Divide the existing active directory domain into two separate domains

Hello Experts,

I need a help in this please.

Current environment:

Single AD domain hosted in 2 DCs and 4 exchange servers, all of them are controlled by an IT department which belongs to finance department, another IT department which is for the whole org. is responsible for all other servers and machines in the network.

The problem is all mailboxes and AD object is not controlled by the IT department, I am thinking of a possible solution for that is to create a new domain in the existing forest. then migrate all AD objects except the ones for the finance dept. to this domain.

I need to have control over our objects

Any thoughts ?
LVL 23
Suliman Abu KharroubIT Consultant Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dan_blagutCommented:
Hello

I'm not sure that I understood your question.
The main IT department don't have any domain? How many users are in other department? Why IT-finance manage all Exchange servers?

Dan
0
Tony MassaCommented:
You don't have to do that. What you need to do is this:

Create top-level OUs for each IT and Financed-managed users and groups.
Splitting these managed objects into OUs is the same idea so you can delegate the proper permissions for each.  I think you can do the same basic thing with Exchange data stores.

Design and implement your AD security design and OU structure. You also won't need to have the extra costs associated with a new domain: migration, domain controllers, liscensing, management, etc.

The goal of the security design should be to create a delegation model that will be used by each group without using any built-in groups.  An exchange admin should comment on how to delegate, or separate, roles within Exchange.
0
Suliman Abu KharroubIT Consultant Author Commented:
Yes the IT-Finance manages the AD and exchange.

I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tony MassaCommented:
This is a business problem not a technical one. You can make an OU structure that works exactly as separate domains do, and I'm pretty sure Exchange can also be segregated for admins as well. You would have to perform a migration to split the domains anyway, and that will prove to be harder than a security redesign project.
0
markdmacCommented:
Domains are not the true security divider, forests are.  To achieve complete separation you would need to setup a new forest and domain. Enable trusts between them and use ADMT to migrate users and computers. That is a lot of work and should be unnecessary.  As has been already suggested, move to an OU model.  Create OUs for each department, move the respective users and computers to those OUs.  Delegate control of those OUs to departmental IT if they have it.  Transfer ownership of the domain controller hardware and licensing from finance to the corporation if necessary to satisfy the companies books.  For Exchange, depending on how you are set up, split the finance users off onto their own Exchange server if they still want email autonomy.  I would however suggest that the company combine all lT personnel in a reorganization. Your company has invented problems.
0
Suliman Abu KharroubIT Consultant Author Commented:
Thank you guys,, seems that I am going with OU separation option.

I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com).

I know that it a mess, so I am out of ideas.
0
markdmacCommented:
You can only have one Exchange org per domain. So if you go with the OU model, leave Exchange alone.  You can separate users via information store or server, but they have to be in the same org to use the same external domain name.
0
Syed_M_UsmanSystem AdministratorCommented:
Dear,

i do agree with above experts sugegstion.... a simlest way waould be t create one OU named Finance, under that create two OU one for Users and one for finance computers, delegate control of only Finance OU to Finance It team,,, keep remaining domain with you.
0
pwindellCommented:
I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.

This is just silly.  The Domain is created properly,....the IT structure isn't.   Fix the IT structure,...there should never be "two" IT Depts.  Merge them into one.   This cannot come from you it has to come from the company itself.
0
pwindellCommented:
I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com)

A second Exchange is not going to help.   You can't have two Exchange Systems serving the same Public Email Namespace,...unless they are in the same Exchange Org,...which puts them in the same Forest.    Now you might be able to look into the possibility of multiple Domains in the same Forest or maybe a Child Domain situation,...but to me that just sounds uglier and uglier the farther you go with it.

The only real solution is to leave the Domain alone and "Merge the Humans" and create one IT Dept.  The reason that is the real solution is because that is the real problem.  Anything else is just a "band-ade",...and a poor one at that.   I get the impression that this company has all kinds of Management problems,...it would almost have to be to get into a situation like this.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Suliman Abu KharroubIT Consultant Author Commented:
Thanks all,

After a long discussion , I got access and control over all systems.
0
pwindellCommented:
Excellent!
Very good.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.