Solved

Forcibly Split AD Domain

Posted on 2014-10-24
6
102 Views
Last Modified: 2014-10-29
Hello,

We currently have an AD domain (2003 functional level) which spans two sites, connected via VPN tunnel.    Site A hosts 6 DCs, including a DC which currently holds all of the FSMO roles.  Site B just a single DC, and several users / clients.  Due to changes in the organization, we need to split these two organizations into separate domains, so that they can be administered independently of one another.  There will be different owners for both domains, which is why we are doing this.

Our current migration plan is to simply kill the VPN tunnel, and seize all of the FSMO roles onto the single DC at site B.  Site A will never know that roles have been seized by the DC at site B, it will only know that the DC at site B is somehow inaccessible.  At site B, we will simply act as if the remaining DC is now the sole DC on the domain.  Essentially, what we're trying to do is a "forced" migration to site B, which will leave us with two identically named domains that can be managed independently.

Are there any caveats to doing it this way, vs. going through the official AD migration process (with ADMT, etc.)?  ADMT seems to be a fairly involved process, and our current plan seems like it would greatly simplify this configuration change.  Any suggestions, or insight as to what we're getting into, is greatly appreciated.
0
Comment
Question by:ClearBlueTechnologies
  • 2
  • 2
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 40402812
Well first off, is exchange configured for this domain at all?

it is certainly the most unconventional plan I have ever heard of and I would not like to be the one who is responsible for either domain in the future.

IF Exchange is involved then you MUST delete exchange completely from one of the two domain.

As you state that site B is just several users and clients, I would STRONGLY advise that you just create a brand new domain for that organisation and export the data from the old site to the new domain.

Your plan is fraught with pitfalls that might not be evident right now but in time to come.....
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40403825
it seems risky to me for site B or for the site whichever you will do in last. for the first half it will not throw any errors but what if it does not allow you to do anything at site B as it has only one DC.
my recommendation would be to demote the dc at site B, break the VPN and create new domain at site B with the same name. You will have to do some extra work with client computers and user accounts but I would strongly recommend not to go with your above plan unless you have a solid rollback plan.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406253
@Neilsr : Luckily Exchange is not present on the domain, so we will have no issues there.  We are relatively pressed for time and resources, which is why we would like to avoid building a new domain and figuring out how to do the full ADMT migration, which we have never done before.

@Paramod Ubhe : We're aware that site B will have issues, but are hoping that seizing all of the FSMO roles and cleaning up the metadata will resolve these issues.  Ultimately, this scenario would be similar to a situation where one or more DCs died and weren't rebuilt.  Assuming it should be possible to recover from that scenario, it seems like this should really be no different.

Does anyone know specifically what type of issues we may encounter if things go wrong?  From my end, it seems like the risks are fairly vague, although I will admit I have not seen many AD failures in the past.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 40406346
at the most you can consider an issue like you don't have any DC at site B, in that case I would recommend to keep a latest backup of DC at site B and be ready to do an authoritative restore and then seize roles so that DC at site B will have all the things required.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40406462
Question:

Will site A and Site B EVER need to communicate with each other in the future?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406511
@Neilsr : No, complete and permanent organizational separation is the goal here, so there will be no communication with the parent organization in the future.  After we migrate, Site B will be completely cutoff from Site A, because they are essentially different companies at this point.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now