
Decoupling an Active Directory Environment

Jerry D. asked
Last Modified: 2020-02-06
Hello Experts,

We are building a new Active Directory domain based off of an existing environment and are seeking best practices and design recommendations.

My client was acquired by a larger firm and their AD was 'merged' with this parent firm's existing AD.

The current design looks like this:
Original AD (2008 R2) > 2-way trust with parent AD (2016).

All of the original AD's machines and users were recreated in the parent AD and then disabled in the original AD. Only a few service accounts and legacy resources were kept active in the older domain.
Policies and permissions were 'merged' with the parent's existing GPs.

Now the client wants to decouple from the parent AD, retaining permissions and some policies, and implement a hybrid Azure AD (on-prem and in cloud solution), plus reuse the old domain name (this was kept active for legacy purposes).

The parent firm does not allow us much access into their AD environment, so we will not be able to replicate or migrate users and machines out of their domain.
The client would like us to set up new 2016 domain controllers and recreate the original domain structure. Since we have the original domain intact, we can do with it as we see fit.
The client firm and parent firm networks would become segregated once the decoupling is completed.

One idea has been to upgrade the two original 2008 R2 DCs first to 2012, then to 2016 (MS doesn't allow an in-place upgrade from 2008 R2 directly to 2016). Then we could recreate the current users and machines from the parent AD into the original AD, and clean up the older environment (there are over 4000 disabled accounts present in the original AD). Looks like we will have to recreate Group Policies and permissions from scratch since we can't migrate anything from the parent AD.
We would then spin up the two new 2016 servers, promote them to DCs and start replicating with the two original DCs. Once we have a full replication completed, we could then decommission the two original DCs, and then connect with Azure AD.
We do realize we will need to rejoin all of the machines into the 'new' original domain.
The goal is to keep all of the permissions and most policies intact from the parent AD, and also to not carry over any old legacy orphaned objects from the original AD, especially into Azure AD.

Does anyone have any suggestions on better ways to accomplish this? Any insight would be greatly appreciated!

Thank you!!