Solved

Separate domain from Forest

Posted on 2007-11-28
Last Modified: 2010-07-27

In our current AD forest we have an empty root domain (UK.COM) and two child domains (A.UK.COM and B.UK.COM).

We need to separate one of the child domains (B.UK.COM) as it is no longer part of the business.

1. What will happen if we just sever the link from UK.COM to B.UK.COM?
2. How long will B.UK.COM function without access to UK.COM?
3. Is it possible to separate B.UK.COM without migrating everything to a new domain?
4. Anything else that would be helpful in the situation?

If you need any more info please let me know


Cheers

Hurel
Question by: Hurel
LVL 15

Assisted Solution

by:JimboEfx
JimboEfx earned 40 total points
ID: 20365376
Consider a domain rename to move the child domain so that it becomes its own root:

http://technet2.microsoft.com/windowsserver/en/library/996741d8-28e4-4d20-9949-8f17fb9d3cfd1033.mspx?mfr=true
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 20365395
Hi, you can't separate a child domain from a forest.
You must setup a new forest and migrate your accounts, groups and pcs.

Regards
 

Author Comment

by:Hurel
ID: 20365422
Any idea on questions one and two?

thanks
 

Author Comment

by:Hurel
ID: 20365563
Just read the article in your link, JimboEfx.

The domain would still need to be in its own forest even if it was the root?
 
LVL 10

Assisted Solution

by:Walter Padrón
Walter Padrón earned 40 total points
ID: 20365567
Q1 - Nothing happens, the child domain will continue working (see Q2).

Q2 - It is difficult to say, but certainly it will stop working, or you can't do certain tasks, or you may get unexpected behaviours.
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20365629
The rename tool only creates a new tree-root with dependencies on the forest root still if I read this correctly...  

To be honest I think the safest path is ADMT migration into a new domain.
 
LVL 30

Accepted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 45 total points
ID: 20365683
> "Consider a domain rename to move the child domain so that it becomes its own root"

Incorrect.  Domain rename cannot perform any kind of "prune and graft" to sever a child domain so that it becomes the root of its own forest.  This is actually referenced in the link above:

"In a Windows Server 2003 forest, you cannot:

• Change which domain is the forest root domain. Changing the DNS name or the NetBIOS name (or both) of the forest root domain is supported.
 
• Drop domains from the forest or add domains to the forest. The number of domains in the forest before and after the domain rename and restructuring operation must remain the same.
 
• Rename a domain with a name that was taken from another domain in a single domain rename and restructuring operation."

To the OP's questions:

1. What will happen if we just sever the link from UK.COM to B.UK.COM?

B.UK.COM will no longer be able to replicate the Schema and Configuration NCs, which are replicated forest-wide.  The domain controller will throw up errors like crazy trying to replicate with its forest root.

2. How long will B.UK.COM function without access to UK.COM?

Hard to say, since what you're describing is not recommended (and probably not supported) by Microsoft.   Off the top of my head you would be unable to perform any actions requiring Enterprise Admin or Schema admin permissions, since these security groups only exist in the forest root domain by default and will no longer be accessible to the child.

3. Is it possible to separate B.UK.COM without migrating everything to a new domain?

Not in a supported fashion; AD does not possess the kind of prune and graft functionality that you're describing without performing a migration from one domain to another.
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20365830
As I posted above, before you rightly pointed out that my initial statement was incorrect, I re-read it, and this time properly. The child domain becomes a tree root, not a new forest root.

Just wondering aloud - but while we have so many great minds, I wonder about the feasibility of:

Let's get it out of the way first - this would not be supported or recommended for that matter, I just want a discussion on it.

If you could ensure physical separation of the child domain from the rest of the network:
- Add an additional root domain DC
- Add an additional child DC
- Make sure DNS is installed and all objects replicated

Physically separate from the original network.

Clean up in the orphaned network to remove all references to the separated DCs.
Seize FSMO roles.
Promote a new DC in the separated forest root for resiliency.
Clear the forest root of any accounts not needed.
Possible domain rename at this point?

In the original network, clean up references to the additional DCs now disconnected.

Some steps may be missing - but hypothetically?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20365865
What you just outlined is actually pretty common in an organization that does a lot of acquisitions and divestitures, and is one of the only remaining scenarios in which an empty forest root domain is good design sense.  If I am the parent company company.com and I have just sold a holding with a domain of child.company.com, I hand the new owners of CHILD a root DC from company and a child DC from CHILD as you describe (obviously after scrubbing the root domain of any unnecessary accounts and changing all sensitive user account passwords), and send the new owners of CHILD on their merry way.
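Added example, not from the thread: a PowerShell pre-handover audit of the empty forest root, covering the "seize FSMO roles" and "clear the forest root of unneeded accounts" steps JimboEfx sketches and the scrubbing LauraEHunterMVP describes. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT, PowerShell 3 or later), which post-dates this 2007 thread, and reuses the thread's UK.COM forest name; it goes one step beyond the posts by also resetting the root domain's krbtgt key, since the DC that is handed over carries a copy of it.

```powershell
# Added example (not from the thread): audit the empty forest root before a root DC
# leaves with the divested child. Assumes the ActiveDirectory module and that the
# account running it can read the root domain; UK.COM is the thread's forest name.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'UK.COM'
$root   = Get-ADDomain -Identity $forest.RootDomain

# 1. Current FSMO role holders. Both halves of the split end up with roles whose
#    holder is on the other side of the cut, so both must seize them afterwards.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $root.PDCEmulator
    RIDMaster            = $root.RIDMaster
    InfrastructureMaster = $root.InfrastructureMaster
} | Format-List

# 2. Every (nested) member of the root domain's privileged groups. These
#    identities and their secrets travel with the handed-over DC, so each one
#    must be removed or have its password reset before the DC is given away.
$privGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Server $root.PDCEmulator -Recursive |
        Select-Object @{n = 'Group'; e = { $g }}, Name, objectClass, distinguishedName
}
$members | Sort-Object Group, Name | Format-Table -AutoSize

# 3. Enabled users in the root other than the built-ins. An empty root should
#    have almost none; anything listed needs an explicit keep/remove decision.
Get-ADUser -Filter 'Enabled -eq $true' -Server $root.PDCEmulator -Properties PasswordLastSet |
    Where-Object { $_.SamAccountName -notin 'Administrator', 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName |
    Format-Table -AutoSize

# 4. Rotate the root domain's krbtgt key (run twice, letting replication finish
#    in between) so tickets issued under the key the other party now holds stop
#    being honoured. Left in -WhatIf mode; remove it to perform the reset.
$newPw = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
Set-ADAccountPassword -Identity 'krbtgt' -Server $root.PDCEmulator -Reset -NewPassword $newPw -WhatIf
```

Run it against the original forest before the physical separation and again in each resulting forest afterwards; the second run in the original network should show none of the handed-over accounts remaining.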
 

Author Comment

by:Hurel
ID: 20365948
So if I get a copy of the empty root domain my child domain will continue to work OK?
Could I then rename my child to make it the root domain?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20366098
> "so if a get a copy of the empty root domain my child domain will continue to work OK?"

Correct.

> "Could I then rename my child to make it the root domain?"

No, as stated above.  If you wish to restructure the child domain so that it becomes the root domain of its own forest, a migration is necessary.
 

Author Closing Comment

by:Hurel
ID: 31411403
Thanks for the answers, chaps. Looks like the separation is not going to happen now!

I've just divided the points between you. Hope that is OK.

cheers
