URGENT: Active Directory separation scenarios

Posted on 2015-01-19
Last Modified: 2015-05-11

Our company is joining another one, and one part of the company will not join. Therefore they asked me to present some scenarios to separate from our forest the company that will not follow us in the join adventure.

To keep it simple, I need to present AD separation with pros and cons.
Is there anyone who can help me with documentation?
How to manage the separation technically (the different steps to achieve the goal)?
I believe ADMT will be involved, but I don't really know how to use it... :-(
Maybe creating a new forest and migrating is the best solution?
But I need to present different scenarios to the management before Wednesday :-(
We have PKI, Exchange hosted by MS in the cloud, SharePoint and SSO, GPOs.

Thanks for your help...

Question by: AMATERASOU

Expert Comment

ID: 40559160
How big is your environment?

How quickly does this need to be done?

I have never done this. ;-)

The best, cleanest option that I can think of is to migrate the parts of the company that are joining the other company into their existing forest. This probably involves a temporary forest trust, and then using ADMT to migrate. This leaves the newly joined company with a clean forest, and then your existing forest would just need to delete everything that has been migrated and keep on operating with whatever is left.

An option I don't really like is to migrate the part of the company that will be left behind into a new forest, and then establish a forest trust between your current forest and the forest of the other company. You should still eventually migrate everything from your current forest into their infrastructure.

A final option that I can think of, which is pretty quick and dirty, is to take some domain controllers and use them to partition your existing forest and domain(s) into a split-brain, where you basically partition the network and disconnect the domain controllers from each other, then do a metadata cleanup to remove the domain controllers that are now in the other forest. This is similar to cloning your AD environment for testing purposes. It sounds like you have some integration between your private AD environment and the public Internet, and that would require some work to get separated out.

Sounds like a good project to bring in some consultants.
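The temporary forest trust that the first option above relies on, as an added example (not code posted in this thread): it is driven from the acquirer's (target) forest with the .NET System.DirectoryServices.ActiveDirectory classes rather than the Domains and Trusts MMC, so the hardening steps (selective authentication, SID filtering left on, removal afterwards) are explicit and repeatable. The forest names, the admin account prompted for, and the choice of a two-way trust are assumptions; run it as an Enterprise Admin of the target forest.

```powershell
# Added example, not code from the thread. Assumptions: the two forest names below,
# Enterprise Admin rights in the target forest, and Enterprise Admin credentials for
# the source forest supplied at the prompt.
$sourceForestName = 'oldcorp.example'   # assumption: forest being split (ADMT source)
$targetForestName = 'newcorp.example'   # assumption: acquirer's forest (ADMT target)

Add-Type -AssemblyName System.DirectoryServices
$ns = 'System.DirectoryServices.ActiveDirectory'

function Get-ForestObject {
    # Bind to a forest by name, optionally with explicit credentials for the remote one.
    param([string]$Name, [System.Management.Automation.PSCredential]$Credential)
    if ($Credential) {
        $ctx = New-Object "$ns.DirectoryContext" -ArgumentList 'Forest', $Name, $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        $ctx = New-Object "$ns.DirectoryContext" -ArgumentList 'Forest', $Name
    }
    return [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
}

$sourceCred = Get-Credential -Message "Enterprise Admin in $sourceForestName"
$target = Get-ForestObject -Name $targetForestName
$source = Get-ForestObject -Name $sourceForestName -Credential $sourceCred
$both   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

# 1. Create both sides of the forest trust in one call. Two-way is what most ADMT
#    walkthroughs assume (computer migration and agent deployment work from either side);
#    an outbound-only trust (target trusts source) is enough for user/group migration
#    if you want the smaller exposure.
$target.CreateTrustRelationship($source, $both)

# 2. Tighten it before anyone uses it. With selective authentication, source-forest
#    users get no implicit Authenticated Users access in the target forest; only
#    principals granted "Allowed to Authenticate" on specific computers can use the trust.
$target.SetSelectiveAuthenticationStatus($source.Name, $true)

# 3. Leave SID filtering on unless you depend on migrated sIDHistory being honoured
#    across this trust during coexistence; with it off, anyone who controls the source
#    forest can inject target-forest SIDs into sIDHistory and be granted them here.
$target.SetSidFilteringStatus($source.Name, $true)

# 4. Verify both sides answer before pointing ADMT at the trust; VerifyTrustRelationship
#    throws if either side is broken.
$target.VerifyTrustRelationship($source, $both)
$target.GetTrustRelationship($source.Name) | Format-List SourceName, TargetName, TrustDirection, TrustType

# 5. After the last ADMT batch, remove the trust rather than leaving a standing path
#    between what will be two unrelated companies (uncomment when ready).
# $target.DeleteTrustRelationship($source)
```

On Windows Server 2012 or later the same state can be checked from the ActiveDirectory module with Get-ADTrust -Filter * on each side; the .NET calls above also work against 2008 R2 domain controllers, which is why the example uses them.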

Expert Comment

ID: 40559303
Kevin, quite an analysis.

Have not gone through this either.

Which combination of the options outlined applies depends, as Kevin pointed out, on the size of each group and your timeframe. That deals with locally managed resources/infrastructure.
Presumably those who will not be remaining need to be shifted out first, before the join into the new one.

The external/cloud exchange/sharepoint, is it tied into your DCs?
For the externally hosted separation, which side does the domain stay with?

Are there any regulatory issues that need to be managed/handled in the transition?

Author Comment

ID: 40559389
The external/cloud exchange/sharepoint, is it tied into your DCs?

My priority is the AD separation: I need to split AD with the part of our company that will not follow us in the join.

Expert Comment

ID: 40559908

Can the current internal domain be kept by the remaining group?
Who keeps the external domain?

Those deal with where the priority should be.
But presumably the trust between the current forest and the other cannot be established so long as those who remain have access.

You would likely need to use the first option Kevin included while at the same time handling the 365 separation and the DC tie-in. To separate

Accepted Solution

Mahesh earned 500 total points
ID: 40560489
The part of the company which does not follow the joint venture, how big is it?
How many users do you have there?

If you want to separate them, that's not a very big issue.
You can create a brand new AD forest and use ADMT to migrate users from the old domain to the new domain.
However, what about the email infrastructure?
Which email infrastructure do you want to use, the previous one, or will you be leveraging a new O365 domain and email addresses?

If you are sharing the same SMTP namespace but still want separate directory partitions, you could better create a tree root domain in the same forest and then do an intra-forest user migration.
This will allow you to use the same O365 domain as before.

ADMT can migrate intra-forest / inter-forest:
Download the ADMT guide from the location below
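Before ADMT is run for either of the two layouts above (new forest, or a new tree root domain in the same forest), a practitioner wants to know what is leaving and what it still depends on, because ADMT carries over accounts and groups but not the group memberships, GPO links or privileges that reach back into the part that stays. The script below is an added example, not code from the accepted answer or from Microsoft's ADMT guide: it writes ADMT include files for the users, groups and computers under the leaving OU and a CSV of cross-boundary dependencies. The OU path, output folder and domain name are placeholders (assumptions); it needs the RSAT ActiveDirectory and GroupPolicy modules and a reader of the whole source domain.

```powershell
# Added example, not code from the thread. Assumptions: the leaving objects live under
# one OU subtree ($leavingOu), the RSAT ActiveDirectory and GroupPolicy modules are
# installed, and $outDir is writable.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$leavingOu = 'OU=Leaving,DC=oldcorp,DC=example'   # assumption: OU subtree that leaves
$outDir    = 'C:\Separation'                       # assumption: report/include-file folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Test-InsideBoundary {
    # True when the DN sits anywhere under the leaving OU (case-insensitive suffix match).
    param([string]$DistinguishedName, [string]$Boundary)
    return $DistinguishedName.EndsWith($Boundary, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-ValueCount {
    # Number of values in a multi-valued AD attribute; 0 for $null or an empty collection.
    param($Value)
    return ($Value | Measure-Object).Count
}

$findings = New-Object System.Collections.ArrayList
function Add-Finding {
    param([string]$Object, [string]$Type, [string]$Issue, [string]$Detail)
    [void]$findings.Add((New-Object PSObject -Property @{ Object = $Object; Type = $Type; Issue = $Issue; Detail = $Detail }))
}

$users     = Get-ADUser     -SearchBase $leavingOu -SearchScope Subtree -Filter * -Properties memberOf, adminCount, servicePrincipalName, sIDHistory
$groups    = Get-ADGroup    -SearchBase $leavingOu -SearchScope Subtree -Filter *
$computers = Get-ADComputer -SearchBase $leavingOu -SearchScope Subtree -Filter * -Properties memberOf

# 1. ADMT include files: one sAMAccountName (computer: Name) per line. ADMT also accepts
#    DNs; a header row is only needed when the file also supplies target names for renaming.
$users     | Select-Object -ExpandProperty SamAccountName | Set-Content -Path (Join-Path $outDir 'admt-users.txt')
$groups    | Select-Object -ExpandProperty SamAccountName | Set-Content -Path (Join-Path $outDir 'admt-groups.txt')
$computers | Select-Object -ExpandProperty Name           | Set-Content -Path (Join-Path $outDir 'admt-computers.txt')

# 2. Dependencies on objects that stay behind. After the split these memberships stop
#    granting anything unless the group migrates too or a trust remains in place.
foreach ($u in $users) {
    foreach ($dn in $u.memberOf) {
        if (-not (Test-InsideBoundary $dn $leavingOu)) {
            Add-Finding $u.SamAccountName 'User' 'Member of a group that stays behind' $dn
        }
    }
    if ($u.adminCount -eq 1) {
        Add-Finding $u.SamAccountName 'User' 'adminCount=1 (protected account): review its privileges before migrating' ''
    }
    if ((Get-ValueCount $u.servicePrincipalName) -gt 0) {
        Add-Finding $u.SamAccountName 'User' 'Has SPNs (service account): SPNs and delegation must be re-registered in the new domain' ($u.servicePrincipalName -join ';')
    }
    if ((Get-ValueCount $u.sIDHistory) -gt 0) {
        Add-Finding $u.SamAccountName 'User' 'Already carries sIDHistory from an earlier migration' ($u.sIDHistory -join ';')
    }
}
foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InsideBoundary $_.DistinguishedName $leavingOu) } |
        ForEach-Object { Add-Finding $g.SamAccountName 'Group' 'Has a member that stays behind' $_.DistinguishedName }
}
foreach ($c in $computers) {
    foreach ($dn in $c.memberOf) {
        if (-not (Test-InsideBoundary $dn $leavingOu)) {
            Add-Finding $c.Name 'Computer' 'Member of a group that stays behind' $dn
        }
    }
}

# 3. GPOs are not migrated by ADMT: record what is linked to the leaving subtree so it
#    can be exported with Backup-GPO / Import-GPO (with a migration table) afterwards.
foreach ($link in (Get-GPInheritance -Target $leavingOu).GpoLinks) {
    Add-Finding $link.DisplayName 'GPO' 'Linked to the leaving OU: back up and re-import in the new domain' $link.Target
}

$findings | Select-Object Object, Type, Issue, Detail |
    Export-Csv -Path (Join-Path $outDir 'cross-boundary-report.csv') -NoTypeInformation
$summary = '{0} users, {1} groups, {2} computers to migrate; {3} findings written to {4}'
$summary -f ($users | Measure-Object).Count, ($groups | Measure-Object).Count, ($computers | Measure-Object).Count, $findings.Count, $outDir
```

Feed the three include files to ADMT's user, group and computer migration wizards (groups first, then users, then computers), and work through cross-boundary-report.csv before the first batch: every "stays behind" row is access that will break unless the object is added to the migration set, and the adminCount and SPN rows are the accounts that deserve a manual review rather than a bulk move.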
