Collapsing Active Directory

Posted on 2012-03-20
Last Modified: 2012-06-21
Good Afternoon,
Our company has elected to do away with Active Directory and Exchange in favour of a federated infrastructure that more readily allows for BYOD, scalability and private cloud.

Not being an AD expert, I'd like to get advice on how to best collapse the system.

Thanks in advance.
Question by:IanGP
  • 2
  • 2
  • 2
  • +1
LVL 30

Expert Comment

ID: 37743017
I dont think you will be getting rid of ad just yet

your basically talking of something like google cloud connect but that will not help with byod
to use byod you will still need things like group policy unless your happy for virus's to get onto your servers as byod devices can be a source

for exchange you talking about google apps ?


you wont be the first one lol m$ is loosing out to google but they are fighting back imho
LVL 30

Expert Comment

ID: 37743022
private cloud means vmware vcloud director are you going to own the servers and storge for a private cloud and use it locally
LVL 57

Expert Comment

by:Mike Kline
ID: 37743314
Have you looked into office 365?   You can put it all in the cloud or do a mix with onprem or the cloud (adfs and dirsync come into play)


Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Expert Comment

ID: 37743794
Depends on what you mean by 'collapse the system' and your configuration.  Do you have a wide-spread infrastructure?  Lots of locations with a server or two?  I'm assuming you want to consolidate, decommission, and/or re-allocate as your get rid of your domain.

You'll want to make sure you have at least two Domain Controllers running to support Exchange until the very last mailbox is gone and you're ready to shut it down.  Technically only one is needed but if it crashes, you're going to hate life so keep two active.

I can provide more details as I have a better understanding of how things are and what you intend on 'collapsing'.  Tossing AD is a huge step.  Much harder than not using it in the first place, so be prepared for a long project.

Author Comment

ID: 37751054
Thanks Kollenh.

I will be removing AD altogether. And yes, we will be consolidating as we remove AD.

Our infrastructure lies across 2 sites; Head Office and data centre. We are moving email over to Gmail and will make use of cloud storage for file sharing.


Author Comment

ID: 37776186
@mkline71 - Yes, we have looked at Office365, but it does not provide the device/OS independence tthat we are looking for.

@IanTH - The plan is to do away with all servers that we own directly and make use of 3rd party infrastructure. For example, our busines is about web and app dev, we don't want to 'waste time' on non-core business functions, but rather leave that to the infrastructure experts. We will put a security 'shell' around our servers and allow access from any device/OS provided credentials are valid.

I think we digress here.
With regards to collapsing AD, I foresee the following approach:
1) Set up local accounts for all users
2) Detach laptop/Desktop from AD
3) Break down all security groups
4) Decommission Exchange
5) Change system accounts (for websites, ticketing systems etc)
6) Decommission internal DNS structure

Thanks for the input thus far.

Accepted Solution

kollenh earned 500 total points
ID: 37779358

I think your approach plan is solid.  I'm sure you'll find additional problems as you go along but the order seems appropriate.

As a side-note, you can redirect the local user accounts to use the same 'profile' as the domain accounts.  I think you'll find that will ease the migration process.  Once you've create the local account and logged onto the system with it, edit the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\{UserAccount-GUID}\ProfileImagePath

Open in new window

Also, make sure that your Domain Controllers are the very last computer you decommission.  Once you think it's no longer needed, shut it down for a week or two, just to make sure nothing pops up.


Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question