Divide the existing active directory domain into two separate domains

Hello Experts,

I need a help in this please.

Current environment:

Single AD domain hosted in 2 DCs and 4 exchange servers, all of them are controlled by an IT department which belongs to finance department, another IT department which is for the whole org. is responsible for all other servers and machines in the network.

The problem is all mailboxes and AD object is not controlled by the IT department, I am thinking of a possible solution for that is to create a new domain in the existing forest. then migrate all AD objects except the ones for the finance dept. to this domain.

I need to have control over our objects

Any thoughts ?
LVL 23
Suliman Abu KharroubIT Consultant Asked:
Who is Participating?
 
pwindellConnect With a Mentor Commented:
I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com)

A second Exchange is not going to help.   You can't have two Exchange Systems serving the same Public Email Namespace,...unless they are in the same Exchange Org,...which puts them in the same Forest.    Now you might be able to look into the possibility of multiple Domains in the same Forest or maybe a Child Domain situation,...but to me that just sounds uglier and uglier the farther you go with it.

The only real solution is to leave the Domain alone and "Merge the Humans" and create one IT Dept.  The reason that is the real solution is because that is the real problem.  Anything else is just a "band-ade",...and a poor one at that.   I get the impression that this company has all kinds of Management problems,...it would almost have to be to get into a situation like this.
0
 
dan_blagutCommented:
Hello

I'm not sure that I understood your question.
The main IT department don't have any domain? How many users are in other department? Why IT-finance manage all Exchange servers?

Dan
0
 
Tony MassaConnect With a Mentor Commented:
You don't have to do that. What you need to do is this:

Create top-level OUs for each IT and Financed-managed users and groups.
Splitting these managed objects into OUs is the same idea so you can delegate the proper permissions for each.  I think you can do the same basic thing with Exchange data stores.

Design and implement your AD security design and OU structure. You also won't need to have the extra costs associated with a new domain: migration, domain controllers, liscensing, management, etc.

The goal of the security design should be to create a delegation model that will be used by each group without using any built-in groups.  An exchange admin should comment on how to delegate, or separate, roles within Exchange.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Suliman Abu KharroubIT Consultant Author Commented:
Yes the IT-Finance manages the AD and exchange.

I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.
0
 
Tony MassaConnect With a Mentor Commented:
This is a business problem not a technical one. You can make an OU structure that works exactly as separate domains do, and I'm pretty sure Exchange can also be segregated for admins as well. You would have to perform a migration to split the domains anyway, and that will prove to be harder than a security redesign project.
0
 
markdmacCommented:
Domains are not the true security divider, forests are.  To achieve complete separation you would need to setup a new forest and domain. Enable trusts between them and use ADMT to migrate users and computers. That is a lot of work and should be unnecessary.  As has been already suggested, move to an OU model.  Create OUs for each department, move the respective users and computers to those OUs.  Delegate control of those OUs to departmental IT if they have it.  Transfer ownership of the domain controller hardware and licensing from finance to the corporation if necessary to satisfy the companies books.  For Exchange, depending on how you are set up, split the finance users off onto their own Exchange server if they still want email autonomy.  I would however suggest that the company combine all lT personnel in a reorganization. Your company has invented problems.
0
 
Suliman Abu KharroubIT Consultant Author Commented:
Thank you guys,, seems that I am going with OU separation option.

I am just thinking how could exchange be designed in the second option (new domain) ? does a new exchange server needed knowing that both AD domains should have the same external domain name ( company.com).

I know that it a mess, so I am out of ideas.
0
 
markdmacCommented:
You can only have one Exchange org per domain. So if you go with the OU model, leave Exchange alone.  You can separate users via information store or server, but they have to be in the same org to use the same external domain name.
0
 
Syed_M_UsmanSystem AdministratorCommented:
Dear,

i do agree with above experts sugegstion.... a simlest way waould be t create one OU named Finance, under that create two OU one for Users and one for finance computers, delegate control of only Finance OU to Finance It team,,, keep remaining domain with you.
0
 
pwindellConnect With a Mentor Commented:
I am new admin in the company, I came and found it like this :S can't find any reason to make the AD design like this. I am trying to find out a way to create an AD domain for the real IT dept.

This is just silly.  The Domain is created properly,....the IT structure isn't.   Fix the IT structure,...there should never be "two" IT Depts.  Merge them into one.   This cannot come from you it has to come from the company itself.
0
 
Suliman Abu KharroubIT Consultant Author Commented:
Thanks all,

After a long discussion , I got access and control over all systems.
0
 
pwindellCommented:
Excellent!
Very good.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.