
Decoupling an Active Directory Environment

Jerry D. asked
Hello Experts,

We are building a new Active Directory domain based off of an existing environment and are seeking best practices and design recommendations.

My client was acquired by a larger firm and their AD was 'merged' with this parent firm's existing AD.

The current design looks like this:
Original AD (2008 R2) > 2-way trust with parent AD (2016).

All of the original AD's machines and users were recreated in the parent AD and then disabled in the original AD. Only a few service accounts and legacy resources were kept active in the older domain.
Policies and permissions were 'merged' with the parent's existing GPs.

Now the client wants to decouple from the parent AD, retaining permissions and some policies, and implement a hybrid Azure AD (on-prem and in cloud solution), plus reuse the old domain name (this was kept active for legacy purposes).

The parent firm does not allow us much access into their AD environment, so we will not be able to replicate or migrate users and machines out of their domain.
The client would like us to set up new 2016 domain controllers and recreate the original domain structure. Since we have the original domain intact, we can do with it as we see fit.
The client firm and parent firm networks would become segregated once the decoupling is completed.

One idea has been to upgrade the two original 2008 R2 DCs first to 2012, then to 2016 (MS doesn't allow an in-place upgrade from 2008 R2 directly to 2016). Then we could recreate the current users and machines from the parent AD into the original AD, and clean up the older environment (there are over 4000 disabled accounts present in the original AD). Looks like we will have to recreate Group Policies and permissions from scratch since we can't migrate anything from the parent AD.
We would then spin up the two new 2016 servers, promote them to DCs and start replicating with the two original DCs. Once we have a full replication completed, we could then decommission the two original DCs, and then connect with Azure AD.
We do realize we will need to rejoin all of the machines into the 'new' original domain.
The goal is to keep all of the permissions and most policies intact from the parent AD, and also to not carry over any old legacy orphaned objects from the original AD, especially into Azure AD.

Does anyone have any suggestions on better ways to accomplish this? Any insight would be greatly appreciated!

Thank you!!

Senior Network Systems Specialist
Commented:
To keep permissions, you also need to keep SID values across the domains by using the 'Migrate SID history' in the Delegate Access wizard.
See https://support.microsoft.com/en-gb/help/322970/how-to-troubleshoot-inter-forest-sidhistory-migration-with-admtv2

Policies can be migrated to a new domain, although some migration of values for the new domain is required. You can do this using either ADMT (AD migration tool) or GPMC (group policy management) and the Migration Table Editor to successfully migrate policy.
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/gpmc/using-migration-tables
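
An added example, not part of the answer above and not taken from ADMT or GPMC: a PowerShell inventory to run in the rebuilt domain before it is connected to Azure AD, listing every object that carries sIDHistory (and which source domains those SIDs come from) together with the disabled and inactive accounts the question wants left behind. It assumes the RSAT ActiveDirectory module is installed; the 180-day threshold and the output folder are hypothetical.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module, run in the rebuilt
# domain by an account with read access; threshold and paths are hypothetical.
Import-Module ActiveDirectory

$StaleDays = 180                                    # assumed inactivity threshold
$OutDir    = Join-Path $env:TEMP 'pre-sync-audit'   # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Every principal that still carries sIDHistory, one row per historic SID.
#    These extra SIDs are what keep access to resources ACL'd with the old SIDs.
$history = @(
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    SamAccountName  = $obj.sAMAccountName
                    ObjectClass     = $obj.ObjectClass
                    CurrentSid      = $obj.objectSid.Value
                    HistoricSid     = $sid.Value
                    SourceDomainSid = $sid.AccountDomainSid.Value
                }
            }
        }
)

# 2. Which source domains those SIDs come from. A domain SID nobody expected
#    should be investigated before the directory is synchronized anywhere.
$bySource = @($history | Group-Object SourceDomainSid | Select-Object Name, Count)

# 3. Disabled accounts, and enabled accounts with no recent logon, to review
#    and clean up instead of carrying them forward.
$fields   = 'SamAccountName', 'ObjectClass', 'DistinguishedName', 'LastLogonDate'
$disabled = @(Search-ADAccount -AccountDisabled | Select-Object $fields)
$inactive = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) |
    Where-Object Enabled | Select-Object $fields)

$history  | Export-Csv (Join-Path $OutDir 'sidhistory.csv')         -NoTypeInformation
$bySource | Export-Csv (Join-Path $OutDir 'sidhistory-sources.csv') -NoTypeInformation
$disabled | Export-Csv (Join-Path $OutDir 'disabled.csv')           -NoTypeInformation
$inactive | Export-Csv (Join-Path $OutDir 'inactive-enabled.csv')   -NoTypeInformation

$summary = '{0} historic SIDs, {1} disabled, {2} enabled-but-inactive accounts'
$summary -f $history.Count, $disabled.Count, $inactive.Count
```

The CSVs are review material only; the script changes nothing in the directory.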
Jerry D., Systems/Network Engineer

Author

Commented:
Thank you very much, Peter! This is great information!!
Jerry D., Systems/Network Engineer

Author

Commented:
Thank you for the insight!