Hurel
asked on
Separate domain from Forest
In our current AD forest we have an empty root domain (UK.COM) and two child domains (A.UK.COM and B.UK.COM).
We need to separate one of the child domains (B.UK.COM) as it is no longer part of the business.
1. What will happen if we just sever the link from UK.COM to B.UK.COM?
2. How long will B.UK.COM function without access to UK.COM?
3. Is it possible to separate B.UK.COM without migrating everything to a new domain?
4. Anything else that would be helpful in the situation?
If you need any more info, please let me know.
Cheers
Hurel
SOLUTION
This solution is only available to members.
ASKER
Any idea on questions one and two?
thanks
ASKER
Just read the article in your link, JimboEfx.
The domain would still need to be in its own forest even if it was the root?
SOLUTION
This solution is only available to members.
The rename tool only creates a new tree-root with dependencies on the forest root still if I read this correctly...
To be honest I think the safest path is ADMT migration into a new domain.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
As I posted above before you rightly pointed out my initial statement as incorrect, I re-read, and this time properly. The child domain becomes a tree root, not a new forest root.
Just wondering aloud - but while we have so many great minds I wonder about the feasibility of:
Let's get it out of the way first - this would not be supported or recommended for that matter, I just want a discussion on it.
If you could ensure physical separation of the child domain from the rest of the network:
-Add additional root domain DC
-Add additional child DC
-Make sure DNS is installed and all objects replicated
Physically separate from original network.
Clean up in orphaned network to remove all references of separated DCs.
Seize FSMO roles.
Promote new DC in separated forest root for resiliency.
Clear forest root of any accounts not needed.
Possible domain rename at this point?
In original network clean up references of the additional DCs now disconnected.
Some steps may be missing - but hypothetically?
What you just outlined is actually pretty common in an organization that does a lot of acquisitions and divestitures, and is one of the only remaining scenarios in which an empty forest root domain is good design sense. If I am the parent company company.com and I have just sold a holding with a domain of child.company.com, I hand the new owners of CHILD a root DC from company and a child DC from CHILD as you describe (obviously after scrubbing the root domain of any unnecessary accounts and changing all sensitive user account passwords), and send the new owners of CHILD on their merry way.
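For the split discussed in the two posts above (an extra root DC and an extra child DC moved to an isolated network, followed by role seizure and cleanup), a read-only inventory such as the following shows which FSMO roles and DC objects the isolated side still attributes to machines left behind, and which root-domain privileged accounts need review. It is an added example, not code from the thread; the host names in `$keptDCs` are hypothetical, and it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, read-only. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Hypothetical names: the two extra DCs that were built and moved to the isolated network.
$keptDCs = 'rootdc2.uk.com', 'bdc2.b.uk.com'

$forest = Get-ADForest -Identity 'UK.COM'

# Forest-wide FSMO roles are held in the root domain.
$roles = @(
    [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)
$dcs = @()

foreach ($name in $forest.Domains) {
    try {
        $d = Get-ADDomain -Identity $name -Server $name -ErrorAction Stop
        foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Domain = $name; Role = $r; Holder = $d.$r }
        }
        # Lists every DC object in the directory, including DCs that are no longer reachable.
        $dcs += Get-ADDomainController -Filter * -Server $name |
            Select-Object Domain, HostName, Site, IsGlobalCatalog
    } catch {
        # No DC for this domain answers from here (expected for A.UK.COM after the split).
        Write-Warning "No reachable DC for ${name}: $($_.Exception.Message)"
    }
}

'--- FSMO roles held by DCs that were left behind (candidates for seizure) ---'
$roles | Where-Object { $_.Holder -notin $keptDCs } | Format-Table -AutoSize

'--- DC objects that still need cleanup on this side ---'
$dcs | Where-Object { $_.HostName -notin $keptDCs } | Format-Table -AutoSize

'--- Root-domain privileged accounts to review or reset before handover ---'
$privileged = foreach ($g in 'Enterprise Admins', 'Schema Admins', 'Domain Admins') {
    Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$privileged | Format-Table -AutoSize
```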
ASKER
So if I get a copy of the empty root domain, my child domain will continue to work OK?
Could I then rename my child to make it the root domain?
> "So if I get a copy of the empty root domain, my child domain will continue to work OK?"
Correct.
> "Could I then rename my child to make it the root domain?"
No, as stated above. If you wish to restructure the child domain so that it becomes the root domain of its own forest, a migration is necessary.
ASKER
Thanks for the answers, chaps. Looks like the separation is not going to happen now!
I've just divided the points between you. Hope that is OK.
Cheers
You must set up a new forest and migrate your accounts, groups and PCs.
Regards