Solved

Divide the existing active directory domain into two separate domains

Posted on 2012-03-17
12
891 Views
Last Modified: 2012-04-04
Hello Experts,

I need a help in this please.

Current environment:

Single AD domain hosted in 2 DCs and 4 exchange servers, all of them are controlled by an IT department which belongs to finance department, another IT department which is for the whole org. is responsible for all other servers and machines in the network.

The problem is all mailboxes and AD object is not controlled by the IT department, I am thinking of a possible solution for that is to create a new domain in the existing forest. then migrate all AD objects except the ones for the finance dept. to this domain.

I need to have control over our objects

Any thoughts ?
0
Comment
Question by:Suliman Abu Kharroub
  • 3
  • 3
  • 2
  • +3
12 Comments
 
LVL 21

Expert Comment

by:dan_blagut
ID: 37734659
Hello

I'm not sure that I understood your question.
The main IT department don't have any domain? How many users are in other department? Why IT-finance manage all Exchange servers?

Dan
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 250 total points
ID: 37734688
You don't have to do that. What you need to do is this:

Create top-level OUs for each IT and Financed-managed users and groups.
Splitting these managed objects into OUs is the same idea so you can delegate the proper permissions for each.  I think you can do the same basic thing with Exchange data stores.

Design and implement your AD security design and OU structure. You also won't need to have the extra costs associated with a new domain: migration, domain controllers, liscensing, management, etc.

The goal of the security design should be to create a delegation model that will be used by each group without using any built-in groups.  An exchange admin should comment on how to delegate, or separate, roles within Exchange.
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 37734689
Yes the IT-Finance manages the AD and exchange.

I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 250 total points
ID: 37734693
This is a business problem not a technical one. You can make an OU structure that works exactly as separate domains do, and I'm pretty sure Exchange can also be segregated for admins as well. You would have to perform a migration to split the domains anyway, and that will prove to be harder than a security redesign project.
0
 
LVL 15

Expert Comment

by:markdmac
ID: 37734875
Domains are not the true security divider, forests are.  To achieve complete separation you would need to setup a new forest and domain. Enable trusts between them and use ADMT to migrate users and computers. That is a lot of work and should be unnecessary.  As has been already suggested, move to an OU model.  Create OUs for each department, move the respective users and computers to those OUs.  Delegate control of those OUs to departmental IT if they have it.  Transfer ownership of the domain controller hardware and licensing from finance to the corporation if necessary to satisfy the companies books.  For Exchange, depending on how you are set up, split the finance users off onto their own Exchange server if they still want email autonomy.  I would however suggest that the company combine all lT personnel in a reorganization. Your company has invented problems.
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 37735787
Thank you guys,, seems that I am going with OU separation option.

I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com).

I know that it a mess, so I am out of ideas.
0
 
LVL 15

Expert Comment

by:markdmac
ID: 37735795
You can only have one Exchange org per domain. So if you go with the OU model, leave Exchange alone.  You can separate users via information store or server, but they have to be in the same org to use the same external domain name.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37736481
Dear,

i do agree with above experts sugegstion.... a simlest way waould be t create one OU named Finance, under that create two OU one for Users and one for finance computers, delegate control of only Finance OU to Finance It team,,, keep remaining domain with you.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 37737463
I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.

This is just silly.  The Domain is created properly,....the IT structure isn't.   Fix the IT structure,...there should never be "two" IT Depts.  Merge them into one.   This cannot come from you it has to come from the company itself.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 37739396
I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com)

A second Exchange is not going to help.   You can't have two Exchange Systems serving the same Public Email Namespace,...unless they are in the same Exchange Org,...which puts them in the same Forest.    Now you might be able to look into the possibility of multiple Domains in the same Forest or maybe a Child Domain situation,...but to me that just sounds uglier and uglier the farther you go with it.

The only real solution is to leave the Domain alone and "Merge the Humans" and create one IT Dept.  The reason that is the real solution is because that is the real problem.  Anything else is just a "band-ade",...and a poor one at that.   I get the impression that this company has all kinds of Management problems,...it would almost have to be to get into a situation like this.
0
 
LVL 23

Author Closing Comment

by:Suliman Abu Kharroub
ID: 37803150
Thanks all,

After a long discussion , I got access and control over all systems.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37808535
Excellent!
Very good.
0

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now