Solved

What's the best way to split a single domain into 2 separate domains?

Posted on 2015-01-13
Last Modified: 2015-01-14
Our organization currently has a single domain with 4 DC's running Server 2008 R2. We have 2 distinct entities within the organization and are exploring the possibility of splitting off one of those entities onto its own domain. We also use Google Apps for mail, calendar, etc. We would still need a trust between the 2 domains as there are some resources that we share, but not many at all.

It seems a little overwhelming to me given there are so many aspects to an AD environment (GP, DNS, user structure, groups, etc.). I am by no means an AD expert and am trying to get a handle on the work involved here. My initial thought is to hire a consultant to assist.

Is there any sort of documentation out there on best practices and/or a checklist to help better get an idea of what is involved?
Question by:coptechs
10 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1200 total points
ID: 40546529
You really only have 1 option here.
Build the new Forest root domain and use ADMT to migrate users/computers or any other objects they desire. ADMT also uses SID history so that all of the users in the new domain will be able to access the same files in the old domain.

Take a look at the below link which is the ADMT Guide to walk you through this process.
ADMT Guide

ADMT Download

Will.
0
 
LVL 29

Assisted Solution

by:Dan McFadden
Dan McFadden earned 800 total points
ID: 40546538
First question is:  are there 2 unique IT departments or will you still support both entities?

Based on the above answer, you can determine which design to use.  My suggestions are:

1. Reorganize your OU structure to reflect the entities in the company (Single Forest, Single Domain)
2. Keep your existing domain as the forest root (blank root), build out 2 child domains and migrate the users to the new domains based on entity membership. (Single Forest, Multiple Child Domains)

#1 is really an OU and GPO migration.  AD Sites remain the same, with a possible restructure to account for geographical location.  Security management remains the same as it does today.
#2 depends on budget and time to deploy.  Depending on site structure, the number of users and inter-office connectivity... you will have to determine the number of new DCs to deploy, or possibly re-use 2 of your existing domain DCs as new child domain DCs.

To better answer which is best for you, it would be useful to know the following:

1. number of users in each entity
2. number of physical locations the company has
3. how your AD site structure is organized
4. number of AD sites
5. number of datacenters
6. relative connectivity between physical sites (bandwidth & reliability)

Dan
0
 
LVL 1

Author Comment

by:coptechs
ID: 40546662
Dan - 2 unique IT departments
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 40546746
@Dan McFadden I agree with you, but there is another option:
#3 Two forests with one domain in each; this is a complete split.

@coptechs the decision must be based on the management request, then you decide which is the best AD configuration.
Are you splitting the company into two different management and IT departments, or are you splitting off a division still owned by your company? After the split, who sets the IT governance rules? Do they share the same Internet domain?
0
 
LVL 1

Author Comment

by:coptechs
ID: 40547183
Walter-

We don't need a complete split. We do share the same Internet domain, but that is subject to change as well. Still going to be one company w/ 2 IT departments that operate relatively independent of each other but are still related.
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 40547268
If one of the departments sets the IT governance rules and retains the enterprise/domain admin privileges, you can go with option #1 (single forest, single domain, two OUs).

If they are independent, you can go with option #2 (single forest, two domains).
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40547279
There is not much point in separating them unless you want to have separate default domain password policies/group policies etc.

As stated, this can all be achieved by ACLs on specific OUs. You may be creating more work for yourself than you need to. Also take into consideration that when you have a single forest and multiple child domains, you start to make the AD environment much more complex; this also affects other planning in regards to Exchange, Lync, System Center etc.

Take that in to consideration as well.

Will.
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40547699
You can have separate password policies if you like, as long as your functional level is 2008 R2.  I would do what Dan said, and just set up delegation on the OUs for each IT department, so they manage only their own OU branch.  One consideration is the root level, as any GPOs applied at the root will be applied to child OUs unless you block inheritance.  Also the question comes up as to who controls the domain and not just a child OU.
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40548391
After reading through the additional comments, I would go in the direction of the first scenario, OU and GPO migration in a single forest, single domain.

Unless there is some extreme need for each IT team to have ultimate control over their respective domain, the 2 company entities can be reorganized by redesigning your OU structure.  This allows you to keep the existing domain infrastructure, keeps costs to a minimum and can be done in place while operations go on.  After the new OU structure is set up and functioning in place, you can deploy your GPOs and test them (with dummy accounts).

Once everything is satisfactorily completed, I would move a small number of users from each entity over and work out any additional kinks.  Once the live test phase is ID'ed as complete, then the wholesale migration begins.

One other thing: politics!  I would have a sit-down with both IT teams and whatever management people are necessary and have a pow-wow over the top-level AD domain.  My suggestion is to designate a tightly controlled change process for any top-level (outside your operations OU) modifications.  Also, designate 1 senior/lead admin from each team to have the responsibility and permissions to make the changes.  I would also stress the fact that uncoordinated change can, and most likely will, have a potentially negative effect on the other entity's OU if the change and its effects are not discussed and made in a proper manner.

All of the experts that commented here have covered additional details that I may have overlooked.

Dan
0
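The single-domain approach that Dan and Jessie settle on (one delegated OU subtree per entity, its own password policy, and a conscious decision about GPO inheritance) can be laid out as a script. This is an added example, not code from the thread; the domain is taken from the running session, and the names EntityB, EntityB-Admins, EntityB-Users and EntityB-PSO are placeholders.

```powershell
# Added example (not from the thread): carve out one entity as a delegated OU subtree in the
# existing single domain. EntityB, EntityB-Admins, EntityB-Users and EntityB-PSO are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$EntityOU = "OU=EntityB,$DomainDN"

# Fine-grained password policies need a domain functional level of Windows Server 2008 or higher.
$mode = $Domain.DomainMode.ToString()
if ($mode -in @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')) {
    throw "Domain functional level $mode is too low for fine-grained password policies."
}

# 1. Top-level OU for the entity (protected from accidental deletion) plus its sub-OUs.
New-ADOrganizationalUnit -Name 'EntityB' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($sub in 'Users', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $sub -Path $EntityOU -ProtectedFromAccidentalDeletion $true
}

# 2. Groups: the entity's own admin team, and the users its password policy will cover.
New-ADGroup -Name 'EntityB-Admins' -GroupScope Global -GroupCategory Security -Path "OU=Groups,$EntityOU"
New-ADGroup -Name 'EntityB-Users'  -GroupScope Global -GroupCategory Security -Path "OU=Groups,$EntityOU"

# 3. Delegate the OU subtree to the entity's admins instead of handing out Domain Admins.
#    dsacls: /I:T = this object and all descendants, GA = generic all (full control).
dsacls.exe $EntityOU /I:T /G "$($Domain.NetBIOSName)\EntityB-Admins:GA" | Out-Null

# 4. A separate password/lockout policy for that entity, as a PSO applied to its user group.
New-ADFineGrainedPasswordPolicy -Name 'EntityB-PSO' -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'EntityB-PSO' -Subjects 'EntityB-Users'

# 5. Domain-level GPOs still flow into the OU. Block inheritance only if the entity must own
#    its own baseline; GPOs linked at the domain with Enforced set still apply regardless.
Set-GPInheritance -Target $EntityOU -IsBlocked Yes | Out-Null

# Verify the delegation and the PSO assignment before moving any real accounts.
dsacls.exe $EntityOU | Select-String 'EntityB-Admins'
Get-ADFineGrainedPasswordPolicySubject -Identity 'EntityB-PSO'
Get-GPInheritance -Target $EntityOU | Select-Object GpoInheritanceBlocked, InheritedGpoLinks
```

Run it from an account that is allowed to create OUs and PSOs at the domain level; the last three lines are the checks to repeat after the test accounts Dan suggests have been moved in.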
 
LVL 1

Author Closing Comment

by:coptechs
ID: 40549333
Thank you both for all the info. I am currently reviewing the ADMT guide.
0
