Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Forcibly Split AD Domain

Posted on 2014-10-24
6
Medium Priority
?
111 Views
Last Modified: 2014-10-29
Hello,

We currently have an AD domain (2003 functional level) which spans two sites, connected via VPN tunnel.    Site A hosts 6 DCs, including a DC which currently holds all of the FSMO roles.  Site B just a single DC, and several users / clients.  Due to changes in the organization, we need to split these two organizations into separate domains, so that they can be administered independently of one another.  There will be different owners for both domains, which is why we are doing this.

Our current migration plan is to simply kill the VPN tunnel, and seize all of the FSMO roles onto the single DC at site B.  Site A will never know that roles have been seized by the DC at site B, it will only know that the DC at site B is somehow inaccessible.  At site B, we will simply act as if the remaining DC is now the sole DC on the domain.  Essentially, what we're trying to do is a "forced" migration to site B, which will leave us with two identically named domains that can be managed independently.

Are there any caveats to doing it this way, vs. going through the official AD migration process (with ADMT, etc.)?  ADMT seems to be a fairly involved process, and our current plan seems like it would greatly simplify this configuration change.  Any suggestions, or insight as to what we're getting into, is greatly appreciated.
0
Comment
Question by:ClearBlueTechnologies
  • 2
  • 2
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 750 total points
ID: 40402812
Well first off, is exchange configured for this domain at all?

it is certainly the most unconventional plan I have ever heard of and I would not like to be the one who is responsible for either domain in the future.

IF Exchange is involved then you MUST delete exchange completely from one of the two domain.

As you state that site B is just several users and clients, I would STRONGLY advise that you just create a brand new domain for that organisation and export the data from the old site to the new domain.

Your plan is fraught with pitfalls that might not be evident right now but in time to come.....
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40403825
it seems risky to me for site B or for the site whichever you will do in last. for the first half it will not throw any errors but what if it does not allow you to do anything at site B as it has only one DC.
my recommendation would be to demote the dc at site B, break the VPN and create new domain at site B with the same name. You will have to do some extra work with client computers and user accounts but I would strongly recommend not to go with your above plan unless you have a solid rollback plan.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406253
@Neilsr : Luckily Exchange is not present on the domain, so we will have no issues there.  We are relatively pressed for time and resources, which is why we would like to avoid building a new domain and figuring out how to do the full ADMT migration, which we have never done before.

@Paramod Ubhe : We're aware that site B will have issues, but are hoping that seizing all of the FSMO roles and cleaning up the metadata will resolve these issues.  Ultimately, this scenario would be similar to a situation where one or more DCs died and weren't rebuilt.  Assuming it should be possible to recover from that scenario, it seems like this should really be no different.

Does anyone know specifically what type of issues we may encounter if things go wrong?  From my end, it seems like the risks are fairly vague, although I will admit I have not seen many AD failures in the past.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 750 total points
ID: 40406346
at the most you can consider an issue like you don't have any DC at site B, in that case I would recommend to keep a latest backup of DC at site B and be ready to do an authoritative restore and then seize roles so that DC at site B will have all the things required.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40406462
Question:

Will site A and Site B EVER need to communicate with each other in the future?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406511
@Neilsr : No, complete and permanent organizational separation is the goal here, so there will be no communication with the parent organization in the future.  After we migrate, Site B will be completely cutoff from Site A, because they are essentially different companies at this point.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question