Member_2_6445837

asked on

Active Directory Domain virtualization and consolidation

Greetings.
We are currently carrying out a server virtualization and consolidation project for our domain controllers. We have:

- One domain we could call security.local, with 3 domain controllers, for the Security department. Domain functional level is currently Server 2008 and forest functional level is Server 2003.
- Four domains, for the Engineering department, we could call:
  1. aci.local (2 DCs, forest functional level = 2003, domain functional level = 2012 R2)
  2. aci2.local (2 DCs, forest functional level = 2003, domain functional level = 2003)
  3. aci3.local (2 DCs, forest functional level = 2003, domain functional level = 2012 R2)
  4. aci4.local (1 DC, forest functional level = 2003, domain functional level = 2012 R2)

        There are no DHCP servers in any of the domains, but all domain controllers have DNS service.

Our requirement is to migrate and consolidate the above design onto the newly set up VMware datacenter, with emphasis on security and segregation of the two departments, so please advise on how we should approach this. We thought about setting up a new root domain with 2 domain controllers, creating 2 child domains (one per department), and creating an Active Directory design that consolidates the engineering domains into OUs, using the Active Directory Migration Tool to do an inter-forest (cross-forest) migration of computer and user accounts.
Mahesh

It depends on what level of separation you want between the two departments.

If all you want is to consolidate all of the above domains into one, then create one root domain, migrate all the other domains' users and computers into that root domain, and control access at the OU level: put the users and computers from each engineering domain into their respective OUs.

You can go the child-domain route as well, with an empty forest root, if you want to, but I prefer a single-domain, single-forest design to avoid AD infrastructure complexities.
        I would strongly reconsider the idea of child domains. A malicious admin in a child domain can gain control of the forest. Standard good practice is to have a single domain in a single forest. Child domains just lead to an increased number of DCs and complexity, and fragility.

        OUs should be used for organizing departments and delegating control.
        Separate domains in the same forest have a transitive trust between them, and have access to all resources in the forest by default. You can limit the scope of that by implementing selective authentication, which requires you to specify which resources can be accessed outside of the domain by setting specific permissions before access is granted. So that would be how you'd want to design your new forest, if migration is your goal. That said, forest migrations are a monstrous pain to perform and often result in headaches that you wouldn't believe. If you can meet your re-organizational goals by removing domains from the existing forest and just cleaning up your current forest, I highly recommend going down that road instead.
        Member_2_6445837

        ASKER

Thank you all for the very helpful suggestions. So the final design will have one forest and one domain with 2 domain controllers, and segregation will be at the OU level using group policies. But how do I guarantee to the client that security employees will not be able to see or manage the engineering computers/servers?
        ASKER CERTIFIED SOLUTION
Adam Brown

        Thanks a lot, Adam for the very helpful suggestions.
        Is there a 3rd group managing the overall forest and domain?

        Just don't delegate security employees any access to engineering. A domain user wouldn't have any special privs on engineering computers. Engineering may want to remove domain users from having access, if that is their security posture.
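The OU-level delegation the thread settles on, as an added example that is not part of the original discussion or any participant's posts: an Engineering OU (with one sub-OU per former engineering domain) whose control is delegated to an Engineering-Admins group, followed by a check that the Security department's admin group holds no explicit rights on it. The domain name, the OU and group names, and the sub-OU names are assumptions chosen to match the question; the script assumes the ActiveDirectory PowerShell module is installed and is run by an account allowed to create OUs and modify their ACLs.

```powershell
# Added example, not from the original thread. Assumed names: the Engineering
# OU, the groups Engineering-Admins and Security-Admins, and the sub-OUs named
# after the former engineering domains (aci, aci2, aci3, aci4).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$engOU     = "OU=Engineering,$domainDN"
$engAdmins = "Engineering-Admins"   # hypothetical group: the only delegated admins
$secAdmins = "Security-Admins"      # hypothetical group: must hold no rights here

# 1. Create the Engineering OU, one sub-OU per consolidated domain, and the
#    admin group. Each step is skipped if the object already exists.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$engOU)")) {
    New-ADOrganizationalUnit -Name "Engineering" -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($sub in "aci", "aci2", "aci3", "aci4") {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $engOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $sub -Path $engOU
    }
}
if (-not (Get-ADGroup -Filter "Name -eq '$engAdmins'")) {
    New-ADGroup -Name $engAdmins -GroupScope Global -GroupCategory Security -Path $engOU
}

# 2. Delegate: grant Engineering-Admins full control over the OU and every
#    object beneath it (inheritance = All). Nothing is granted to anyone else;
#    Security staff keep only whatever inherited rights the domain head gives
#    every authenticated user.
$acl  = Get-Acl -Path "AD:\$engOU"
$sid  = (Get-ADGroup $engAdmins).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$engOU" -AclObject $acl

# 3. Verify the guarantee asked for in the thread: list every explicit
#    (non-inherited) ACE on the OU and warn if the Security admin group appears.
$explicit = (Get-Acl -Path "AD:\$engOU").Access | Where-Object { -not $_.IsInherited }
$explicit | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
if ($explicit.IdentityReference -match $secAdmins) {
    Write-Warning "$secAdmins holds explicit rights on $engOU - remove that delegation."
}
```

Two caveats a practitioner would want alongside this. First, the check in step 3 only covers explicit ACEs on the OU; rights inherited from the domain head (Domain Admins, Enterprise Admins, Administrators, and the default read access for Authenticated Users) still apply, so the "cannot see or manage" guarantee holds for Security staff only as long as they are not members of those forest- and domain-wide groups, which is why the membership of that third, overall-admin group matters. Second, removing the default Authenticated Users read access from an OU, as the last reply mentions Engineering might want, is possible with the same ACL editing approach but should be tested first, since computers and users need to read their own objects and the OU hierarchy for Group Policy processing to work.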