Troubleshooting question: Decoupling an Active Directory Environment

Asked by JD Payne (United States of America)
Tags: Active Directory, Azure
Hello Experts,

We are building a new Active Directory domain based off of an existing environment and are seeking best practices and design recommendations.

My client was acquired by a larger firm and their AD was 'merged' with this parent firm's existing AD.

The current design looks like this:
Original AD (2008 R2) > 2-way trust with parent AD (2016).

All of the original AD's machines and users were recreated in the parent AD and then disabled in the original AD. Only a few service accounts and legacy resources were kept active in the older domain.
Policies and permissions were 'merged' with the parent's existing GPs.

Now the client wants to decouple from the parent AD, retaining permissions and some policies, and implement a hybrid Azure AD (on-prem and in cloud solution), plus reuse the old domain name (this was kept active for legacy purposes).

The parent firm does not allow us much access into their AD environment, so we will not be able to replicate or migrate users and machines out of their domain.
The client would like us to set up new 2016 domain controllers and recreate the original domain structure. Since we have the original domain intact, we can do with it as we see fit.
The client firm and parent firm networks would become segregated once the decoupling is completed.

One idea has been to upgrade the two original 2008 R2 DCs first to 2012, then to 2016 (MS doesn't allow an in-place upgrade from 2008 R2 directly to 2016). Then we could recreate the current users and machines from the parent AD into the original AD, and clean up the older environment (there are over 4000 disabled accounts present in the original AD). Looks like we will have to recreate Group Policies and permissions from scratch since we can't migrate anything from the parent AD.
We would then spin up the two new 2016 servers, promote them to DCs and start replicating with the two original DCs. Once we have a full replication completed, we could then decommission the two original DCs, and then connect with Azure AD.
We do realize we will need to rejoin all of the machines into the 'new' original domain.
The goal is to keep all of the permissions and most policies intact from the parent AD, and also to not carry over any old legacy orphaned objects from the original AD, especially into Azure AD.

Does anyone have any suggestions on better ways to accomplish this? Any insight would be greatly appreciated!

Thank you!!
Peter Hutchison
Senior Network Systems Specialist
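One way to start the cleanup step the question describes, as an added example that is not part of the original post: a PowerShell inventory of the original domain's disabled, inactive and still-enabled service accounts, run against the old 2008 R2 domain before any objects are recreated, so the legacy objects can be reviewed and kept out of Azure AD Connect scope (the quarantine OU name and the 180-day inactivity threshold are assumptions).

```powershell
# Added example (not from the original question): inventory the original domain
# so the ~4000 disabled and other orphaned objects are reviewed, quarantined and
# excluded from Azure AD Connect scope before the rebuild and Azure AD connection.
# Assumes the ActiveDirectory module and a hypothetical "OU=Quarantine" OU.
Import-Module ActiveDirectory

$Domain     = (Get-ADDomain).DistinguishedName
$Quarantine = "OU=Quarantine,$Domain"   # hypothetical OU left out of the AAD Connect OU filter
$Stale      = New-TimeSpan -Days 180    # assumed inactivity threshold
$DryRun     = $true                     # report only; set to $false to actually move objects

# 1. Disabled users and computers: the objects that were recreated in the parent AD.
$disabled = Search-ADAccount -AccountDisabled |
            Where-Object { $_.ObjectClass -in 'user', 'computer' }

# 2. Enabled but inactive users: candidates for review rather than blind deletion.
$inactive = Search-ADAccount -AccountInactive -TimeSpan $Stale -UsersOnly |
            Where-Object { $_.Enabled }

# 3. Enabled accounts carrying a service principal name: the legacy service
#    accounts the question says were intentionally kept active in the old domain.
$service = Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like '*' } `
                      -Properties ServicePrincipalName, LastLogonDate

# Summarise and export for client sign-off before anything is touched.
[pscustomobject]@{
    Disabled        = @($disabled).Count
    InactiveEnabled = @($inactive).Count
    ServiceAccounts = @($service).Count
} | Format-Table -AutoSize

$disabled | Select-Object Name, ObjectClass, DistinguishedName, LastLogonDate |
    Export-Csv -Path .\orig-domain-disabled.csv -NoTypeInformation
$service  | Select-Object Name, LastLogonDate,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv -Path .\orig-domain-service-accounts.csv -NoTypeInformation

# Move disabled objects into the quarantine OU (outside the AAD Connect sync scope)
# instead of deleting them, so they can be restored if a dependency turns up.
foreach ($obj in $disabled) {
    if ($DryRun) { Write-Host "Would move $($obj.DistinguishedName)" }
    else         { Move-ADObject -Identity $obj.DistinguishedName -TargetPath $Quarantine }
}
```

Run it with `$DryRun = $true` first and review the two CSV files; only the quarantine OU, not the disabled objects themselves, then needs to be excluded in the Azure AD Connect OU filter.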
