Solved

Forcibly Split AD Domain

Posted on 2014-10-24
6
106 Views
Last Modified: 2014-10-29
Hello,

We currently have an AD domain (2003 functional level) which spans two sites, connected via VPN tunnel.    Site A hosts 6 DCs, including a DC which currently holds all of the FSMO roles.  Site B just a single DC, and several users / clients.  Due to changes in the organization, we need to split these two organizations into separate domains, so that they can be administered independently of one another.  There will be different owners for both domains, which is why we are doing this.

Our current migration plan is to simply kill the VPN tunnel, and seize all of the FSMO roles onto the single DC at site B.  Site A will never know that roles have been seized by the DC at site B, it will only know that the DC at site B is somehow inaccessible.  At site B, we will simply act as if the remaining DC is now the sole DC on the domain.  Essentially, what we're trying to do is a "forced" migration to site B, which will leave us with two identically named domains that can be managed independently.

Are there any caveats to doing it this way, vs. going through the official AD migration process (with ADMT, etc.)?  ADMT seems to be a fairly involved process, and our current plan seems like it would greatly simplify this configuration change.  Any suggestions, or insight as to what we're getting into, is greatly appreciated.
0
Comment
Question by:ClearBlueTechnologies
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 40402812
Well first off, is exchange configured for this domain at all?

it is certainly the most unconventional plan I have ever heard of and I would not like to be the one who is responsible for either domain in the future.

IF Exchange is involved then you MUST delete exchange completely from one of the two domain.

As you state that site B is just several users and clients, I would STRONGLY advise that you just create a brand new domain for that organisation and export the data from the old site to the new domain.

Your plan is fraught with pitfalls that might not be evident right now but in time to come.....
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40403825
it seems risky to me for site B or for the site whichever you will do in last. for the first half it will not throw any errors but what if it does not allow you to do anything at site B as it has only one DC.
my recommendation would be to demote the dc at site B, break the VPN and create new domain at site B with the same name. You will have to do some extra work with client computers and user accounts but I would strongly recommend not to go with your above plan unless you have a solid rollback plan.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406253
@Neilsr : Luckily Exchange is not present on the domain, so we will have no issues there.  We are relatively pressed for time and resources, which is why we would like to avoid building a new domain and figuring out how to do the full ADMT migration, which we have never done before.

@Paramod Ubhe : We're aware that site B will have issues, but are hoping that seizing all of the FSMO roles and cleaning up the metadata will resolve these issues.  Ultimately, this scenario would be similar to a situation where one or more DCs died and weren't rebuilt.  Assuming it should be possible to recover from that scenario, it seems like this should really be no different.

Does anyone know specifically what type of issues we may encounter if things go wrong?  From my end, it seems like the risks are fairly vague, although I will admit I have not seen many AD failures in the past.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 40406346
at the most you can consider an issue like you don't have any DC at site B, in that case I would recommend to keep a latest backup of DC at site B and be ready to do an authoritative restore and then seize roles so that DC at site B will have all the things required.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40406462
Question:

Will site A and Site B EVER need to communicate with each other in the future?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40406511
@Neilsr : No, complete and permanent organizational separation is the goal here, so there will be no communication with the parent organization in the future.  After we migrate, Site B will be completely cutoff from Site A, because they are essentially different companies at this point.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question