URGENT: Active Directory separation scenarios

Posted on 2015-01-19
Medium Priority
Last Modified: 2015-05-11

Our company is joining another one, and one part of the company will not join. Therefore they have asked me to present some scenarios to separate the company that will not follow us in the join adventure from our forest.

To keep it simple, I need to present AD separation with pros and cons.
Is there anyone that can help me with documentation?
How to manage the separation technically (the different steps to achieve the goal)?
I believe ADMT will be involved but don't really know how to use it... :-(
Maybe creating a new forest and migrating is the best solution?
But I need to present different scenarios to the management before Wednesday :-(
We have PKI, Exchange hosted by MS in the cloud, SharePoint and SSO, GPOs.

Thanks for your help...

Question by: AMATERASOU
LVL 42

Expert Comment

ID: 40559160
How big is your environment?

How quickly does this need to be done?

I have never done this. ;-)

The best, cleanest option that I can think of is to migrate the parts of the company that are joining the other company into their existing forest. This probably involves a temporary forest trust, and then using ADMT to migrate. This leaves the newly joined company with a clean forest, and then your existing forest would just need to delete everything that has been migrated and keep on operating with whatever is left.

An option I don't really like is to migrate the part of the company that will be left behind into a new forest, and then establish a forest trust between your current forest and the forest of the other company. You should still eventually migrate everything from your current forest into their infrastructure.

A final option that I can think of, which is pretty quick and dirty, is to take some domain controllers and use them to partition your existing forest and domain(s) into a split-brain, where you basically partition the network and disconnect the domain controllers from each other, then do a metadata cleanup to remove the domain controllers that are now in the other forest. This is similar to cloning your AD environment for testing purposes. It sounds like you have some integration between your private AD environment and the public Internet, and that would require some work to get separated out.

Sounds like a good project to bring in some consultants.
LVL 80

Expert Comment

ID: 40559303
Kevin, quite an analysis.

Have not gone through this either.

The combination of the multiple options outlined depends, as Kevin pointed out, on the size of each group and your timeframe. That deals with locally managed resources/infrastructure.
Presumably those who will not be remaining need to be shifted out first, before the join into the new one.

The external/cloud Exchange/SharePoint, is it tied into your DCs?
In the external hosted separation, which side does the domain stay with?

Are there any regulatory issues that need to be managed/handled in the transition?

Author Comment

ID: 40559389
"The external/cloud Exchange/SharePoint, is it tied into your DCs?"

My priority is the AD separation; I need to split AD with the part of our company who will not follow us in the join.
LVL 80

Expert Comment

ID: 40559908

Can the current internal domain be kept by the remaining group?
Who keeps the external domain?

Those deal with where the priority should be.
But presumably, the trust between the current forest and the other cannot be established so long as those who remain have access.

You would likely need to use the first option Kevin included while at the same time handling the 365 separation and DC tie-in. To separate
LVL 38

Accepted Solution

Mahesh earned 1500 total points
ID: 40560489
The part of the company which does not follow the joint venture, how big is it?
How many users do you have there?

If you want to separate them, that's not a very big issue.
You can create a brand new AD forest and use ADMT to migrate users from the old domain to the new domain.
However, what about the email infra?
Which email infra do you want to use, the previous one, OR will you be leveraging a new O365 domain and email addresses?

If you are sharing the same SMTP namespace but still want separate directory partitions, you could better create a tree root domain in the same forest and then do an intra-forest user migration.
This will allow you to use the same O365 domain as the previous one.

ADMT can migrate intra-forest \ inter-forest:
Download the ADMT guide from the location below

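Whichever route is chosen above (new forest plus ADMT, or a tree-root domain with an intra-forest migration), the objects that cross the boundary have to be scoped first. The following read-only inventory is an added example, not code from the thread or from ADMT: it assumes the departing unit lives under a single OU (the `$LeavingOU` DN is a placeholder) and reports security groups whose members straddle the boundary, plus the GPOs that apply to that OU.

```powershell
# Added example, not from the thread: read-only pre-migration dependency check.
# Finds security groups with members on both sides of the separation boundary
# and the GPOs linked to or inherited by the departing OU. Both need a decision
# before ADMT moves anything, whether the target is a new forest or a tree-root
# domain in the same forest. $LeavingOU is a placeholder for the departing unit.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$LeavingOU = 'OU=Leaving-BU,DC=corp,DC=example'          # placeholder DN
$Report    = Join-Path $env:TEMP 'ad-separation-dependencies.csv'

# A DN that ends with the OU's DN is inside the departing unit (sub-OUs included).
function Test-InLeavingOU([string]$Dn) {
    $Dn.EndsWith(",$LeavingOU", [System.StringComparison]::OrdinalIgnoreCase)
}

# 1. Groups whose membership straddles the boundary. After the move each side keeps
#    only the members left in its own directory, so access silently changes.
$straddling = foreach ($g in Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties member) {
    if (-not $g.member) { continue }
    $leaving = @($g.member | Where-Object { Test-InLeavingOU $_ })
    $staying = @($g.member | Where-Object { -not (Test-InLeavingOU $_) })
    if ($leaving.Count -gt 0 -and $staying.Count -gt 0) {
        [pscustomobject]@{
            Object         = $g.DistinguishedName
            Kind           = 'GroupStraddlesBoundary'
            GroupLeaves    = Test-InLeavingOU $g.DistinguishedName
            LeavingMembers = $leaving.Count
            StayingMembers = $staying.Count
        }
    }
}

# 2. GPOs that currently apply to the departing OU (linked there or inherited).
#    Links do not migrate with the objects; each GPO must be recreated or dropped.
$gpoLinks = (Get-GPInheritance -Target $LeavingOU).InheritedGpoLinks | ForEach-Object {
    [pscustomobject]@{
        Object         = $_.DisplayName
        Kind           = 'GpoAppliesToLeavingOU'
        GroupLeaves    = $null
        LeavingMembers = $null
        StayingMembers = $null
    }
}

$findings = @($straddling) + @($gpoLinks)
$findings | Export-Csv -Path $Report -NoTypeInformation
"{0} findings written to {1}" -f $findings.Count, $Report
```

Run it as a domain user with read access in the source domain; the CSV is the list of groups and GPOs that must be resolved (split, duplicated, or dropped) before the ADMT run.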