two companies neither favors nor rules out "child domain vs. a new domain". You could have accounting.company.local or totallydifferentbusiness.company.local

Will the users being moved to the new domain be getting new email addresses, or will they keep their old ones?
If you go with the child domain solution, you shouldn't need to add another Exchange server (although you will have to run "domainprep" in the child domain)

If you configure DNS correctly and follow group nesting best practices it really shouldn't be that difficult; parent/child domains will already have all of the trusts that you need.

As far as moving things around, check out the free utility, "Active Directory Migration Tool", below:



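The trust question above is where the security trade-off really sits, so here is an added example (not part of the accepted answer, and not something the 2003-era environment in the thread could run as-is): a PowerShell script that enumerates the trusts a domain already has and flags the ones that do not meet the "start with nothing and build up" goal, followed by the netdom commands that build a one-way external trust with SID filtering and selective authentication. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) and uses the placeholder domain names acme.local and newco.local; both are assumptions, not details from the page.

```powershell
# Added example, not code from the original thread.
# Assumes: RSAT ActiveDirectory module available; domain names acme.local (the
# existing company) and newco.local (the department being split off) are placeholders.
Import-Module ActiveDirectory

# TrustAttributes bit flags as documented for the trustedDomain object.
$TRUST_ATTRIBUTE_NON_TRANSITIVE   = 0x01
$TRUST_ATTRIBUTE_QUARANTINED      = 0x04   # SID filtering
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08
$TRUST_ATTRIBUTE_WITHIN_FOREST    = 0x20   # parent/child or tree-root trust

function Get-TrustPosture {
    # Summarise every trust the given domain holds, with the security-relevant
    # properties pulled out of TrustAttributes and the cmdlet's own fields.
    param([string]$Server = $env:USERDNSDOMAIN)

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $attr = [int]$_.TrustAttributes
        [pscustomobject]@{
            Trust         = $_.Name
            Direction     = $_.Direction            # Inbound, Outbound or BiDirectional
            WithinForest  = [bool]($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)
            ForestTrans   = [bool]($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
            NonTransitive = [bool]($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SIDFiltering  = [bool]$_.SIDFilteringQuarantined   # drops foreign SIDs carried in sIDHistory
            SelectiveAuth = [bool]$_.SelectiveAuthentication   # access requires "Allowed to Authenticate"
        }
    }
}

function Test-TrustPosture {
    # Emit one finding per trust that is broader than a tightly scoped external trust.
    param([Parameter(Mandatory)] $Trusts)

    foreach ($t in $Trusts) {
        if ($t.WithinForest) {
            "$($t.Trust): intra-forest (parent/child) trust. Two-way and transitive by design; " +
            "it cannot be narrowed, so every user of the other domain authenticates to this one."
        }
        elseif (-not $t.SIDFiltering) {
            "$($t.Trust): SID filtering is off. An admin in the trusted domain can inject this " +
            "domain's SIDs through sIDHistory and gain access it was never granted."
        }
        elseif (-not $t.SelectiveAuth) {
            "$($t.Trust): domain-wide authentication. Every trusted user becomes Authenticated Users " +
            "on every server here; switch to selective authentication and grant Allowed to Authenticate per server."
        }
        elseif ($t.Direction -eq 'BiDirectional') {
            "$($t.Trust): two-way. If only one side needs access to the other, recreate it one-way."
        }
    }
}

# Audit what exists today on the existing company's domain.
Test-TrustPosture -Trusts (Get-TrustPosture -Server acme.local)

# Once newco.local is a separate forest, build the narrowest trust that satisfies the
# requirement "NewCo users access Acme resources": acme.local trusts newco.local,
# one-way, non-transitive, SID filtering on, selective authentication on.
# Syntax: netdom trust <TrustingDomain> /d:<TrustedDomain> ...
# /PasswordD:* prompts for the newco.local credential instead of putting it on the command line.
netdom trust acme.local /d:newco.local /add /UserD:NEWCO\Administrator /PasswordD:* /Quarantine:Yes /SelectiveAUTH:Yes

# Confirm the secure channel is healthy before granting anyone access across it.
netdom trust acme.local /d:newco.local /verify
```

With selective authentication on, nothing works across the trust until a NewCo group is given the "Allowed to Authenticate" permission on each Acme server (or file/SQL host) it needs, which is the "build up from nothing" model the asker describes. A parent/child domain, by contrast, gets a two-way transitive trust automatically and the script will report it as such.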
Author Comment

ID: 18039188
Thanks for the advice RE the domain. I am apprehensive about the parent-child setup simply because of how I have to document and present this to management who have very little understanding of it and will see newCo.Acme.local being logically "below" Acme.local, and will question this. From my own point of view, this also creates default trust in one direction, and when it comes to inter-domain communication I would rather start with nothing and build up, than something and build down.

RE email addresses - there is an Exchange default string (can't remember the name of those exactly, I hope you know what I mean!) which builds SMTP addresses for people in active directory based on the OU they get put into. I would have to edit this for the new scenario but this isn't too much of a problem.

RE Exchange - so if I'm using a separate domain (even with a trust between them in the Enterprise), I must use separate Exchange servers? If so, this may be the things which brings me round to the child-parent plan. If I go parent-child, how will Exchange cope? What about shared public folders (calendar and contact lists exist), isolating address lists, etc? The users need to feel that they are separated.
