Forcibly Split AD Domain

Hello,

We currently have an AD domain (2003 functional level) which spans two sites, connected via VPN tunnel.    Site A hosts 6 DCs, including a DC which currently holds all of the FSMO roles.  Site B just a single DC, and several users / clients.  Due to changes in the organization, we need to split these two organizations into separate domains, so that they can be administered independently of one another.  There will be different owners for both domains, which is why we are doing this.

Our current migration plan is to simply kill the VPN tunnel, and seize all of the FSMO roles onto the single DC at site B.  Site A will never know that roles have been seized by the DC at site B, it will only know that the DC at site B is somehow inaccessible.  At site B, we will simply act as if the remaining DC is now the sole DC on the domain.  Essentially, what we're trying to do is a "forced" migration to site B, which will leave us with two identically named domains that can be managed independently.

Are there any caveats to doing it this way, vs. going through the official AD migration process (with ADMT, etc.)?  ADMT seems to be a fairly involved process, and our current plan seems like it would greatly simplify this configuration change.  Any suggestions, or insight as to what we're getting into, is greatly appreciated.
LVL 1
ClearBlueTechnologiesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Neil RussellTechnical Development LeadCommented:
Well first off, is exchange configured for this domain at all?

it is certainly the most unconventional plan I have ever heard of and I would not like to be the one who is responsible for either domain in the future.

IF Exchange is involved then you MUST delete exchange completely from one of the two domain.

As you state that site B is just several users and clients, I would STRONGLY advise that you just create a brand new domain for that organisation and export the data from the old site to the new domain.

Your plan is fraught with pitfalls that might not be evident right now but in time to come.....
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Pramod UbheCommented:
it seems risky to me for site B or for the site whichever you will do in last. for the first half it will not throw any errors but what if it does not allow you to do anything at site B as it has only one DC.
my recommendation would be to demote the dc at site B, break the VPN and create new domain at site B with the same name. You will have to do some extra work with client computers and user accounts but I would strongly recommend not to go with your above plan unless you have a solid rollback plan.
0
ClearBlueTechnologiesAuthor Commented:
@Neilsr : Luckily Exchange is not present on the domain, so we will have no issues there.  We are relatively pressed for time and resources, which is why we would like to avoid building a new domain and figuring out how to do the full ADMT migration, which we have never done before.

@Paramod Ubhe : We're aware that site B will have issues, but are hoping that seizing all of the FSMO roles and cleaning up the metadata will resolve these issues.  Ultimately, this scenario would be similar to a situation where one or more DCs died and weren't rebuilt.  Assuming it should be possible to recover from that scenario, it seems like this should really be no different.

Does anyone know specifically what type of issues we may encounter if things go wrong?  From my end, it seems like the risks are fairly vague, although I will admit I have not seen many AD failures in the past.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Pramod UbheCommented:
at the most you can consider an issue like you don't have any DC at site B, in that case I would recommend to keep a latest backup of DC at site B and be ready to do an authoritative restore and then seize roles so that DC at site B will have all the things required.
0
Neil RussellTechnical Development LeadCommented:
Question:

Will site A and Site B EVER need to communicate with each other in the future?
0
ClearBlueTechnologiesAuthor Commented:
@Neilsr : No, complete and permanent organizational separation is the goal here, so there will be no communication with the parent organization in the future.  After we migrate, Site B will be completely cutoff from Site A, because they are essentially different companies at this point.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.