Re: Domain Split After Company Sale
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 30 Jan 2007 13:35:22 -0600
"Gary Hindson" <garyhindson@xxxxxxxxxxx> wrote in message
news:OW7o0DGRHHA.3812@xxxxxxxxxxxxxxxxxxxxxxx
> Hi All
> It has been announced that our company is to be sold so I am researching
> the options available regarding our Domain. We currently share one
> Windows 2003 domain in Mixed mode with our US parent company and we each
> have a number of sites and servers either side of the pond linked via a
> WAN link.
> After the sale I anticipate the WAN link to be left up for a period of
> time to enable access to a couple of non-domain related resources
> (websites, Oracle databases and Linux Servers).

Usually the "big" side gets the forest, but you might have this in the
contracts or by flipping a coin.

> My initial thoughts are that we could shut down the WAN link temporarily
> and then carry out the following:-
> 1. Both sides seize the domain roles on one domain controller.

Ensure DNS, GCs, and maybe WINS are available.

> 2. Remove the site links either side of the pond.

And sites, and subnets, etc. that are no longer needed.

> 3. Remove all the resources from the opposite side of the pond in both AD
> and DNS

And users who don't belong to you.

> 4. Clean up the metadata on both sides.

NTDSUtil "metadata cleanup".

> 5. Rename the domain in the UK to ABC.com

Must first advance domain and forest to Win2003 Server Native Mode and
Win2003 Forest Functional Level.
NetBIOS and DNS names. Fix up DNS, and WINS if you run it.

> 6. Re-enable the link.

I have serious concerns that you will never be able to "trust" the other
domain (you are re-enabling the link for some purpose) since the domain
SIDs will be the same in both places but that doesn't really sound like it
might be a show stopper.

> After the initial split we could then carry out a staged migration to a
> new domain to minimise the disruption.

If you do all this and it works you can probably hang with what you have.
Why migrate if it works?

> So my questions are as follows:-
> 1. Would the above be possible or is it impossible to split the domain as
> above? I don't foresee any need to share domain resources once the
> domains are split.

Then the SID issue probably won't matter. It might work -- and if it
doesn't you should still be able to do the migration. (Keep a backup
just in case.)

> 2. Has anyone had any experience doing the above and have any
> pointers/pitfalls?

Not me. I have worked through the ideas and think with the comments
added above you should be close.

> 3. Would we be better biting the bullet and creating the new domain from
> day one?

If you are going to migrate then I would just do that to start, but this
might eliminate the migration.
One thing I would like to check is: Would a user's credentials STILL work
in the "Wrong" domain if they could connect? I doubt it but maybe they
would.
(You can test all this by promoting and peeling off one Lab DC and know the
answer in about 2-3 hours.)

> 4. What effects would the above have on Exchange 2003?

Gosh. Better ask the Exchange folks. That is another whole can (case)
of worms.
Add another couple of hours for testing Exchange.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
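
The shared-SID concern in the reply above can be checked during the lab test it suggests. The following is an added example, not part of the original post: it decodes binary objectSid values exported from each half of a split domain and reports domain SIDs and account SIDs that appear on both sides. The function names and all SID values are constructed for illustration.

```python
import struct

def parse_sid(raw):
    """Decode a binary SID (the form held in AD's objectSid) to S-1-... text."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def domain_sid(sid):
    """Domain part of an account SID (S-1-5-21-x-y-z-RID), or None."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None

def split_report(side_a, side_b):
    """Compare objectSid values taken from the two halves of a split domain."""
    a = {parse_sid(r) for r in side_a}
    b = {parse_sid(r) for r in side_b}
    doms_a = {domain_sid(s) for s in a} - {None}
    doms_b = {domain_sid(s) for s in b} - {None}
    return {
        # Same domain SID on both sides: the condition the reply warns about.
        "shared_domain_sids": sorted(doms_a & doms_b),
        # Accounts that exist in both copies carry the very same SID.
        "identical_account_sids": sorted(a & b),
    }

def build_sid(*subs):
    """Helper for the constructed sample data: pack an NT-authority SID."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample: both halves kept the original domain identifier.
DOM = (21, 1111111111, 2222222222, 3333333333)
UK_SIDE = [build_sid(*DOM, 500), build_sid(*DOM, 1105)]
US_SIDE = [build_sid(*DOM, 500), build_sid(*DOM, 2210)]

if __name__ == "__main__":
    print(split_report(UK_SIDE, US_SIDE))
```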