Solved

Forcibly Split AD Domain

Posted on 2014-10-24
6
108 Views
Last Modified: 2014-10-29
Hello,

We currently have an AD domain (2003 functional level) which spans two sites, connected via VPN tunnel.    Site A hosts 6 DCs, including a DC which currently holds all of the FSMO roles.  Site B just a single DC, and several users / clients.  Due to changes in the organization, we need to split these two organizations into separate domains, so that they can be administered independently of one another.  There will be different owners for both domains, which is why we are doing this.

Our current migration plan is to simply kill the VPN tunnel, and seize all of the FSMO roles onto the single DC at site B.  Site A will never know that roles have been seized by the DC at site B, it will only know that the DC at site B is somehow inaccessible.  At site B, we will simply act as if the remaining DC is now the sole DC on the domain.  Essentially, what we're trying to do is a "forced" migration to site B, which will leave us with two identically named domains that can be managed independently.

Are there any caveats to doing it this way, vs. going through the official AD migration process (with ADMT, etc.)?  ADMT seems to be a fairly involved process, and our current plan seems like it would greatly simplify this configuration change.  Any suggestions, or insight as to what we're getting into, is greatly appreciated.
0
Comment
Question by:ClearBlueTechnologies
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 40402812
Well first off, is exchange configured for this domain at all?

it is certainly the most unconventional plan I have ever heard of and I would not like to be the one who is responsible for either domain in the future.

IF Exchange is involved then you MUST delete exchange completely from one of the two domain.

As you state that site B is just several users and clients, I would STRONGLY advise that you just create a brand new domain for that organisation and export the data from the old site to the new domain.

Your plan is fraught with pitfalls that might not be evident right now but in time to come.....
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40403825
it seems risky to me for site B or for the site whichever you will do in last. for the first half it will not throw any errors but what if it does not allow you to do anything at site B as it has only one DC.
my recommendation would be to demote the dc at site B, break the VPN and create new domain at site B with the same name. You will have to do some extra work with client computers and user accounts but I would strongly recommend not to go with your above plan unless you have a solid rollback plan.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406253
@Neilsr : Luckily Exchange is not present on the domain, so we will have no issues there.  We are relatively pressed for time and resources, which is why we would like to avoid building a new domain and figuring out how to do the full ADMT migration, which we have never done before.

@Paramod Ubhe : We're aware that site B will have issues, but are hoping that seizing all of the FSMO roles and cleaning up the metadata will resolve these issues.  Ultimately, this scenario would be similar to a situation where one or more DCs died and weren't rebuilt.  Assuming it should be possible to recover from that scenario, it seems like this should really be no different.

Does anyone know specifically what type of issues we may encounter if things go wrong?  From my end, it seems like the risks are fairly vague, although I will admit I have not seen many AD failures in the past.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 40406346
at the most you can consider an issue like you don't have any DC at site B, in that case I would recommend to keep a latest backup of DC at site B and be ready to do an authoritative restore and then seize roles so that DC at site B will have all the things required.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40406462
Question:

Will site A and Site B EVER need to communicate with each other in the future?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406511
@Neilsr : No, complete and permanent organizational separation is the goal here, so there will be no communication with the parent organization in the future.  After we migrate, Site B will be completely cutoff from Site A, because they are essentially different companies at this point.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question