Solved

What's the best way to split a single domain into 2 separate domains?

Posted on 2015-01-13
10
1,110 Views
Last Modified: 2015-01-14
Our organization currently has a single domain with 4 DC's running Server 2008 R2. We have 2 distinct entities within the organization and are exploring the possibility of splitting off one of those entities onto its own domain. We also use Google Apps for mail, calendar, etc. We would still need a trust between the 2 domains as there are some resources that we share, but not many at all.

It seems a little overwhelming to me given there are so many aspects to an AD environment (GP, DNS, User structure, Groups, etc.). I am by no means an AD expert and am trying to get a handle on the work involved here. My initial thought is to hire a consultant to assist.

Is there any sort of documentation out there on best practices and/or a checklist to help better get an idea of what is involved?
Question by:coptechs
10 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 300 total points
ID: 40546529
You really only have 1 option here.
Build the new Forest root domain and use ADMT to migrate users/computers or any other objects they desire. ADMT also uses SID history so that all of the users in the new domain will be able to access the same files in the old domain.

Take a look at the below link which is the ADMT Guide to walk you through this process.
ADMT Guide

ADMT Download

Will.
0
 
LVL 27

Assisted Solution

by:Dan McFadden
Dan McFadden earned 200 total points
ID: 40546538
First question is:  are there 2 unique IT departments or will you still support both entities?

Based on the above answer, you can determine which design to use.  My suggestions are:

1. Reorganize your OU structure to reflect the entities in the company (Single Forest, Single Domain)
2. Keep your existing domain as the forest root (blank root), build out 2 child domains and migrate the users to the new domains based on entity membership. (Single Forest, Multiple Child Domains)

#1 is really an OU and GPO migration.  AD Sites remain the same, possible restructure to account for geographical location.  Security management remains the same as it does today.
#2 Depends on budget and time to deploy.  Depending on site structure, the number of users and inter-office connectivity... you will have to determine the number of new DCs to deploy or possibly re-use 2 of your existing domain DCs as new child domain DCs.

To better answer which is best for you, it would be useful to know the following:

1. number of users in each entity
2. number of physical locations the company has
3. how your AD site structure is organized
4. number of AD sites
5. number of datacenters
6. relative connectivity between physical sites (bandwidth & reliability)

Dan
0
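The six data points Dan asks for can be pulled from the existing domain before anyone decides between the designs. The script below is an added example, not code from this thread; it assumes the ActiveDirectory module is installed on the machine it runs from, and the two entity OU distinguished names are placeholders to replace with the OUs that hold each entity's accounts today.

```powershell
# Added example (not from the thread): gather the inventory Dan asks for
# from the existing single domain before choosing a design.
Import-Module ActiveDirectory

# Hypothetical OUs that currently hold each entity's users (placeholders).
$entityOUs = @{
    'EntityA' = 'OU=EntityA,DC=corp,DC=example'
    'EntityB' = 'OU=EntityB,DC=corp,DC=example'
}

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Users per entity: enabled accounts only, searched recursively under each OU.
$userCounts = foreach ($name in $entityOUs.Keys) {
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $entityOUs[$name] -SearchScope Subtree)
    [pscustomobject]@{ Entity = $name; EnabledUsers = $users.Count }
}

# 3/4. AD sites, and which DC (with its roles) lives in which site.
$sites = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, OperatingSystem, IsGlobalCatalog,
        @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ',' } }

# 6. Site links: cost and replication interval are a rough proxy for inter-site connectivity.
$siteLinks = Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } }

# Functional levels decide what each design can use: fine-grained password policies
# need the Windows Server 2008 domain functional level, and adding child domains is
# constrained by the forest functional level.
[pscustomobject]@{
    Domain                = $domain.DNSRoot
    DomainFunctionalLevel = $domain.DomainMode
    ForestFunctionalLevel = $forest.ForestMode
    UsersPerEntity        = $userCounts
    Sites                 = $sites
    DomainControllers     = $dcs
    SiteLinks             = $siteLinks
} | Format-List
```

Physical locations and datacenters (items 2 and 5) are not in the directory and still have to come from the network team; the site and site-link output is usually the fastest way to confirm that the AD topology actually matches them.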
 
LVL 1

Author Comment

by:coptechs
ID: 40546662
Dan - 2 unique IT departments
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 40546746
@Dan McFadden I agree with you but there is another option:
#3 Two forests with one domain in each, this is a complete split.

@coptechs the decision must be based on the management request, then you decide which is the best AD configuration.
Are you splitting the company into two different management and IT departments, or are you splitting off a division still owned by your company? After the split, who sets the IT governance rules? Do they share the same Internet domain?
0
 
LVL 1

Author Comment

by:coptechs
ID: 40547183
Walter-

We don't need a complete split. We do share the same Internet domain, but that is subject to change as well. Still going to be one company w/ 2 IT departments that operate relatively independent of each other but are still related.
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 40547268
If one of the departments sets the IT governance rules and retains the enterprise/domain admin privileges you can go with option #1 ( single forest, single domain, two OU's )

If they are independent you can go with option #2 ( Single forest, two domains )
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40547279
There is not much point to separate them unless you want to have separate Default Domain Password policies/group policies etc.

As stated this can all be achieved by ACL on specific OU's. You may be creating more work for yourself than you need to. Also take into consideration that when you have a single forest and multiple child domains you start to make the AD environment much more complex; this goes with other planning in regards to Exchange, Lync, System Center etc.

Take that into consideration as well.

Will.
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40547699
You can have separate password policies if you like, as long as your functional level is 2008 R2.  I would do what Dan said, and just set up delegation on the OU's for each IT department, so they manage only their own OU branch.  One consideration is the root level, as any GPOs applied at root will be applied to child OU's unless you block inheritance.  Also the question comes up as to who controls the domain and not just a child OU.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40548391
After reading through the additional comments, I would go in the direction of the first scenario, OU and GPO migration in a Single Forest, Single Domain.

Unless there is some extreme need for each IT team to have ultimate control over their respective domain, the 2 company entities can be reorganized by redesigning your OU structure.  This allows you to keep the existing domain infrastructure, keeps costs to a minimum and can be done in place while operations go on.  After the new OU structure is setup and functioning in place, you can deploy your GPOs and test them (with dummy accounts).

Once everything is satisfactorily completed, I would move a small number of users from each entity over and work out any additional kinks.  Once the live test phase is ID'ed as complete, then the wholesale migration begins.

One other thing, politics!  I would have a sit down with both IT teams and whatever management people are necessary and have a pow-wow over the top level AD domain.  My suggestion is to designate a tightly controlled change process for any top level (outside your operations OU) modifications.  Also, to designate 1 senior/lead admin, from each team, to have the responsibility and permissions to make the changes.  I would also stress the fact that uncoordinated change can, and most likely will, have a potentially negative effect on the other entity's OU if the change and its effects are not discussed and made in a proper manner.

All of the experts that commented here have covered additional details that I may have overlooked.

Dan
0
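Jessie's delegation-plus-fine-grained-password-policy suggestion and Dan's option #1 (OU and GPO restructure in the existing domain) come down to the same handful of directory operations for each entity. The script below is an added example, not code from this thread or from any of its participants; it builds one entity's branch end to end. The entity name, group names, policy values and the GPO name are placeholders; it assumes the ActiveDirectory and GroupPolicy modules are available and that the account running it owns the domain root (the "who controls the domain" role the thread discusses).

```powershell
# Added example (not from the thread): implement option #1 for one entity inside the
# existing domain. Entity, group, GPO names and policy values are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName
$entity     = 'EntityA'
$ouDN       = "OU=$entity,$domainDN"
$adminGroup = "$entity-IT-Admins"
$userGroup  = "$entity-Users"

# 1. The entity's top-level OU plus sub-OUs, all protected from accidental deletion.
New-ADOrganizationalUnit -Name $entity -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($sub in 'Users', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $sub -Path $ouDN -ProtectedFromAccidentalDeletion $true
}

# 2. The entity's IT team and user groups live inside the branch; nobody from the
#    entity is added to Domain Admins, which stays with the root owner.
New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ouDN"
New-ADGroup -Name $userGroup  -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ouDN"

# 3. Delegation by ACL on the OU: the IT team gets full control over the OU and everything
#    beneath it (inheritance = All) and nothing outside it.
$sid = (Get-ADGroup $adminGroup).SID
$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. A separate password policy without a separate domain: a fine-grained password
#    policy (requires Windows Server 2008 domain functional level or later) applied
#    to the entity's user group. Lower Precedence wins if several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name "$entity-PSO" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "$entity-PSO" -Subjects $userGroup

# 5. The entity's baseline GPO, linked at its OU. Inheritance is deliberately left on so
#    the root owner's domain-level GPOs still apply; uncomment the block only if the
#    entity is meant to opt out of them (Enforced domain links still win over a block).
New-GPO -Name "$entity-Baseline" | New-GPLink -Target $ouDN -LinkEnabled Yes | Out-Null
# Set-GPInheritance -Target $ouDN -IsBlocked Yes

# 6. Verify what was actually applied: the ACE, the PSO subjects, and the GPO links.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$adminGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
Get-ADFineGrainedPasswordPolicySubject -Identity "$entity-PSO" | Select-Object Name
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
```

Run it once per entity with a different `$entity`. GenericAll is the broadest form of the delegation; in practice the ACE is usually narrowed to the object classes and attributes each team needs, and the verification step in section 6 is what to re-run after any change to the top-level domain, since a domain-linked, enforced GPO or an ACE added above the OU changes the entity's effective settings without anything in its own branch changing.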
 
LVL 1

Author Closing Comment

by:coptechs
ID: 40549333
Thank you both for all the info. I am currently reviewing the ADMT guide.
0