Collapsing Active Directory

Posted on 2012-03-20
Last Modified: 2012-06-21
Good Afternoon,
Our company has elected to do away with Active Directory and Exchange in favour of a federated infrastructure that more readily allows for BYOD, scalability and private cloud.

Not being an AD expert, I'd like to get advice on how to best collapse the system.

Thanks in advance.
Question by:IanGP
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 30

Expert Comment

ID: 37743017
I dont think you will be getting rid of ad just yet

your basically talking of something like google cloud connect but that will not help with byod
to use byod you will still need things like group policy unless your happy for virus's to get onto your servers as byod devices can be a source

for exchange you talking about google apps ?


you wont be the first one lol m$ is loosing out to google but they are fighting back imho
LVL 30

Expert Comment

ID: 37743022
private cloud means vmware vcloud director are you going to own the servers and storge for a private cloud and use it locally
LVL 57

Expert Comment

by:Mike Kline
ID: 37743314
Have you looked into office 365?   You can put it all in the cloud or do a mix with onprem or the cloud (adfs and dirsync come into play)


Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.


Expert Comment

ID: 37743794
Depends on what you mean by 'collapse the system' and your configuration.  Do you have a wide-spread infrastructure?  Lots of locations with a server or two?  I'm assuming you want to consolidate, decommission, and/or re-allocate as your get rid of your domain.

You'll want to make sure you have at least two Domain Controllers running to support Exchange until the very last mailbox is gone and you're ready to shut it down.  Technically only one is needed but if it crashes, you're going to hate life so keep two active.

I can provide more details as I have a better understanding of how things are and what you intend on 'collapsing'.  Tossing AD is a huge step.  Much harder than not using it in the first place, so be prepared for a long project.

Author Comment

ID: 37751054
Thanks Kollenh.

I will be removing AD altogether. And yes, we will be consolidating as we remove AD.

Our infrastructure lies across 2 sites; Head Office and data centre. We are moving email over to Gmail and will make use of cloud storage for file sharing.


Author Comment

ID: 37776186
@mkline71 - Yes, we have looked at Office365, but it does not provide the device/OS independence tthat we are looking for.

@IanTH - The plan is to do away with all servers that we own directly and make use of 3rd party infrastructure. For example, our busines is about web and app dev, we don't want to 'waste time' on non-core business functions, but rather leave that to the infrastructure experts. We will put a security 'shell' around our servers and allow access from any device/OS provided credentials are valid.

I think we digress here.
With regards to collapsing AD, I foresee the following approach:
1) Set up local accounts for all users
2) Detach laptop/Desktop from AD
3) Break down all security groups
4) Decommission Exchange
5) Change system accounts (for websites, ticketing systems etc)
6) Decommission internal DNS structure

Thanks for the input thus far.

Accepted Solution

kollenh earned 500 total points
ID: 37779358

I think your approach plan is solid.  I'm sure you'll find additional problems as you go along but the order seems appropriate.

As a side-note, you can redirect the local user accounts to use the same 'profile' as the domain accounts.  I think you'll find that will ease the migration process.  Once you've create the local account and logged onto the system with it, edit the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\{UserAccount-GUID}\ProfileImagePath

Open in new window

Also, make sure that your Domain Controllers are the very last computer you decommission.  Once you think it's no longer needed, shut it down for a week or two, just to make sure nothing pops up.


Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question