Splitting off AD Infrastructure

I have an issue I'm looking into and want to bounce some ideas of fellow experts. Trying to answer a question for a company that is a division of a larger company. The current 2008R2 AD infrastructure the company uses is subdomain X.DOMAIN.COM. This is part of an obviously larger domain DOMAIN.COM with a very complex setup of dependencies between subdomain and root groups and trusts.

The future possibility is that division X might split off on it's own with no further association with the parent. So the question is what becomes of the AD infrastructure? If I was to build a new domain from scratch it would be very complicated trying to find all the dependencies, even if I was to import the accounts that I knew. If allowed, would be better to:

A) Set up our own DCs that replicate X.DOMAIN.COM and DOMAIN.COM and then sever the connection to the parent? Hopefully that would mean we don't have to rejoin all systems to the domain. At the point I'd rename the domain unless there is a reason to leave it.
B) Set up a new domain ~1000 users and untold # of groups? Then we have to rejoin all systems to the domain.
C) Correct me if I am wrong, but it isn't possible to simply split off our existing DCs and function as X.DOMAIN.COM standalone?

This is simply AD accounts, there are no Exchange server or other AD integrated services to complicate things.
LVL 27
Brian BEE Topic Advisor, Independant Technology ProfessionalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
This is simply AD accounts, there are no Exchange server or other AD integrated services to complicate things

The approach would be the following...
- create a new Forest Root Domain (seprate)
- create a forest/domain trust with x.domain.com
- use the Active DIrectory Migration Tool (ADMT) and migrate all of the AD Objects from x.domain.com to your new Forest

At that point you can setup new policies (GPO's etc) to fit your need. Migrating objects is the best way to ensure that you have not missed any groups and it will allow users to continue to work in the new domain accessing resources from the old one (shares/files/etc).

ADMT Download - https://connect.microsoft.com/site1164/program8540

ADMT Guide - https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

Will.

Will.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Brian BEE Topic Advisor, Independant Technology ProfessionalAuthor Commented:
Kind of what I thought, but thanks for the information and references.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.