• Status: Solved

URGENT: Active Directory separation scenarios


Our company is joining another one, and one part of the company will not join. Therefore they asked me to present some scenarios to separate from our forest the company that will not follow us in the join adventure.

To keep it simple, I need to present AD separation with pros and cons.
Is there anyone that can help me with documentation?
How to manage the separation technically (the different steps to achieve the goal)?
I believe ADMT will be involved but don't really know how to use it... :-(
Maybe creating a new forest and migrating is the best solution?
But I need to present different scenarios to the management before Wednesday :-(
We have PKI, Exchange hosted by MS in the cloud, SharePoint and SSO, GPOs

Thanks for your help...

1 Solution
How big is your environment?

How quickly does this need to be done?

I have never done this. ;-)

The best, cleanest option that I can think of is to migrate the part of the company that is joining the other company into their existing forest. This probably involves a temporary forest trust, and then using ADMT to migrate. This leaves the newly joined company with a clean forest, and your existing forest would just need to delete everything that has been migrated and keep on operating with whatever is left.

An option I don't really like is to migrate the part of the company that will be left behind into a new forest, and then establish a forest trust between your current forest and the forest of the other company. You should still eventually migrate everything from your current forest into their infrastructure.

A final option that I can think of, which is pretty quick and dirty, is to take some domain controllers and use them to partition your existing forest and domain(s) into a split-brain: you basically partition the network, disconnect the domain controllers from each other, and do a metadata cleanup to remove the domain controllers that are now in the other forest. This is similar to cloning your AD environment for testing purposes. It sounds like you have some integration between your private AD environment and the public Internet, and that would require some work to get separated out.

Sounds like a good project to bring in some consultants.
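An added example, not from the thread above, of the preparation the first option needs: an inventory of the forest that is about to be split (domains, FSMO role holders, domain controllers, existing trusts), followed by creating and verifying the temporary forest trust that ADMT relies on. It assumes the ActiveDirectory PowerShell module, an Enterprise Admin account in the source forest, and placeholder names for the two forests (corp.example and partner.example); the netdom option for enabling SID history across the trust is quoted from the ADMT guide and should be checked against your copy before use.

```powershell
# Added example (not part of the original thread). Assumptions: ActiveDirectory
# module present, run as Enterprise Admin in the source forest, and the
# partner forest reachable with an account allowed to create trusts there.
# corp.example / partner.example are placeholders.
Import-Module ActiveDirectory

$SourceForest  = 'corp.example'      # assumption: the forest being split
$PartnerForest = 'partner.example'   # assumption: forest the joining part moves into

# 1. Inventory what a separation has to untangle: domains, FSMO holders, DCs, trusts.
$forest = Get-ADForest -Identity $SourceForest
"Forest {0} (mode {1}); schema master {2}; naming master {3}" -f `
    $forest.Name, $forest.ForestMode, $forest.SchemaMaster, $forest.DomainNamingMaster
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    "Domain {0}: PDC {1}, RID {2}, Infrastructure {3}" -f `
        $dom.DNSRoot, $dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
        Format-Table -AutoSize
}
# Trusts that already exist (anything here survives or dies with the split).
Get-ADTrust -Filter * -Server $SourceForest |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Create the temporary two-way forest trust that ADMT needs.
$cred = Get-Credential -Message "Enterprise Admin in $PartnerForest"
$ctxLocal  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $SourceForest)
$ctxRemote = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', $PartnerForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxLocal)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxRemote)
$both   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$local.CreateTrustRelationship($remote, $both)

# 3. Verify the trust and record its SID filtering state. ADMT's SID history migration
#    needs SID history allowed over the trust for the migration window only; the ADMT
#    guide does this with
#      netdom trust <TargetForest> /domain:<SourceForest> /enablesidhistory:Yes /userD:... /passwordD:...
#    and it should be switched back off (/enablesidhistory:No) once the migration is done,
#    because an open SID history path lets a compromised source account impersonate target SIDs.
$local.VerifyTrustRelationship($remote, $both)
Get-ADTrust -Identity $PartnerForest -Server $SourceForest |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
```

The inventory step matters more than it looks: the split-brain option only works if every domain's FSMO roles end up on a DC that stays on the correct side, and every trust listed in step 1 has to be recreated or deliberately dropped by whichever side keeps the forest name.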
Kevin, quite an analysis.

Have not gone through this either.

The combination of the multiple options outlined depends, as Kevin pointed out, on the size of each group and your timeframe. This deals with locally managed resources/infrastructure.
Presumably those who will not be remaining need to be shifted out first, before the join into the new one.

The external/cloud Exchange/SharePoint, is it tied into your DCs?
For the externally hosted separation, the domain stays with which side?

Are there any regulatory issues that need to be managed/handled in the transition?
AMATERASOU (Author) commented:
The external/cloud Exchange/SharePoint, is it tied into your DCs?

My priority is the AD separation; I need to split AD with the part of our company who will not follow us in the joint venture.

Can the current internal domain be kept by the remaining group?
Who keeps the external domain?

Those deal with where the priority should be.
But presumably, the trust between the current forest and the other cannot be established so long as those who remain have access.

You would likely need to use the first option Kevin included while at the same time handling the 365 separation and DC tie-in. To separate
The part of the company which does not follow the joint venture, how big is it?
How many users do you have there?

If you want to separate them, that's not a very big issue.
You can create a brand new AD forest and use ADMT to migrate users from the old domain to the new domain.
However, what about the email infra?
Which email infra do you want to use: the previous one, or will you be leveraging a new O365 domain and email addresses?

If you are sharing the same SMTP namespace but still want separate directory partitions, you could create a tree root domain in the same forest and then do an intra-forest user migration.
This will allow you to use the same O365 domain as before.

ADMT can migrate intra-forest / inter-forest:
Download the ADMT guide from the location below.
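An added example, not from the thread above, of the scoping work that precedes an ADMT migration of the group that stays behind into a new forest: enumerate the users, groups and computers under the OU being split off, flag group memberships that cross the split (these silently break once the trust is removed), list the GPO links that ADMT will not carry over, and write ADMT include files plus the ADMT command lines in group-then-user-then-computer order. It assumes the ActiveDirectory and GroupPolicy modules, one OU holding the leaving part of the company, and placeholder domain and OU names; the include-file header and the ADMT switches (/F, /SD, /TD, /TO) are taken from the ADMT command-line documentation and should be checked against the guide.

```powershell
# Added example (not part of the original thread). Assumptions: ActiveDirectory and
# GroupPolicy modules present, the leaving part of the company lives under one OU,
# ADMT 3.2 is installed on a member server in the target domain. All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SourceDomain = 'corp.example'                       # assumption: existing forest root domain
$TargetDomain = 'newco.example'                      # assumption: new forest for the remaining group
$LeavingOU    = 'OU=Remaining,DC=corp,DC=example'    # assumption: OU that holds the leaving group
$TargetOU     = 'OU=Migrated,DC=newco,DC=example'    # assumption: landing OU in the new forest
$OutDir       = 'C:\ADMT'                            # assumption: working folder on the ADMT host
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Scope: every object under the OU being split off.
$users     = @(Get-ADUser     -Filter * -SearchBase $LeavingOU -Properties MemberOf)
$groups    = @(Get-ADGroup    -Filter * -SearchBase $LeavingOU)
$computers = @(Get-ADComputer -Filter * -SearchBase $LeavingOU -Properties OperatingSystem)
"{0} users, {1} groups, {2} computers in scope" -f $users.Count, $groups.Count, $computers.Count

# 2. Cross-boundary memberships: an in-scope user in a group that stays behind keeps
#    that access only while the trust (or SID history) exists; each one needs a decision.
$inScope = @{}
foreach ($g in $groups) { $inScope[$g.DistinguishedName] = $true }
$crossing = @(foreach ($u in $users) {
    foreach ($dn in $u.MemberOf) {
        if (-not $inScope.ContainsKey($dn)) {
            [pscustomobject]@{ User = $u.SamAccountName; GroupOutsideScope = $dn }
        }
    }
})
if ($crossing.Count -gt 0) {
    $crossing | Export-Csv -Path "$OutDir\cross-boundary-memberships.csv" -NoTypeInformation
}
"{0} cross-boundary memberships to review" -f $crossing.Count

# 3. GPO links at or below the OU: ADMT does not migrate GPOs, so these must be
#    backed up and imported (or rebuilt) in the new forest.
Get-ADOrganizationalUnit -Filter * -SearchBase $LeavingOU |
    ForEach-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks } |
    Select-Object DisplayName, Target, Enabled, Enforced |
    Export-Csv -Path "$OutDir\gpo-links.csv" -NoTypeInformation

# 4. ADMT include files: a SourceName header row then one name per line
#    (format per the ADMT guide; assumption, verify against your copy).
'SourceName' | Set-Content "$OutDir\users.txt"
$users.SamAccountName | Add-Content "$OutDir\users.txt"
'SourceName' | Set-Content "$OutDir\groups.txt"
$groups.SamAccountName | Add-Content "$OutDir\groups.txt"
'SourceName' | Set-Content "$OutDir\computers.txt"
$computers.Name | Add-Content "$OutDir\computers.txt"   # computer names without the trailing $

# 5. Migration order: groups first so user memberships resolve, then users, then computers.
#    Run from the ADMT host in the target domain. SID history and password migration
#    switches are deliberately left to the ADMT guide rather than assumed here.
@"
admt group    /F:"$OutDir\groups.txt"    /SD:"$SourceDomain" /TD:"$TargetDomain" /TO:"$TargetOU"
admt user     /F:"$OutDir\users.txt"     /SD:"$SourceDomain" /TD:"$TargetDomain" /TO:"$TargetOU"
admt computer /F:"$OutDir\computers.txt" /SD:"$SourceDomain" /TD:"$TargetDomain" /TO:"$TargetOU"
"@ | Set-Content "$OutDir\run-admt.cmd"
```

Run the scoping half first and take the cross-boundary CSV to the business: every row is either a group that has to be duplicated in the new forest or an access right that ends on cut-over day, and that list is usually what decides between Kevin's first and second options.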