Solved

Divide the existing active directory domain into two separate domains

Posted on 2012-03-17
Last Modified: 2012-04-04
Hello Experts,

I need help with this, please.

Current environment:

Single AD domain hosted on 2 DCs, plus 4 Exchange servers, all of them controlled by an IT department that belongs to the finance department; another IT department, which serves the whole organization, is responsible for all other servers and machines in the network.

The problem is that all mailboxes and AD objects are not controlled by the IT department. I am thinking of a possible solution for that: create a new domain in the existing forest, then migrate all AD objects except the ones for the finance dept. to this domain.

I need to have control over our objects

Any thoughts ?
Question by:Suliman Abu Kharroub
12 Comments

Expert Comment

by:dan_blagut
ID: 37734659
Hello

I'm not sure that I understood your question.
The main IT department doesn't have any domain? How many users are in the other department? Why does IT-Finance manage all Exchange servers?

Dan

Assisted Solution

by:Tony Massa
Tony Massa earned 1000 total points
ID: 37734688
You don't have to do that. What you need to do is this:

Create top-level OUs for IT-managed and Finance-managed users and groups.
Splitting these managed objects into OUs is the same idea, so you can delegate the proper permissions for each. I think you can do the same basic thing with Exchange data stores.

Design and implement your AD security design and OU structure. You also won't need to have the extra costs associated with a new domain: migration, domain controllers, licensing, management, etc.

The goal of the security design should be to create a delegation model that will be used by each group without using any built-in groups. An Exchange admin should comment on how to delegate, or separate, roles within Exchange.

Author Comment

by:Suliman Abu Kharroub
ID: 37734689
Yes, IT-Finance manages the AD and Exchange.

I am a new admin in the company; I came and found it like this :S. I can't find any reason to make the AD design like this. I am trying to find a way to create an AD domain for the real IT dept.

Assisted Solution

by:Tony Massa
Tony Massa earned 1000 total points
ID: 37734693
This is a business problem not a technical one. You can make an OU structure that works exactly as separate domains do, and I'm pretty sure Exchange can also be segregated for admins as well. You would have to perform a migration to split the domains anyway, and that will prove to be harder than a security redesign project.

Expert Comment

by:markdmac
ID: 37734875
Domains are not the true security divider, forests are. To achieve complete separation you would need to set up a new forest and domain, enable trusts between them and use ADMT to migrate users and computers. That is a lot of work and should be unnecessary. As has been already suggested, move to an OU model. Create OUs for each department, move the respective users and computers to those OUs. Delegate control of those OUs to departmental IT if they have it. Transfer ownership of the domain controller hardware and licensing from finance to the corporation if necessary to satisfy the company's books. For Exchange, depending on how you are set up, split the finance users off onto their own Exchange server if they still want email autonomy. I would however suggest that the company combine all IT personnel in a reorganization. Your company has invented problems.

Author Comment

by:Suliman Abu Kharroub
ID: 37735787
Thank you guys, it seems that I am going with the OU separation option.

I am just thinking how Exchange could be designed in the second option (new domain)? Is a new Exchange server needed, given that both AD domains should have the same external domain name (company.com)?

I know that it is a mess, so I am out of ideas.

Expert Comment

by:markdmac
ID: 37735795
You can only have one Exchange org per domain. So if you go with the OU model, leave Exchange alone.  You can separate users via information store or server, but they have to be in the same org to use the same external domain name.

Expert Comment

by:Syed_M_Usman
ID: 37736481
Dear,

I do agree with the above experts' suggestions. The simplest way would be to create one OU named Finance; under that, create two OUs, one for Finance users and one for Finance computers. Delegate control of only the Finance OU to the Finance IT team, and keep the remaining domain with you.
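Putting the OU model described in the three replies above into practice, here is an added PowerShell example; it is not code posted by anyone in this thread. It creates OU=Finance with Users and Computers sub-OUs, moves the Finance objects into them, delegates create/delete and full control over user, computer and group objects in that subtree to a Finance IT security group (and nothing else: no rights on the OU's own attributes, GPO links, or objects outside the subtree), and then checks the result. The group name Finance-IT-Admins, the Department='Finance' and FIN-* conventions used to find Finance objects, and placing the group in the default Users container are all assumptions, not anything stated in the original post.

```powershell
# Added example for this thread (not code posted by any participant):
# build a delegated Finance OU subtree and verify the delegation.
# Assumptions (not in the original post): group name Finance-IT-Admins,
# Finance users carry Department='Finance', Finance computers are named FIN-*.
# Run with the ActiveDirectory module (DC or RSAT host) as a corporate IT admin
# who is NOT a member of the Finance IT team.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'Finance-IT-Admins'

function Ensure-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null }
    return $dn
}

# 1. OU structure: Finance at the top level, Users and Computers beneath it.
$financeOU = Ensure-OU -Name 'Finance'   -Path $domainDN
$usersOU   = Ensure-OU -Name 'Users'     -Path $financeOU
$compsOU   = Ensure-OU -Name 'Computers' -Path $financeOU

# 2. Delegation group, deliberately created OUTSIDE the Finance OU (default
#    Users container): if it lived inside the OU, Finance IT could edit its
#    own membership with the group rights granted in step 4.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDN" -Description 'Delegated admins for the OU=Finance subtree' | Out-Null
}
$groupSid = (Get-ADGroup -Identity $groupName).SID

# 3. Move Finance objects into the new OUs, skipping anything already there.
Get-ADUser -Filter "Department -eq 'Finance'" |
    Where-Object { $_.DistinguishedName -notlike "*,$financeOU" } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $usersOU }
Get-ADComputer -Filter "Name -like 'FIN-*'" |
    Where-Object { $_.DistinguishedName -notlike "*,$financeOU" } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $compsOU }

# 4. Delegation via the AD: drive. Schema class GUIDs for user/computer/group;
#    rights are scoped per class so Finance IT cannot touch the OU itself
#    (e.g. gPLink) or widen its own scope.
$classGuid = @{
    user     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    group    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
}
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$createDel = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullCtrl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$inhAll    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$financeOU"
foreach ($class in $classGuid.Keys) {
    # Create/delete objects of this class anywhere in the subtree (objectType = class GUID).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $createDel, $allow, $classGuid[$class], $inhAll)))
    # Full control over existing objects of this class, descendants only (inheritedObjectType = class GUID).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $fullCtrl, $allow, $inhDesc, $classGuid[$class])))
}
Set-Acl -Path "AD:\$financeOU" -AclObject $acl

# 5a. Check the ACEs landed as intended.
(Get-Acl -Path "AD:\$financeOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# 5b. The delegation is meaningless while Finance IT still holds domain-wide
#     rights: built-in groups own every OU regardless of its ACL.
$members = Get-ADGroupMember -Identity $groupName -Recursive | Select-Object -ExpandProperty SamAccountName
foreach ($priv in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators') {
    $overlap = Get-ADGroupMember -Identity $priv -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $members -contains $_.SamAccountName }
    if ($overlap) { Write-Warning "$priv still contains Finance IT members: $($overlap.SamAccountName -join ', ')" }
}
```

Two caveats the ACL alone does not cover. An OU is an administrative boundary, not a security one (markdmac's point about forests): anyone who holds or obtains domain-level rights still controls the whole domain, which is why the last check matters more than the ACEs. On the Exchange side, the counterpart on Exchange 2010 and later would be an RBAC management scope whose recipient root is the Finance OU; the thread does not state which Exchange version is in use, so treat that as an assumption.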

Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 37737463
"I am a new admin in the company; I came and found it like this :S. I can't find any reason to make the AD design like this. I am trying to find a way to create an AD domain for the real IT dept."

This is just silly. The domain is created properly; the IT structure isn't. Fix the IT structure; there should never be "two" IT depts. Merge them into one. This cannot come from you, it has to come from the company itself.

Accepted Solution

by:pwindell
pwindell earned 1000 total points
ID: 37739396
"I am just thinking how Exchange could be designed in the second option (new domain)? Is a new Exchange server needed, given that both AD domains should have the same external domain name (company.com)?"

A second Exchange is not going to help. You can't have two Exchange systems serving the same public email namespace unless they are in the same Exchange org, which puts them in the same forest. Now you might be able to look into the possibility of multiple domains in the same forest, or maybe a child domain situation, but to me that just sounds uglier and uglier the farther you go with it.

The only real solution is to leave the domain alone, "merge the humans" and create one IT dept. The reason that is the real solution is that it is the real problem. Anything else is just a "band-aid", and a poor one at that. I get the impression that this company has all kinds of management problems; it would almost have to, to get into a situation like this.

Author Closing Comment

by:Suliman Abu Kharroub
ID: 37803150
Thanks all,

After a long discussion , I got access and control over all systems.

Expert Comment

by:pwindell
ID: 37808535
Excellent!
Very good.