J.D. Payne asked:

Decoupling an Active Directory Environment

Hello Experts,

We are building a new Active Directory domain based off of an existing environment and are seeking best practices and design recommendations.

My client was acquired by a larger firm and their AD was 'merged' with this parent firm's existing AD.

The current design looks like this:
Original AD (2008 R2) > 2 way trust with parent AD (2016).

All of the original AD's machines and users were recreated in the parent AD and then disabled in the original AD. Only a few service accounts and legacy resources were kept active in the older domain.
Policies and permissions were 'merged' with the parent's existing GPs.

Now the client wants to decouple from the parent AD, retaining permissions and some policies, and implement a hybrid Azure AD (on-prem and in cloud solution), plus reuse the old domain name (this was kept active for legacy purposes).

The parent firm does not allow us much access into their AD environment, so we will not be able to replicate or migrate users and machines out of their domain.
The client would like us to set up new 2016 domain controllers and recreate the original domain structure. Since we have the original domain intact, we can do with it as we see fit.
The client firm and parent firm networks would become segregated once the decoupling is completed.

One idea has been to upgrade the two original 2008 R2 DCs first to 2012, then to 2016 (MS doesn't allow an in-place upgrade from 2008 R2 directly to 2016). Then we could recreate the current users and machines from the parent AD into the original AD, and clean up the older environment (there are over 4000 disabled accounts present in the original AD). Looks like we will have to recreate Group Policies and permissions from scratch since we can't migrate anything from the parent AD.
We would then spin up the two new 2016 servers, promote them to DCs and start replicating with the two original DCs. Once we have a full replication completed, we could then decommission the two original DCs, and then connect with Azure AD.
We do realize we will need to rejoin all of the machines into the 'new' original domain.
The goal is to keep all of the permissions and most policies intact from the parent AD, and also to not carry over any old legacy orphaned objects from the original AD, especially into Azure AD.

Does anyone have any suggestions on better ways to accomplish this? Any insight would be greatly appreciated!

Thank you!!

Peter Hutchison

J.D. Payne

Thank you very much, Peter! This is great information!!
Thank you for the insight!