

Separate domain from Forest

Posted on 2007-11-28
Medium Priority
Last Modified: 2010-07-27
Separate domain from forest

In our current AD forest we have an empty root domain (UK.COM) and two child domains (A.UK.COM and B.UK.COM).

We need to separate one of the child domains (B.UK.COM) as it is no longer part of the business.

1. What will happen if we just sever the link from UK.COM to B.UK.COM?
2. How long will B.UK.COM function without access to UK.COM?
3. Is it possible to separate B.UK.COM without migrating everything to a new domain?
4. Anything else that would be helpful in the situation?

If you need any more info please let me know


Question by:Hurel
LVL 15

Assisted Solution

JimboEfx earned 120 total points
ID: 20365376
Consider a domain rename to move the child domain so that it becomes its own root:

LVL 10

Expert Comment

by:Walter Padrón
ID: 20365395
Hi, you can't separate a child domain from a forest.
You must setup a new forest and migrate your accounts, groups and pcs.


Author Comment

ID: 20365422
Any idea on questions one and two?



Author Comment

ID: 20365563
Just read the article in your link JimboEfx

The domain would still need to be in its own forest even if it was the root?
LVL 10

Assisted Solution

by:Walter Padrón
Walter Padrón earned 120 total points
ID: 20365567
Q1 - Nothing happens, the child domain will continue working (see Q2)

Q2 - It is difficult to say, but certainly it will stop working, or you can't do certain tasks, or you may get unexpected behaviours.
LVL 15

Expert Comment

ID: 20365629
The rename tool only creates a new tree-root with dependencies on the forest root still if I read this correctly...

To be honest I think the safest path is ADMT migration into a new domain.
LVL 30

Accepted Solution

LauraEHunterMVP earned 135 total points
ID: 20365683
> "Consider a domain rename to move the child domain so that it becomes its own root"

Incorrect.  Domain rename cannot perform any kind of "prune and graft" to sever a child domain so that it becomes the root of its own forest.  This is actually referenced in the link above:

"In a Windows Server 2003 forest, you cannot:

• Change which domain is the forest root domain. Changing the DNS name or the NetBIOS name (or both) of the forest root domain is supported.
• Drop domains from the forest or add domains to the forest. The number of domains in the forest before and after the domain rename and restructuring operation must remain the same.
• Rename a domain with a name that was taken from another domain in a single domain rename and restructuring operation."

To the OP's questions:

1. What will happen if we just sever the link from UK.COM to B.UK.COM?

B.UK.COM will no longer be able to replicate the Schema and Configuration NCs, which are replicated forest-wide.  The domain controller will throw up errors like crazy trying to replicate with its forest root.

2. How long will B.UK.COM function without access to UK.COM?

Hard to say, since what you're describing is not recommended (and probably not supported) by Microsoft.   Off the top of my head you would be unable to perform any actions requiring Enterprise Admin or Schema Admin permissions, since these security groups only exist in the forest root domain by default and will no longer be accessible to the child.

3. Is it possible to separate B.UK.COM without migrating everything to a new domain?

Not in a supported fashion; AD does not possess the kind of prune and graft functionality that you're describing without performing a migration from one domain to another.
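As an added illustration of the dependencies described in this answer (this is not code from the thread or from any poster), the PowerShell below reads, from a child-domain DC, the forest-wide partitions it holds replicas of, where the forest-wide FSMO roles live, and whether the root-only groups are still reachable. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later, so newer than this thread) and a placeholder DC name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell
# module and a machine joined to the child domain with rights to read AD.
# 'dc1.b.uk.com' is a placeholder host name.
Import-Module ActiveDirectory

function Get-ForestRootDependencies {
    param(
        [Parameter(Mandatory)] [string] $ChildDC   # placeholder, e.g. 'dc1.b.uk.com'
    )

    # RootDSE of the child DC lists the naming contexts that DC holds.
    $rootDse = Get-ADRootDSE -Server $ChildDC
    $forest  = Get-ADForest  -Server $ChildDC
    $domain  = Get-ADDomain  -Server $ChildDC

    # Schema and Configuration NCs hang under the forest root's DN, not the
    # child's default NC: they are the forest-wide partitions the child keeps
    # replicating from the root and loses once the link is cut.
    $forestWideNCs = @(
        [pscustomobject]@{ Partition = 'Schema';        DN = $rootDse.schemaNamingContext }
        [pscustomobject]@{ Partition = 'Configuration'; DN = $rootDse.configurationNamingContext }
    )

    # The two forest-wide operations master roles normally sit on root-domain DCs.
    $forestWideRoles = @(
        [pscustomobject]@{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )

    # Enterprise Admins and Schema Admins exist only in the root domain, so they
    # must be read from a root DC. If the root is unreachable this fails, which is
    # exactly the effect the answer above describes.
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $rootOnlyGroups = foreach ($g in 'Enterprise Admins', 'Schema Admins') {
        try {
            $members = Get-ADGroupMember -Identity $g -Server $rootDomain.PDCEmulator -ErrorAction Stop
            [pscustomobject]@{ Group = $g; Reachable = $true;  MemberCount = @($members).Count }
        } catch {
            [pscustomobject]@{ Group = $g; Reachable = $false; MemberCount = $null }
        }
    }

    [pscustomobject]@{
        ChildDomain     = $domain.DNSRoot
        ParentDomain    = $domain.ParentDomain
        ForestRoot      = $forest.RootDomain
        ChildDefaultNC  = $rootDse.defaultNamingContext
        ForestWideNCs   = $forestWideNCs
        ForestWideRoles = $forestWideRoles
        RootOnlyGroups  = $rootOnlyGroups
        RootReachable   = (@($rootOnlyGroups | Where-Object Reachable).Count -eq @($rootOnlyGroups).Count)
    }
}

Get-ForestRootDependencies -ChildDC 'dc1.b.uk.com' | Format-List
```

Run it once while the link to UK.COM is up and once with it blocked: the partition and role information still comes back (it is cached on the child DC), but the root-only group lookups fail, which is the practical meaning of "the child cannot perform Enterprise Admin or Schema Admin tasks".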
LVL 15

Expert Comment

ID: 20365830
As I posted above, before you rightly pointed out that my initial statement was incorrect, I re-read it, and this time properly. The child domain becomes a tree-root, not a new forest root.

Just wondering aloud - but while we have so many great minds I wonder about the feasibility of:

Let's get it out of the way first - this would be not supported or recommended for that matter, I just want a discussion on it.

If you could ensure physical separation of the child domain from the rest of the network:
-Add additional root domain DC
-Add additional child DC
-Make sure DNS is installed and all objects replicated

Physically separate from original network.

Clean up in orphaned network to remove all references of separated DCs.
Seize FSMO roles.
Promote new DC in separated forest root for resiliency.
Clear forest root of any accounts not needed.
Possible domain rename at this point?

In original network clean up references of the additional DCs now disconnected.

Some steps may be missing - but hypothetically?
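As an added example (not from this poster or anyone in the thread), here is the verification-and-seizure part of the sketch above in PowerShell: confirm that the DCs which will leave hold converged replicas of every partition and have DNS installed before the cable is pulled, then, on the separated side, seize the forest-wide and domain-wide roles onto the surviving DCs and list the server objects left behind for metadata cleanup. It assumes the ActiveDirectory module and uses placeholder DC names; the procedure it supports is the unsupported one the poster describes.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
# 'rootdc2.uk.com' and 'bdc2.b.uk.com' are placeholder names for the extra
# root-domain DC and child-domain DC that will travel with the separated network.
Import-Module ActiveDirectory

# Before disconnecting: every inbound partner/partition pair on each leaving DC
# must have replicated recently with no consecutive failures, and DNS must be present.
function Test-ReadyToSeparate {
    param(
        [Parameter(Mandatory)] [string[]] $LeavingDCs,
        [int] $MaxAgeMinutes = 60
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    foreach ($dc in $LeavingDCs) {
        $meta  = Get-ADReplicationPartnerMetadata -Target $dc -Partition * -PartnerType Inbound
        $stale = @($meta | Where-Object {
            $_.LastReplicationSuccess -lt $cutoff -or $_.ConsecutiveReplicationFailures -gt 0
        })
        # Get-Service -ComputerName is Windows PowerShell (5.1); absent service means no DNS role.
        $dns = Get-Service -ComputerName $dc -Name DNS -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                = $dc
            PartitionsChecked = @($meta | Select-Object -ExpandProperty Partition -Unique).Count
            StalePairs        = $stale.Count
            DnsInstalled      = ($null -ne $dns)
            Ready             = ($stale.Count -eq 0 -and $null -ne $dns)
        }
    }
}

# After physical separation: the original role holders are unreachable, so the
# roles are seized (-Force) rather than transferred. Forest-wide roles plus the
# root domain's own roles go to the surviving root DC; the child's three
# domain-wide roles go to the surviving child DC.
function Invoke-SeizeSeparatedRoles {
    param(
        [Parameter(Mandatory)] [string] $RootDC,
        [Parameter(Mandatory)] [string] $ChildDC
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $RootDC `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force
    Move-ADDirectoryServerOperationMasterRole -Identity $ChildDC `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force
}

# Both networks now carry references to DCs they will never see again. This lists
# the server objects in the Configuration NC that are not among the DCs still
# present, i.e. the candidates for ntdsutil "metadata cleanup" on this side.
function Get-OrphanedDcServerObjects {
    param([Parameter(Mandatory)] [string] $Server)
    $cfg     = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $present = Get-ADDomainController -Filter * -Server $Server | Select-Object -ExpandProperty Name
    Get-ADObject -Server $Server -SearchBase "CN=Sites,$cfg" -Filter 'objectClass -eq "server"' |
        Where-Object { $present -notcontains $_.Name } |
        Select-Object Name, DistinguishedName
}

# Usage (placeholders): run the readiness check on the connected network, then,
# once the separated network is up, seize roles and review orphaned server objects.
Test-ReadyToSeparate -LeavingDCs 'rootdc2.uk.com', 'bdc2.b.uk.com' | Format-Table -AutoSize
# Invoke-SeizeSeparatedRoles -RootDC 'rootdc2.uk.com' -ChildDC 'bdc2.b.uk.com'
# Get-OrphanedDcServerObjects -Server 'rootdc2.uk.com'
```

The seizure call is commented out in the usage section because it is irreversible on the side it runs on; the readiness check and the orphan listing are read-only and safe to run repeatedly.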
LVL 30

Expert Comment

ID: 20365865
What you just outlined is actually pretty common in an organization that does a lot of acquisitions and divestitures, and is one of the only remaining scenarios in which an empty forest root domain is good design sense.  If I am the parent company company.com and I have just sold a holding with a domain of child.company.com, I hand the new owners of CHILD a root DC from company and a child DC from CHILD as you describe (obviously after scrubbing the root domain of any unnecessary accounts and changing all sensitive user account passwords), and send the new owners of CHILD on their merry way.

Author Comment

ID: 20365948
So if I get a copy of the empty root domain my child domain will continue to work OK?
Could I then rename my child to make it the root domain?
LVL 30

Expert Comment

ID: 20366098
> "So if I get a copy of the empty root domain my child domain will continue to work OK?"


> "Could I then rename my child to make it the root domain?"

No, as stated above.  If you wish to restructure the child domain so that it becomes the root domain of its own forest, a migration is necessary.

Author Closing Comment

ID: 31411403
Thanks for the answers chaps. Looks like the separation is not going to happen now!

I've just divided the points between you. Hope that is OK

