Solved

What's the best way to split a single domain into 2 separate domains?

Posted on 2015-01-13
Last Modified: 2015-01-14
Our organization currently has a single domain with 4 DC's running Server 2008 R2. We have 2 distinct entities within the organization and are exploring the possibility of splitting off one of those entities onto its own domain. We also use Google Apps for mail, calendar, etc. We would still need a trust between the 2 domains as there are some resources that we share, but not many at all.

It seems a little overwhelming to me given there are so many aspects to an AD environment (GP, DNS, User structure, Groups, etc.). I am by no means an AD expert and am trying to get a handle on the work involved here. My initial thought is to hire a consultant to assist.

Is there any sort of documentation out there on best practices and/or a checklist to help better get an idea of what is involved?
Question by:coptechs
10 Comments
 
Accepted Solution
by: Will Szymkowski (earned 1200 total points)
ID: 40546529
You really only have 1 option here.
Build the new Forest root domain and use ADMT to migrate users/computers or any other objects they desire. ADMT also uses SID history so that all of the users in the new domain will be able to access the same files in the old domain.

Take a look at the below link which is the ADMT Guide to walk you through this process.
ADMT Guide

ADMT Download

Will.
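The checks a practitioner would run on the target domain after an ADMT migration, as an added example that is not part of the original thread or of the ADMT guide linked above. It assumes hypothetical names: corp.example as the old domain, newco.example as the new forest root, OU=Migrated,DC=newco,DC=example as the ADMT target OU, plus the ActiveDirectory PowerShell module (RSAT) and read rights in both domains. It verifies that every migrated user carries its old SID in sIDHistory, flags any sIDHistory entry that is a privileged SID of the old domain, and reports whether SID filtering is in force on the trust.

```powershell
# Added example, not from the thread. Hypothetical names: old domain corp.example,
# new forest root newco.example, ADMT target OU "OU=Migrated,DC=newco,DC=example".
Import-Module ActiveDirectory

$SourceDomain = 'corp.example'                      # assumed: old domain, still holds the shared files
$TargetDomain = 'newco.example'                     # assumed: new forest root domain
$TargetOU     = 'OU=Migrated,DC=newco,DC=example'   # assumed: where ADMT created the migrated users

$srcSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# SIDs that must never appear in sIDHistory: a migrated (or tampered) account carrying one of
# these is an administrator of the old domain as soon as its token crosses the trust.
$Privileged  = @(500, 512, 516, 518, 519) | ForEach-Object { "$srcSid-$_" }   # Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
$Privileged += 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551'  # builtin Administrators, Account/Server/Backup Operators

$migrated = Get-ADUser -Server $TargetDomain -SearchBase $TargetOU -Filter * -Properties sIDHistory
foreach ($u in $migrated) {
    $hist = @($u.sIDHistory | ForEach-Object { $_.Value })
    if ($hist.Count -eq 0) {
        Write-Warning "$($u.SamAccountName): no sIDHistory, so access to $SourceDomain resources through the old SID will not work"
        continue
    }
    foreach ($sid in $hist) {
        if (-not $sid.StartsWith("$srcSid-")) {
            Write-Warning "$($u.SamAccountName): sIDHistory entry $sid is not from $SourceDomain"
        }
        if ($Privileged -contains $sid) {
            Write-Warning "$($u.SamAccountName): sIDHistory carries privileged SID $sid; remove it before the account is used"
        }
    }
    # ADMT keeps the sAMAccountName by default, so the source object's own SID must be in the history.
    $src = Get-ADUser -Server $SourceDomain -Filter "sAMAccountName -eq '$($u.SamAccountName)'"
    if ($src -and ($hist -notcontains $src.SID.Value)) {
        Write-Warning "$($u.SamAccountName): sIDHistory lacks the source SID $($src.SID.Value)"
    }
}

# Trust state on both sides. trustAttributes bit 0x4 (QUARANTINED_DOMAIN) means SID filtering is on
# for that trust and sIDHistory claims are discarded at the boundary; bit 0x8 marks a forest trust.
foreach ($dom in $SourceDomain, $TargetDomain) {
    Get-ADObject -Server $dom -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes, trustDirection |
        ForEach-Object {
            $attr = [int]$_.trustAttributes
            [pscustomobject]@{
                Domain       = $dom
                TrustPartner = $_.Name
                Direction    = $_.trustDirection    # 1 inbound, 2 outbound, 3 bidirectional
                ForestTrust  = [bool]($attr -band 0x8)
                SidFiltering = [bool]($attr -band 0x4)
            }
        }
}
```

SID filtering has to be relaxed on the trust for sIDHistory to be honoured (netdom trust with /quarantine:No on an external trust, /enablesidhistory:Yes on a forest trust), and it should be put back as soon as the migration is done: while it is off, anyone who can write sIDHistory in the new domain can impersonate any principal in the old one, which is why the privileged-SID check above is worth keeping as a scheduled job rather than a one-off.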
 
Assisted Solution
by: Dan McFadden (earned 800 total points)
ID: 40546538
First question is: are there 2 unique IT departments or will you still support both entities?

Based on the above answer, you can determine which design to use.  My suggestions are:

1. Reorganize your OU structure to reflect the entities in the company (Single Forest, Single Domain)
2. Keep your existing domain as the forest root (blank root), build out 2 child domains and migrate the users to the new domains based on entity membership. (Single Forest, Multiple Child Domains)

#1 is really an OU and GPO migration.  AD Sites remain the same, possible restructure to account for geographical location.  Security management remains the same as it does today.
#2 depends on budget and time to deploy.  Depending on site structure, the number of users and inter-office connectivity... you will have to determine the number of new DCs to deploy or possibly re-use 2 of your existing domain DCs as new child domain DCs.

To better answer which is best for you, it would be useful to know the following:

1. number of users in each entity
2. number of physical locations the company has
3. how your AD site structure is organized
4. number of AD sites
5. number of datacenters
6. relative connectivity between physical sites (bandwidth & reliability)

Dan
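A script that pulls the data points Dan lists out of the existing domain, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module run against the current single domain, reads sites, subnets and site links directly from the configuration partition (so it also works with the Windows Server 2008 R2 version of the module), and assumes that entity membership is visible either as a top-level OU or in the users' company attribute; the datacenter count and real link reliability still have to be filled in by hand.

```powershell
# Added example, not from the thread: inventory for the design questions above.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# Domain controllers with their site (what could be re-used as child-domain DCs if option #2 wins)
$dcs = @(Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, OperatingSystem, IsGlobalCatalog)

# Sites, subnets and site links straight from the configuration partition
$sites   = @(Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter '(objectClass=site)')
$subnets = @(Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfgNC" -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Select-Object Name, @{n='Site'; e={ (($_.siteObject -split ',')[0]) -replace '^CN=' }})
$links   = @(Get-ADObject -SearchBase "CN=Inter-Site Transports,CN=Sites,$cfgNC" -LDAPFilter '(objectClass=siteLink)' `
    -Properties cost, replInterval, siteList |
    Select-Object Name, cost, replInterval,
        @{n='Sites'; e={ ($_.siteList | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ', ' }})

# Enabled users counted by top-level OU and by the 'company' attribute. Assumption: one of the two
# reflects entity membership in this directory; swap the grouping key if yours uses something else.
$users = @(Get-ADUser -Filter 'enabled -eq $true' -Properties company)
$byOU  = $users | Group-Object {
    $ous = @(($_.DistinguishedName -split ',') -match '^OU=')
    if ($ous.Count) { $ous[-1] } else { '(no OU)' }
}

[pscustomobject]@{
    Forest            = $forest.Name
    ForestMode        = $forest.ForestMode
    DomainMode        = $domain.DomainMode
    DomainControllers = $dcs.Count
    Sites             = $sites.Count
    Subnets           = $subnets.Count
    SiteLinks         = $links.Count
    EnabledUsers      = $users.Count
} | Format-List

$dcs   | Format-Table -AutoSize
$links | Format-Table -AutoSize    # cost and replInterval (minutes) are the directory's view of inter-site connectivity
$byOU  | Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize
$users | Group-Object company | Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize
```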
 
Author Comment
by: coptechs
ID: 40546662
Dan - 2 unique IT departments
Expert Comment
by: Walter Padrón
ID: 40546746
@Dan McFadden I agree with you but there is another option
#3 Two forests with one domain in each, this is a complete split.

@coptechs the decision must be based on the management request, then you decide which is the best AD configuration.
Are you splitting the company into two different management and IT departments, or are you splitting a division still owned by your company? After the split, who sets the IT governance rules? Do they share the same Internet domain?
 
Author Comment
by: coptechs
ID: 40547183
Walter-

We don't need a complete split. We do share the same Internet domain, but that is subject to change as well. Still going to be one company w/ 2 IT departments that operate relatively independent of each other but are still related.
 
Expert Comment
by: Walter Padrón
ID: 40547268
If one of the departments sets the IT governance rules and retains the enterprise/domain admin privileges, you can go with option #1 (single forest, single domain, two OUs).

If they are independent, you can go with option #2 (single forest, two domains).
 
Expert Comment
by: Will Szymkowski
ID: 40547279
There is not much point to separate them unless you want to have separate Default Domain Password policies/group policies etc.

As stated, this can all be achieved by ACLs on specific OUs. You may be creating more work for yourself than you need to. Just also take into consideration that when you have a single forest and multiple child domains you start to make the AD environment much more complex; this goes with other planning in regards to Exchange, Lync, System Center, etc.

Take that in to consideration as well.

Will.
 
Expert Comment
by: Jessie Gill, CISSP
ID: 40547699
You can have separate password policies if you like, as long as your functional level is 2008 R2.  I would do what Dan said, and just set up delegation on the OUs for each IT department, so they manage only their own OU branch.  One consideration is the root level, as any GPOs applied at the root will be applied to child OUs unless you block inheritance.  Also the question comes up of who controls the domain and not just a child OU.
 
Expert Comment
by: Dan McFadden
ID: 40548391
After reading through the additional comments, I would go in the direction of the first scenario, OU and GPO migration in a Single Forest, Single Domain.

Unless there is some extreme need for each IT team to have ultimate control over their respective domain, the 2 company entities can be reorganized by redesigning your OU structure.  This allows you to keep the existing domain infrastructure, keeps costs to a minimum and can be done in place while operations go on.  After the new OU structure is setup and functioning in place, you can deploy your GPOs and test them (with dummy accounts).

Once everything is satisfactorily completed, I would move a small number of users from each entity over and work out any additional kinks.  Once the live test phase is ID'ed as complete, then the wholesale migration begins.

One other thing: politics!  I would have a sit-down with both IT teams and whatever management people are necessary and have a pow-wow over the top-level AD domain.  My suggestion is to designate a tightly controlled change process for any top-level (outside your operations OU) modifications.  Also, designate 1 senior/lead admin from each team to have the responsibility and permissions to make the changes.  I would also stress the fact that uncoordinated change can, and most likely will, have a potentially negative effect on the other entity's OU if the change and its effects are not discussed and made in a proper manner.

All of the experts that commented here have covered additional details that I may have overlooked.

Dan
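The in-place build-out that Jessie's and Dan's comments describe (a per-entity OU branch, delegation of that branch to the entity's IT team, a fine-grained password policy per entity, an entity GPO linked below a small change-controlled root, and a pilot move of a few users before the bulk migration), as an added example that is not part of the thread. Every name in it is hypothetical: entities EntityA and EntityB, groups EntityA-ITAdmins and EntityA-AllUsers (and the EntityB equivalents), pilot accounts alice, bob, carol and dave. It assumes the ActiveDirectory and GroupPolicy modules from RSAT and a domain at Windows Server 2008 domain functional level or higher, which fine-grained password policies require.

```powershell
# Added example, not from the thread. Hypothetical entity, group and account names throughout.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$Entities = 'EntityA', 'EntityB'    # assumed entity names
$i = 0

foreach ($e in $Entities) {
    $i++
    # 1. OU branch per entity, protected from accidental deletion
    $ou = "OU=$e,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$e)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $e -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($sub in 'Users', 'Computers', 'Groups') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $ou -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $ou -ProtectedFromAccidentalDeletion $true
        }
    }

    # 2. Delegation: the entity's IT team gets full control of its own branch and nothing else.
    #    The ACE is written on the OU with inheritance to all descendants, so it never reaches
    #    the domain root, the other entity's branch, or the built-in admin groups.
    $grpName = "$e-ITAdmins"
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$grpName'")) {
        New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ou"
    }
    $grp = Get-ADGroup $grpName
    $acl = Get-Acl "AD:\$ou"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $grp.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ou" -AclObject $acl

    # 3. Separate password policy per entity. PSOs bind to users or global security groups,
    #    never to OUs, so each entity gets an all-users group that the PSO is applied to.
    $psoName = "PSO-$e"
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$psoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence (10 * $i) `
            -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
    }
    $usersGrp = "$e-AllUsers"
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$usersGrp'")) {
        New-ADGroup -Name $usersGrp -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ou"
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $usersGrp

    # 4. Entity GPO linked to the branch. Whatever is linked at the domain root still applies
    #    here unless inheritance is blocked, so the root set stays small and change-controlled.
    $gpoName = "$e-Baseline"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | New-GPLink -Target $ou -LinkEnabled Yes
    }
}

# 5. Pilot: move a handful of named users per entity and let logon/GPO results settle before
#    the wholesale move. The account names are constructed sample data.
$Pilot = @{ EntityA = 'alice', 'bob'; EntityB = 'carol', 'dave' }
foreach ($e in $Pilot.Keys) {
    foreach ($sam in $Pilot[$e]) {
        $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
        if ($user) {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Users,OU=$e,$DomainDN"
            Add-ADGroupMember -Identity "$e-AllUsers" -Members $sam
        }
    }
}
```

Full control of a branch means the delegated team can reset the password of any account inside it, so keep Domain Admins, service accounts with domain-wide rights and the other Tier-0 objects out of both entity branches; otherwise the delegation is a one-step path to the whole domain, which is the very thing the OU split was meant to avoid.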
 
Author Closing Comment
by: coptechs
ID: 40549333
Thank you both for all the info. I am currently reviewing the ADMT guide.