Solved

What's the best way to split a single domain into 2 separate domains?

Posted on 2015-01-13
785 Views
Last Modified: 2015-01-14
Our organization currently has a single domain with 4 DC's running Server 2008 R2. We have 2 distinct entities within the organization and are exploring the possibility of splitting off one of those entities onto its own domain. We also use Google Apps for mail, calendar, etc. We would still need a trust between the 2 domains as there are some resources that we share, but not many at all.

It seems a little overwhelming to me given there are so many aspects to an AD environment (GP, DNS, User structure, Groups, etc.). I am by no means an AD expert and am trying to get a handle on the work involved here. My initial thought is to hire a consultant to assist.

Is there any sort of documentation out there on best practices and/or a checklist to help better get an idea of what is involved?
Question by:coptechs

10 Comments
 
LVL 53

Accepted Solution

by: Will Szymkowski (earned 300 total points)
You really only have 1 option here.
Build the new Forest root domain and use ADMT to migrate users/computers or any other objects they desire. ADMT also uses SID history so that all of the users in the new domain will be able to access the same files in the old domain.

Take a look at the below link which is the ADMT Guide to walk you through this process.
ADMT Guide

ADMT Download

Will.
 
LVL 26

Assisted Solution

by: Dan McFadden (earned 200 total points)
First question is:  are there 2 unique IT departments or will you still support both entities?

Based on the above answer, you can determine which design to use.  My suggestions are:

1. Reorganize your OU structure to reflect the entities in the company (Single Forest, Single Domain)
2. Keep your existing domain as the forest root (blank root), build out 2 child domains and migrate the users to the new domains based on entity membership. (Single Forest, Multiple Child Domains)

#1 Is really an OU and GPO migration.  AD Sites remain the same, possible restructure to account for geographical location.  Security management remains the same as it does today.
#2 Depends on budget and time to deploy.  Depending on site structure, the number of users and inter-office connectivity... you will have to determine the number of new DCs to deploy or possibly re-use 2 of your existing domain DCs as new child domain DCs.

To better answer which is best for you, it would be useful to know the following:

1. number of users in each entity
2. number of physical locations the company has
3. how your AD site structure is organized
4. number of AD sites
5. number of datacenters
6. relative connectivity between physical sites (bandwidth & reliability)

Dan
 
LVL 1

Author Comment

by: coptechs
Dan - 2 unique IT departments
 
LVL 10

Expert Comment

by: Walter Padrón
@Dan McFadden I agree with you, but there is another option:
#3 Two forests with one domain in each; this is a complete split.

@coptechs the decision must be based on the management request, then you decide which is the best AD configuration.
Are you splitting the company into two different management and IT departments, or are you splitting off a division still owned by your company? After the split, who sets the IT governance rules? Do they share the same internet domain?
 
LVL 1

Author Comment

by: coptechs
Walter-

We don't need a complete split. We do share the same Internet domain, but that is subject to change as well. Still going to be one company w/ 2 IT departments that operate relatively independent of each other but are still related.
 
LVL 10

Expert Comment

by: Walter Padrón
If one of the departments sets the IT governance rules and retains the enterprise/domain admin privileges, you can go with option #1 (single forest, single domain, two OUs).

If they are independent, you can go with option #2 (single forest, two domains).
 
LVL 53

Expert Comment

by: Will Szymkowski
There is not much point to separate them unless you want to have separate Default Domain Password policies/group policies etc.

As stated, this can all be achieved by ACLs on specific OUs. You may be creating more work for yourself than you need to. Also take into consideration that when you have a single forest and multiple child domains you make the AD environment much more complex; this also applies to other planning in regards to Exchange, Lync, System Center, etc.

Take that in to consideration as well.

Will.
 
LVL 8

Expert Comment

by: Jessie Gill, CISSP
You can have separate password policies if you like, as long as your functional level is 2008 R2.  I would do what Dan said, and just set up delegation on the OUs for each IT department, so they manage only their own OU branch.  One consideration is the root level, as any GPOs applied at root will be applied to child OUs unless you block inheritance.  Also the question comes up as to who controls the domain and not just a child OU.
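The per-OU delegation, separate password policy and root-GPO inheritance points above, as an added example that is not part of the thread: a PowerShell script that builds one entity's OU branch, delegates user/group/computer management inside that branch only to that team's admin group, attaches a fine-grained password policy (requires domain functional level 2008 or later), and reports which root-level GPOs are inherited. It assumes the ActiveDirectory and GroupPolicy modules on a 2008 R2 DC or RSAT host and a Domain Admins session; the OU, group and policy names (EntityA, EntityA-OU-Admins, EntityA-PSO) are placeholders, and the schema GUIDs are the well-known ones for the user, group and computer classes.

```powershell
# Added example: delegate one OU branch to an entity's admin team without touching the domain root.
# Names below (EntityA, EntityA-OU-Admins, EntityA-PSO) are placeholders, not from the question.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # resolved from the current domain
$Entity   = 'EntityA'
$OuDN     = "OU=$Entity,$DomainDN"

# 1. One top-level OU per entity; everything that team manages lives beneath it.
New-ADOrganizationalUnit -Name $Entity -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($sub in 'Users', 'Groups', 'Computers') {
    New-ADOrganizationalUnit -Name $sub -Path $OuDN -ProtectedFromAccidentalDeletion $true
}

# 2. The delegation group for that team's admins, created inside their own branch.
$AdminGroup = New-ADGroup -Name "$Entity-OU-Admins" -GroupScope Global `
    -Path "OU=Groups,$OuDN" -PassThru
$Sid = New-Object System.Security.Principal.SecurityIdentifier $AdminGroup.SID

# 3. ACL on the entity OU only: create/delete and full control of user, group and
#    computer objects below it. Nothing is granted at the domain root.
$ObjectGuids = @{
    user     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # well-known schema class GUIDs
    group    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
}
$Acl = Get-Acl -Path "AD:\$OuDN"
foreach ($classGuid in $ObjectGuids.Values) {
    # Create and delete objects of this class anywhere under the OU
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, 'CreateChild, DeleteChild', 'Allow', $classGuid, 'All')))
    # Full control of existing descendant objects of this class (inherited-object-type scoped)
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, 'GenericAll', 'Allow', 'Descendents', $classGuid)))
}
Set-Acl -Path "AD:\$OuDN" -AclObject $Acl

# 4. A separate password policy for this entity's users (fine-grained password policy).
#    Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name "$Entity-PSO" -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false
$UsersGroup = New-ADGroup -Name "$Entity-All-Users" -GroupScope Global `
    -Path "OU=Groups,$OuDN" -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity "$Entity-PSO" -Subjects $UsersGroup

# 5. See which GPOs linked above this OU still reach it. Blocking inheritance is a
#    deliberate decision (enforced links bypass it), so it is left commented out here.
Get-GPInheritance -Target $OuDN | Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Target, Enforced
# Set-GPInheritance -Target $OuDN -IsBlocked Yes
```

The delegation deliberately scopes the ACEs by object class rather than granting GenericAll on the OU itself, so the team can manage accounts and groups in its branch but cannot alter the OU's own permissions or the GPO links set by whoever owns the domain root. Membership of EntityA-All-Users, not the OU location, is what decides who gets the PSO, so the group has to be kept in sync with the branch.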
 
LVL 26

Expert Comment

by: Dan McFadden
After reading through the additional comments, I would go in the direction of the first scenario, OU and GPO migration in a Single Forest, Single Domain.

Unless there is some extreme need for each IT team to have ultimate control over their respective domain, the 2 company entities can be reorganized by redesigning your OU structure.  This allows you to keep the existing domain infrastructure, keeps costs to a minimum and can be done in place while operations go on.  After the new OU structure is set up and functioning in place, you can deploy your GPOs and test them (with dummy accounts).

Once everything is satisfactorily completed, I would move a small number of users from each entity over and work out any additional kinks.  Once the live test phase is ID'ed as complete, then the wholesale migration begins.

One other thing, politics!  I would have a sit down with both IT teams and whatever management people are necessary and have a pow-wow over the top level AD domain.  My suggestion is to designate a tightly controlled change process for any top level (outside your operations OU) modifications.  Also, designate 1 senior/lead admin, from each team, to have the responsibility and permissions to make the changes.  I would also stress the fact that uncoordinated change can, and most likely will, have a potentially negative effect on the other entity's OU if the change and its effects are not discussed and made in a proper manner.

All of the experts that commented here have covered additional details that I may have overlooked.

Dan
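The staged move described above (dummy accounts first, then a small pilot group per entity, then the bulk migration), as an added example that is not part of the thread: a PowerShell function that dry-runs and then performs the move of a pilot batch into the new entity OU, refuses to move members of the built-in privileged groups (a constructed safety rule, since those accounts belong to whoever owns the domain root), and records for each user where it came from and which password policy now applies, so the batch can be reviewed or reversed. It assumes the ActiveDirectory module, an existing OU=Users,OU=EntityA branch, and the constructed sample account names jdoe, asmith and tlee.

```powershell
# Added example: pilot-batch OU move with dry run, privileged-account guard and a review log.
# OU path and account names are placeholders; the pilot list is constructed for illustration.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$TargetOU = "OU=Users,OU=EntityA,$DomainDN"
$Pilot    = @('jdoe', 'asmith', 'tlee')             # constructed pilot list
$LogPath  = Join-Path $env:TEMP 'EntityA-pilot-move.csv'

function Move-PilotUser {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$TargetPath,
        [switch]$WhatIf
    )
    $u      = Get-ADUser -Identity $Sam -Properties MemberOf
    $before = $u.DistinguishedName

    # Constructed guard: accounts in the built-in privileged groups stay where the
    # domain owners put them; they are not part of an entity's branch.
    if ($u.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),') {
        return [pscustomobject]@{
            User = $Sam; Moved = $false; Reason = 'member of a privileged group'
            From = $before; To = $null; PSO = $null
        }
    }

    # -WhatIf:$WhatIf makes the same call a dry run or a real move
    Move-ADObject -Identity $before -TargetPath $TargetPath -WhatIf:$WhatIf
    $after = if ($WhatIf) { $before } else { (Get-ADUser -Identity $Sam).DistinguishedName }

    # Which password policy the user effectively gets after the move (null = Default Domain Policy)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Sam

    [pscustomobject]@{
        User   = $Sam
        Moved  = -not $WhatIf
        Reason = if ($WhatIf) { 'dry run' } else { 'moved' }
        From   = $before
        To     = $after
        PSO    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    }
}

# Pass 1: dry run. Every pilot account is resolved and checked, nothing changes.
$Pilot | ForEach-Object { Move-PilotUser -Sam $_ -TargetPath $TargetOU -WhatIf } | Format-Table -AutoSize

# Pass 2: the real move, logged so the batch can be reviewed and, via the From column, reversed.
$Results = $Pilot | ForEach-Object { Move-PilotUser -Sam $_ -TargetPath $TargetOU }
$Results | Export-Csv -Path $LogPath -NoTypeInformation
$Results | Format-Table -AutoSize
```

Moving an object between OUs keeps its SID and group memberships, so the things to verify after the pilot are the ones that do change with location: the GPOs that now apply, the delegated admins who can now touch the account, and (through group membership rather than location) the resultant password policy the log records.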
 
LVL 1

Author Closing Comment

by: coptechs
Thank you both for all the info. I am currently reviewing the ADMT guide.