HELP: Orphan domain into new forest?
  • HELP: Orphan domain into new forest?

    Ok, I'll try this again since I didn't get any responses.

    I have a Windows 2000 domain (abc.net) which was migrated from NT and joined a Windows 2000 enterprise (xyz.com). "abc.net" is widely recognized by the public but is no longer associated with xyz.com (although there will be trusts between them).

    I need to move abc.net into its own forest, keeping the abc.net name and severing the ties to xyz.com.

    Is this possible? Practical? Can I do it with some combination of migrations and domain renames?

    Any help, references, pointers, etc., would be appreciated.

  • #2
    Re: HELP: Orphan domain into new forest?

    All that I say below will apply if abc.net was a child domain of forest xyz.net. (i.e. abc.xyz.net). If it was not, then none of the below applies and there is no reason that the dissociation should not take place.

    You will need to destroy the domain and start again with a new "abc.net" as far as I can tell. I believe that "Swing Migration" will assist in moving user accounts, etc., from the old domain into the new one - but with the domain name being the same I'm not sure whether there will be any additional implications to consider.

    To achieve this you will first have to build a domain controller for the new abc.net which is ISOLATED (network wise) from the old abc.net.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: HELP: Orphan domain into new forest?

      Well, the NT 4.0 domain abc.net existed on its own for a while. Then the parent "organization" created an "Enterprise" xyz.com and "forced" the abc.net domain to join. Then, the whole lot was migrated into AD 2000 with a common global address list and with the Enterprise security SID residing in the xyz.com "forest" but abc.net controlling its own users, etc. There are also public folders shared between the two (which will be re-established, as necessary, with trusts). In terms of IP domains, abc.net was never a child of xyz.com.

      What happened to change the entire setup is that Microsoft was not particularly forthcoming in early publications of the AD 2003 security best practices and didn't bother to correct the impression that domains would continue to be security boundaries in AD 2003. In fact, this responsibility has shifted to forests.

      abc.net can be thought of as a separate business organization with a common board of directors but legally distinct. The need to separate it completely is driven by the need to protect patient information since the "parent" (xyz.com) is a conglomerate and not in that business, per se.

      What I need to ensure is that SIDs from the old enterprise are not replicated to the new domain since this would create security problems.

      Thanks for your help!



      • #4
        Re: HELP: Orphan domain into new forest?

        With your SID history requirements I would create the new domain. Anything else would not achieve this very basic requirement. Also, I'm not sure if Swing Migration carries the original SIDs over, or simply copies the user information into the new domain. If the migration carries the SID, you will have to re-create all the user accounts too.

        Don't forget that with your requirement for new SIDs, you will have to manually set up permissions to resources for the new user accounts.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: HELP: Orphan domain into new forest?

          Thanks. This looks like the way to go.

          The only SIDs I don't want to migrate are those with Forest/Enterprise permissions; however, to be on the safe side, perhaps it would be better to recreate everything since there are health privacy issues driving this.

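The concern raised in #3 (no SIDs from the old enterprise replicated into the new domain) and narrowed in #5 (at minimum, nothing carrying forest/enterprise permissions) can be verified after the migration by auditing the sIDHistory attribute of every account in the new abc.net. The script below is an added example written for this thread, not code from any poster or from a migration tool. It assumes an LDIF export of the new domain's users in the shape ldifde writes (binary sIDHistory values base64-encoded after "::", long values folded onto continuation lines); the LDIF text and every SID in it are constructed, made-up values, and the two domain SIDs stand in for the old xyz.com forest root and the old abc.net domain. It decodes each binary SID, strips the RID to get the issuing domain, and reports any account whose sIDHistory points back into the old forest, labelling the well-known forest-level RIDs (518 Schema Admins, 519 Enterprise Admins) so those stand out. Passing only the forest-root SID implements #5's narrow check; passing both domain SIDs implements #3's stricter one.

```python
import base64
import struct

# Constructed domain SIDs for the thread's two domains (made-up values, not real).
XYZ_ROOT_SID = "S-1-5-21-1111-2222-3333"   # old forest root, xyz.com
OLD_ABC_SID = "S-1-5-21-4444-5555-6666"    # old abc.net domain inside that forest

# Well-known RIDs of the forest-level groups, which exist only in the forest root domain.
ENTERPRISE_RIDS = {518: "Schema Admins", 519: "Enterprise Admins"}


def sid_to_bytes(sid):
    """Encode a textual SID into the binary layout AD stores: revision byte,
    sub-authority count, 48-bit big-endian authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Decode the binary SID layout back into S-1-... text."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID of %d bytes" % len(raw))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def _unfold(text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Parse an LDIF export into a list of dicts: lower-cased attribute name ->
    list of values. 'attr:: value' entries are base64-decoded to bytes."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        current.setdefault(attr.strip().lower(), []).append(decoded)
    if current:
        entries.append(current)
    return entries


def find_foreign_sid_history(entries, old_domain_sids):
    """Return (account, sid, label) for every sIDHistory value whose domain part
    belongs to one of the old forest's domains."""
    findings = []
    for entry in entries:
        name = entry.get("samaccountname", ["?"])[0]
        for raw in entry.get("sidhistory", []):
            sid = bytes_to_sid(raw)
            domain, rid = sid.rsplit("-", 1)
            if domain in old_domain_sids:
                label = ENTERPRISE_RIDS.get(int(rid), "old-forest SID")
                findings.append((name, sid, label))
    return findings


def _b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode()


# Constructed sample in the shape ldifde writes: binary sIDHistory is base64 after "::",
# and one long value is folded across two lines the way ldifde wraps output.
_folded = _b64(XYZ_ROOT_SID + "-519")
SAMPLE_LDIF = "\n".join([
    "dn: CN=alice,CN=Users,DC=abc,DC=net",
    "sAMAccountName: alice",
    "sIDHistory:: " + _b64(OLD_ABC_SID + "-1105"),
    "",
    "dn: CN=bob,CN=Users,DC=abc,DC=net",
    "sAMAccountName: bob",
    "",
    "dn: CN=ops-admin,CN=Users,DC=abc,DC=net",
    "sAMAccountName: ops-admin",
    "sIDHistory:: " + _folded[:20],
    " " + _folded[20:],
    "sIDHistory:: " + _b64(OLD_ABC_SID + "-1200"),
    "",
])

if __name__ == "__main__":
    old_forest = {XYZ_ROOT_SID, OLD_ABC_SID}
    for account, sid, label in find_foreign_sid_history(parse_ldif(SAMPLE_LDIF), old_forest):
        print("%-10s %-32s %s" % (account, sid, label))
```

Run it against a real export (for example the output of ldifde restricted to user objects with sIDHistory selected) and an empty result means no account in the new domain still resolves to an old-forest identity. Any hit labelled Enterprise Admins or Schema Admins is exactly the forest-level history #5 wants excluded; any hit at all is what #3's stricter reading rules out.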