What is "best practice" for transferring ownership of a member server to another organisation when the server has to stay in your network?

Dear Xperts,

I have asked this question before but I just need to make absolutely sure that I am taking the "best route".

We have a couple of servers running apps.  Another company wants to take contractual ownership / support of these servers and I need to work out the best way of giving this organisation admin access to these servers.  The problem is that these servers have to stay on our network (i.e. our physical network) and they are both in OUR domain (forest) at the moment.

The options I was considering were as follows:

a) disjoin both member servers from our domain and put them into a workgroup + remove our local admin account and enable remote desktop access to the other company on both boxes (with a local admin account that they can use) - job done - we would lose access and they would gain it, right?

b) keep both servers in our domain - but create a new OU in our AD and move both computer accounts into this OU.  Then delegate control of this OU (and the objects within it) to the other organisation.

Which option sounds best?  If we go for B) then isn't there a risk that the other company would be able to access our domain?  Which option is the "cleanest" and adheres to MS "best practice"?

Thanks experts, as always :-)


Hi richardstuartpowell,

Option A is the only way you can give the other company access without security issues to your own network. It will also mean that the clients inside your network won't be able to communicate with these servers.

richardstuartpowell (Author) Commented:
Hi JoWickerman

That sounds great - so option A is the best route.  One more thing however, you added "It will also mean that the clients inside your network won't be able to communicate with these servers." - is there a risk that the apps these servers run will stop working?

I believe that one is running some kind of A/V update service.  This won't use domain account authentication though, will it?

I was thinking of just suggesting option A and letting the other company work it out!

Well... Technically, AV update should not be a problem. Other programs that need to authenticate might be an issue...

LOL! Yeah, if they want to maintain the servers, let them sort out any issues that appear!

As JoWickerman states, option A is the safest as far as security goes - but it also means that your domain clients (computers) will not be able to access anything on these servers, which I suspect is unacceptable. Can you not give this company (presumably a trusted partner) an AD account with which to control the servers, but nothing else in the domain? That is fairly standard practice in these types of scenarios.

Create an AD account that is locked so that it can only log on to these two servers. Ensure that it has no permissions on any other servers.
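One way to build the locked-down account JaredJ1 describes, as an added example that is not part of the thread: the account is created in its own OU, restricted via the "Log On To" attribute to the two handed-over servers, and made a local administrator on those two hosts only. Server names, the OU path, the account name and the CORP domain are assumptions.

```powershell
# Added example, not from the original thread. Assumed names throughout.
Import-Module ActiveDirectory

$Servers  = @('APPSRV01', 'APPSRV02')                # assumed: the two handed-over servers
$Account  = 'svc-partner-admin'                      # assumed partner support account
$OuPath   = 'OU=Partner Managed,DC=corp,DC=example'  # assumed OU for the transferred objects
$Password = Read-Host -AsSecureString -Prompt 'Initial password'

# 1. Create the account and restrict where it may log on.
#    -LogonWorkstations populates userWorkstations; the domain controller
#    refuses interactive logon from any host not in the list.
New-ADUser -Name $Account -SamAccountName $Account `
    -Path $OuPath -AccountPassword $Password -Enabled $true `
    -LogonWorkstations ($Servers -join ',') `
    -ChangePasswordAtLogon $true `
    -Description 'Partner support account; permitted on APPSRV01/APPSRV02 only'

# 2. Grant local admin and RDP rights on the two servers only. This uses
#    the servers' local groups, so no domain-level group is touched.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Acct)
    Add-LocalGroupMember -Group 'Administrators'        -Member "CORP\$Acct"
    Add-LocalGroupMember -Group 'Remote Desktop Users'  -Member "CORP\$Acct"
} -ArgumentList $Account

# 3. Verify the result: the workstation list should name exactly the two
#    servers, and the account should hold no domain group memberships
#    beyond the implicit Domain Users (MemberOf count 0).
$u = Get-ADUser $Account -Properties LogonWorkstations, MemberOf
[pscustomobject]@{
    Account      = $u.SamAccountName
    LogonHosts   = $u.LogonWorkstations
    DomainGroups = ($u.MemberOf | Measure-Object).Count
}
```

The logon restriction is enforced by the domain controller at logon time, so it should be paired with monitoring of logon events (4624/4625) for this account on other hosts. A local administrator on a domain-joined server can still act as that server's computer account, which is the residual exposure the question asks about and the reason option A removes the servers from the domain altogether.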
richardstuartpowell (Author) Commented:
Hi JaredJ1

This is a good point.  At the moment we are just examining all of the options.  Thanks to everyone who responded to my query - I am always impressed with the answers I receive on this website!

If no-one else wants to chip-in I will close this question and distribute the points ...

