Re: AD Forest Split Procedure



Tage S. Rasmussen wrote:
Hi kj

Practically anything of importance :).

First, my 'projects' with each now separate business included the
expectation and understanding that they would, at some point, complete a
full interforest migration to a new AD forest and achieve a supported
configuration. (One of the companies eventually had me complete that, and
the other I suspect has not nor ever will. But it was well documented and
disclaimed.)


Did you encounter any issues that caused problems afterwards?

There were many, many 'cleanup' things to resolve, some AD split related and
many not. Probably the only 'issue' we had was public folder replication
afterwards. But there were already known issues and no expectation that the
public folders would be kept anyway. Exchange data was exported, Exchange
rebuilt, and data imported so Exchange ended up as a clean org.


What was your scenario and how did you do the split in practice?

Two businesses, originally one owner, one domain, one forest. Sold the other
biz. Disconnected, made and tested backups, 'amputated' the disconnected
DCs and Exchange servers, etc., etc. Lots of very careful adsiedit work.


How much time did you spend overall on the procedure?
(Planning, testing, split, follow-up)

Probably not much to compare here, being a simple single domain. Planning
and testing (VM): a couple of days for each biz. Split: about a day each.
Cleanup: about two or three days each. Cleanup involved not only cleanup
of prior bad practices, but also new operations policies (GPOs) and security,
as well as post-split stuff.

In retrospect, two co-operating entities should just independently go the
ADMT migration route from the get-go. When one is being 'uncooperative', the
other is left with little short-term choice.


/Tage
"kj [SBS MVP]" wrote:

Tage S. Rasmussen wrote:
I am currently investigating a procedure to quickly split an
existing multi-tree 2003 AD forest with Exchange 2003 into 2
separate AD forests.

This needs to be done due to organizational changes where the
company will be split into 2 separate entities (Org A and Org B). It
is a fairly large organization (10000+ users).

Due to political issues and time constraints it is currently not an
option to pursue the recommended approach, which is to create a new
AD forest and migrate resources and data to this using interforest
migration tools.

The 2 organizations will not have a need to access resources in the
other organization's forest after the split and domain renaming is
not necessary.

Furthermore, the 2 organizations are located in separate countries,
communicating via FW-secured WAN links, so it is fairly easy to
filter traffic and isolate DCs.

Also the resources for the 2 organizations are very well segmented
and therefore relatively easy to split. However there are some
shared services including Exchange 2003 that need special attention.

Therefore we are considering splitting the existing AD environment by
isolating DCs from each other so each organization will have one DC
from the root domain, one DC from the other tree and of course DCs
from their own tree.

When the DC's have been isolated we can perform a FSMO seizure,
Metadata cleanup in both forests and DNS zone cleanup among others,
just as you would do to create a test/dev environment based on an
existing forest. By having a DC from the other orgs tree, it will be
easier to perform the metadata cleanup.

The current AD environment consists of 3 trees with a single domain
each. Every domain has multiple DC's.

Empty root domain (X.LocalRoot)
Tree for Org. A (A.LocalA)
Tree for Org. B (B.LocalB)


After the procedure we will end up with 2 disconnected AD forests
with Exchange 2003 cloned from the initial forest, with an empty root
domain and a single tree each.

After split procedure:

Organization A:
Empty Root domain (X.LocalRoot)
1 tree with a single domain (A.LocalA)

Organization B :
Empty Root domain (X.LocalRoot)
1 tree with a single domain (B.LocalB)


I am aware that this procedure is not recommended nor supported by
MS, and also that there are security issues to be addressed among
others.

However, due to non-technical circumstances we have to find a quick
temporary solution to split the AD environment without too much
service interruption and resource consumption. Later on a real
migration will probably take place in at least one organization,
solving the interim issues due to the split procedure.

Has anyone tried to do this kind of forest split procedure in a
production environment with Exchange 2003?

Yes I have, and you seem to have a grasp on the major issues.

What additional information do you seek?

--
/kj

--
/kj
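
The isolation step described in the quoted question (one root DC, one DC from the other tree and the own-tree DCs on each side, then FSMO seizure and metadata cleanup) can be checked on paper before any link is filtered. The following is an added planning sketch, not part of the thread or any poster's code: the DC names, role holders and side assignments are constructed, and `plan_split` is a hypothetical helper.

```python
"""Planning aid for the DC-isolation split (constructed data, hypothetical helper)."""
FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("PDCEmulator", "RIDMaster", "InfrastructureMaster")
ROOT = "X.LocalRoot"

# (DC name, domain, side of the filtered WAN link it stays on); names are constructed.
DCS = [
    ("ROOT-DC1", "X.LocalRoot", "A"), ("ROOT-DC2", "X.LocalRoot", "B"),
    ("A-DC1", "A.LocalA", "A"), ("A-DC2", "A.LocalA", "A"),
    ("A-DC3", "A.LocalA", "B"),   # Org B keeps one DC from Org A's tree
    ("B-DC1", "B.LocalB", "B"), ("B-DC2", "B.LocalB", "B"),
    ("B-DC3", "B.LocalB", "A"),   # Org A keeps one DC from Org B's tree
]
# FSMO role holders before isolation (constructed).
HOLDERS = {
    "X.LocalRoot": dict.fromkeys(FOREST_ROLES + DOMAIN_ROLES, "ROOT-DC1"),
    "A.LocalA": dict.fromkeys(DOMAIN_ROLES, "A-DC1"),
    "B.LocalB": dict.fromkeys(DOMAIN_ROLES, "B-DC1"),
}

def plan_split(side, own_domain, dcs=DCS, holders=HOLDERS):
    """Return the work list for one side once its DCs are isolated."""
    kept = {name: dom for name, dom, s in dcs if s == side}
    plan = {
        "seize": [],            # (domain, role, target DC) where the holder is unreachable
        "remove_domain": [],    # other org's tree, with the DC retained to help cleanup
        "blockers": [],         # domains with no DC on this side at all
        # every DC left on the far side becomes stale metadata on this side
        "metadata_cleanup": sorted(n for n, _, s in dcs if s != side),
    }
    for domain, roles in holders.items():
        survivors = sorted(n for n, d in kept.items() if d == domain)
        if not survivors:
            plan["blockers"].append(f"no {domain} DC on side {side}")
        elif domain not in (ROOT, own_domain):
            # End state is root + own tree only, so this domain is retired, not repaired.
            plan["remove_domain"].append((domain, survivors[0]))
        else:
            plan["seize"] += [(domain, role, survivors[0])
                              for role, holder in roles.items()
                              if holder not in kept]
    return plan

if __name__ == "__main__":
    for side, own in (("A", "A.LocalA"), ("B", "B.LocalB")):
        print(side, plan_split(side, own))
```

A non-empty `blockers` list means the side assignment does not match the plan in the question and should be corrected before isolation.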