Avatar of J.D. Payne
J.D. Payne
Flag for United States of America asked on

Decoupling an Active Directory Environment

Hello Experts,

We are building a new Active Directory domain based off of an existing environment and are seeking best practices and design recommendations.

My client was acquired by a larger firm and their AD was 'merged' with this parent firm's existing AD.

The current design looks like this:
Original AD (2008 R2) > 2 way trust with parent AD (2016).

All of the original AD's machines and users were recreated in the parent AD and then disabled in the original AD. Only a few service accounts and legacy resources were kept active in the older domain.
Policies and permissions were 'merged' with the parents existing GPs.

Now the client wants to decouple from the parent AD, retaining permissions and some policies, and implement a hybrid Azure AD (on-prem and in cloud solution), plus reuse the old domain name (this was kept active for legacy purposes).

The parent firm does not allow us much access into their AD environment, so we will not be able to replicate or migrate users and machines out of their domain.
The client would like us to setup new 2016 domain controllers and recreate the original domain structure. Since we have the original domain intact, we can do with it as we see fit.
The client firm and parent firm networks would become segregated once the decoupling is completed.

One idea has been to upgrade the two original 2008 R2 DCs first to 2012, then to 2016 (MS doesnt allow in place upgrade from 2008 R2 directly to 2016). Then we could recreate the current users and machines from the parent AD into the original AD, and clean up the older environment (there are over 4000 disabled accounts present in the original AD). Looks like we will have to recreate Group Policies and permissions from scratch since we can't migrate anything from the parent AD.
We would then spin up the two new 2016 servers, promote them to DCs and start replicating with the two original DCs. Once we have a full replication completed, we could then decommission the two original DCs, and then connect with Azure AD.
We do realize we will need to rejoin all of the machines into the 'new' original domain.
The goal is to keep all of the permissions and most policies intact from the parent AD, and also to not carry over any old legacy orphaned objects from the original AD, especially into Azure AD.

Does anyone have any suggestions on better ways to accomplish this? Any insight would be greatly appreciated!

Thank you!!
Active DirectoryAzure

Avatar of undefined
Last Comment
J.D. Payne

8/22/2022 - Mon
Peter Hutchison

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
J.D. Payne

Thank you very much, Peter! This is great information!!
J.D. Payne

Thank you for the insight!
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy