Domain Split AD SQL

Hi,

I am working on a domain split with 2 options. Option 1 is separate forests; I already have my answers for this.
Option 2 brings me here now: same forest, separate domains.

Anybody care to list the steps to migrate an AD domain with several SQL servers and one Exchange Server 2010 to a new domain within the same forest?

Requirements for this are:
1. Domains must not be able to access each other in any way once the split and migration is complete.
2. We will be leaving all of the SQL stuff on the original domain and migrating our Exchange 2010 and AD 2008 functional level to a new domain. The reason we are doing this is we are locking the SQL server and web stuff up in its own domain, and we intend to keep only this stuff in our current AD domain so that nothing goes wrong with this part of the business.

Thanks in advance!
Asked by Mark Bill

Will Szymkowski (Senior Solution Architect) commented:
Hey Mark,

Couple of things here...

"Domains must not be able to access each other in any way once the split and migration is complete."
Having a single forest with multiple domains will not work for you, based on your comment above. This is because when you create a child domain under a forest root domain there is a "transitive trust" that is established. This means that the child domain trusts the forest root domain and the root domain trusts the child.

Also, in a single forest you have forest FSMO roles (Schema Master and Domain Naming Master) and you have domain roles (PDC Emulator, RID Master, Infrastructure Master). The child domain will hold its own domain roles; however, it still references the forest for the forest FSMO roles.

"We will be leaving all of the SQL stuff on the original domain and migrating our Exchange 2010 and AD 2008 functional level to a new domain. The reason we are doing this is we are locking the SQL server and web stuff up in its own domain and we intend to keep only this stuff in our current AD domain so that nothing goes wrong with this part of the business."

As for the second question, you are still going to be required to have a DC in the forest root domain to service the forest/domain FSMO roles, along with providing authentication for any servers in the root domain like your SQL.

However, you stated that you want to do this so that you can lock down your SQL? Not quite sure what you are trying to accomplish by putting them in a different domain and/or forest.

Ultimately I think you are just over-complicating things here; simply lock down your environment based on NTFS permissions using security groups. You do not need to isolate SQL to keep it secure.

The more forests/domains you have, the more complex it will get, which will also affect you doing upgrades in the future, as it will not be as easy.

Will.
0
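To make the structure Will describes visible before any split is planned, here is an added PowerShell example (not code from the thread) that enumerates the forest-level and domain-level FSMO role holders and the trust relationships of every domain in the forest. It assumes the ActiveDirectory module (RSAT) and a domain-joined session; no domain or server names are assumed, everything is discovered.

```powershell
# Added example (not from the thread): audit FSMO role holders and trusts.
# Assumes the ActiveDirectory module is installed and the session is
# authenticated against the forest being examined.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: every domain in the forest depends on these two.
[PSCustomObject]@{
    ForestRoot         = $forest.RootDomain
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    Domains            = ($forest.Domains -join ', ')
} | Format-List

# Domain-level roles: a child domain holds its own three roles but still
# references the forest roles above, which is why a DC in the root domain
# cannot simply go away.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [PSCustomObject]@{
        Domain               = $dom.DNSRoot
        ParentDomain         = $dom.ParentDomain
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
} | Format-Table -AutoSize

# Trusts: a child domain created inside an existing forest automatically gets
# a two-way transitive parent/child trust (IntraForest = True). Seeing it
# listed here shows why "no access at all" between the domains cannot be met
# within one forest.
foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{ n = 'SourceDomain'; e = { $d } },
                      Target, Direction, IntraForest, ForestTransitive, TrustType
} | Format-Table -AutoSize
```

Run this read-only audit from a workstation with RSAT; the trust listing is the evidence for requirement 1 being unachievable with a child domain, and the role listing shows which DCs the SQL domain would still have to rely on.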
Mark Bill (Author) commented:
OK, one reason to have the SQL and web side of our setup on a different AD domain from our workstations, Exchange and file servers is in case we get hacked: we get hacked on a different network, whether it be the website/SQL network or the workstation network.

Thank you for pointing out the things you have here, especially in relation to the trusts and forest-wide roles.
0
Will Szymkowski (Senior Solution Architect) commented:
It is always best to enforce security from a network perspective with a network appliance like a firewall, isolating the specific IPs and/or ports that are associated with a specific service (e.g. web server). You can always do this via a DMZ and rules to talk to specific servers inside your network, which can only communicate on specific ports.

A DMZ would be the most practical method of securing perimeter devices. You could also do NAT-ing with your firewall to internal servers; however, the DMZ option would be my first recommendation.

Will.
0

Mark Bill (Author) commented:
We do use all of this already; as an engineer I am actually against this "domain split", but what can I do.
I completely agree with everything you said here about this, and thanks for your help.

I will give you a bit of an idea about the setup we are going for.

HA provided by block-level SAN replication in site 1 and 2.
VMware ESXi 6.0 with vCenter Server 6.0 and VMware SRM for failover.
So whatever solution we go for, 2 domains or 1, it has to provide us the ability to fail over from site 1 to 2.

What I think is best to do, please let me know if you agree with this.
As a solution I think we should:
1. Create a VPN between site 1 and 2.
2. Have a 100% replica of site 1 on site 2.
3. Not split the AD domain.

This then avoids the over-complication.
Additionally, Will, this company cannot be offline for any decent period of time.

Thanks for your help again, Will, you are the best!
0
Mark Bill (Author) commented:
Just saying that any solution we do implement has to be compatible with the SAN setup and VMware SRM failover.

Another solution that is not a domain split would be great, I cannot really think of any apart from the one I listed above.
0
Will Szymkowski (Senior Solution Architect) commented:
Creating multiple sites in AD is the more appropriate solution, not multiple domains. So what you have stated above would be the better approach. Always keep in mind that when you are adding more domains to a forest you are making everything more complicated, i.e. Exchange and/or other services as well.

Will.
0
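The two-site, single-domain topology Will recommends can be expressed as AD sites, subnets and a site link. The following is an added PowerShell example, not code from the thread or from either participant; the site names, subnet ranges, link cost and replication interval are assumptions for illustration and must be replaced with the real values for site 1 and site 2.

```powershell
# Added example (not from the thread): model "one domain, two AD sites".
# Site names, subnets and link settings below are assumptions.
Import-Module ActiveDirectory

# [ordered] keeps site 1 first so output is predictable.
$sites = [ordered]@{
    'Site1' = '10.10.0.0/16'   # assumed: primary data centre subnet
    'Site2' = '10.20.0.0/16'   # assumed: DR data centre subnet (SRM target)
}

foreach ($name in $sites.Keys) {
    # Idempotent: only create objects that do not exist yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $cidr = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        # Mapping the subnet to the site is what makes clients and DCs in
        # that range authenticate locally instead of across the VPN.
        New-ADReplicationSubnet -Name $cidr -Site $name
    }
}

# One IP site link across the site-to-site VPN. Cost 100 and a 15-minute
# replication interval are assumptions; tune to the link you actually have.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'Site1-Site2'")) {
    New-ADReplicationSiteLink -Name 'Site1-Site2' `
        -SitesIncluded 'Site1', 'Site2' `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Verification: each site should hold at least one writable DC so that
# authentication keeps working after a failover to site 2.
foreach ($name in $sites.Keys) {
    $dcs = @(Get-ADDomainController -Filter "Site -eq '$name'")
    [PSCustomObject]@{
        Site              = $name
        DomainControllers = ($dcs.HostName -join ', ')
        HasWritableDC     = ($dcs | Where-Object { -not $_.IsReadOnly }).Count -gt 0
    }
} | Format-Table -AutoSize
```

If the verification shows a site with no DC, promote one there (or move an existing DC with Move-ADDirectoryServer) before relying on SRM failover; a replicated VM of a DC is not a substitute for a DC that already lives in the site and replicates normally.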
Mark Bill (Author) commented:
As per usual, the best expert.
0
Will Szymkowski (Senior Solution Architect) commented:
<3 appreciate that!

Will.
0