Member_2_6445837
asked on
Active Directory Domain virtualization and consolidation
Greetings.
We are currently carrying out a server virtualization and consolidation project of our domain controllers. We have:
- aci2.local (2 DCs, Forest function = 2003, Domain function = 2003)
- aci3.local (2 DCs, Forest function = 2003, Domain function = 2012R2)
- aci4.local (1 DC, Forest function = 2003, Domain function = 2012R2)
For the Engineering department
There are no DHCP servers in any of the domains, but all domain controllers have DNS service.
Our requirement is to migrate and consolidate the above design using the newly set up VMware datacenter, with emphasis on security and segregation of the 2 departments, so please advise on how we should approach this. We thought about setting up a new root domain with 2 domain controllers, creating 2 child domains for both departments, creating an Active Directory design that consolidates the engineering domains into OUs, and using the Active Directory Migration Tool to do an inter/cross-forest migration of computer and user accounts.
I would strongly reconsider the idea of child domains. A malicious admin in a child domain can gain control of the forest. Standard good practice is to have a single domain in a single forest. Child domains just lead to an increased number of DCs and complexity, and fragility.
OUs should be used for organizing departments and delegating control.
Separate domains in the same forest have a transitive trust between them, and have access to all resources in the forest by default. You can limit the scope of that by implementing selective authentication, which requires you to specify which resources can be accessed outside of the domain by setting specific permissions before access is granted. So that would be how you'd want to design your new forest, if migration is your goal. That said, forest migrations are a monstrous pain to perform and often result in headaches that you wouldn't believe. If you can meet your re-organizational goals by removing domains from the existing forest and just cleaning up your current forest, I highly recommend going down that road instead.
ASKER
Thank you all for the very helpful suggestions, so the final design will have one forest and one domain with 2 domain controllers and segregation will be at an OU level using group policies, but how do I guarantee the client that security employees will not be able to see or manage the engineering computers\servers?
ASKER CERTIFIED SOLUTION
ASKER
Thanks a lot, Adam for the very helpful suggestions.
Is there a 3rd group managing the overall forest and domain?
Just don't delegate security employees any access to engineering. A domain user wouldn't have any special privs on engineering computers. Engineering may want to remove domain users from having access, if that is their security posture.
If all you want is to consolidate all the above domains into one, then create one root domain, migrate all other domain users and computers to that root domain, and control access at the OU level; put users and computers for each engineering domain in respective OUs.
You can go with the child domain route as well if you want, with an empty forest root, but I prefer a single domain, single forest design to avoid AD infrastructure complexities.
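As an added example (not something posted in this thread) of the check behind "just don't delegate security employees any access to engineering": a PowerShell audit that walks the Engineering OU tree and reports every Allow ACE held by principals that should have no rights there. The OU path and the group names are hypothetical placeholders for your own environment.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# a hypothetical single-domain forest aci.local with an Engineering OU tree.
Import-Module ActiveDirectory

function Get-UnwantedOuAccess {
    param(
        [Parameter(Mandatory)] [string]   $OuDistinguishedName,
        [Parameter(Mandatory)] [string[]] $UnwantedPrincipals   # NT account names, e.g. 'ACI\Security-Admins'
    )
    # The AD: drive exposes directory objects; Get-Acl returns ActiveDirectorySecurity
    # whose .Access collection holds ActiveDirectoryAccessRule entries.
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($UnwantedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU        = $OuDistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited       # True means the ACE comes from a parent container
            AppliesTo = $ace.InheritanceType
        }
    }
}

# Principals that must not appear on engineering objects: the Security department groups,
# plus the broad default read principals, in case Engineering wants default read removed too.
$unwanted = @(
    'ACI\Security-Admins', 'ACI\Security-Staff',        # hypothetical department groups
    'ACI\Domain Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
)

$engineeringRoot = 'OU=Engineering,DC=aci,DC=local'     # hypothetical OU path
$ous = Get-ADOrganizationalUnit -SearchBase $engineeringRoot -SearchScope Subtree -Filter * |
       Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($ou in $ous) {
    Get-UnwantedOuAccess -OuDistinguishedName $ou -UnwantedPrincipals $unwanted
}

if ($findings) {
    $findings | Sort-Object OU, Principal | Format-Table -AutoSize
} else {
    Write-Output "No ACEs for the listed principals found under $engineeringRoot."
}
```

Inherited entries point at a parent container (or the domain head), so fix them where they originate rather than on the OU; re-run the audit after any delegation change as evidence for the client.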