How to split a domain in 2

  • How to split a domain in 2

    Hello all,

    I have posted the question on several forums, but I got no replies so far. So I wanted to give it a shot over here.

    We have 1 Windows 2003 domain with 2 locations. Location 1 (let's call
    this one Holland) got 2 dc's (dc1 & dc2). The second location (Germany) got
    1 dc (dc3). DC1 contains all the FSMO roles. DC3 is a GC. Between
    Germany and Holland is a dsl connection which replicates the dc's.

    dc1 = Windows 2003 SP2
    dc2 = Windows 2003 R2 SP2
    dc3 = Windows 2003 SP1

    The location Germany has been sold to another company and now we need to
    split the domain. Since we do not have much time and the server cannot be
    down for too long I was thinking about splitting the domain into 2
    domains with the same name rather than to depromote dc3 and create a new
    domain. This would save us a lot of time reconfiguring all the clients.

    I will try to do this by letting dc3 think that dc1&dc2 do not exist
    anymore.

    So basically, my plan of approach would be this:

    1. remove the dsl connection so that Germany cannot see and contact
    Holland anymore.
    2. clean up the metadata with Ntdsutil.
    3. remove dc1&dc2 objects from the sites
    4. remove dc1&dc2 objects from the domain controllers container
    5. remove dc1&dc2 objects from the dns
    6. seize FSMO roles from dc1 to dc3.
    7. remove all the computers,users etc belonging to Holland from dc3.

    Step 1 ~ 5 and 7 will also be done in Holland to remove dc3 from the
    domain.

    Since I am a newbie at AD I would like to hear some suggestions. I have
    probably forgotten some important stuff or mixed up the way I should
    do things.

    Thanks for any help!

  • #2
    Re: How to split a domain in 2

    Well I can't think of any specific reasons not to do it the way you described (maybe some of the smarter people can step in on this one?) but I have two thoughts:

    1. It seems like it could be a security risk for either company. You'll both have a copy of the other's domain. You of course will go through and delete any unnecessary objects and change passwords (don't forget service accounts) but is that sufficient? It might be.

    2. I'm almost positive that you'll never be able to establish a forest or domain trust between the two without migrating one of the domains to a new one. I know it may never happen but it's just something to consider.


    HTH
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: How to split a domain in 2

      Thanks for your response JeremyW.

      We are aware of the security risk, but it should not be a problem. We changed the passwords on all the systems, appliances and administrator accounts a month ago, before the new owner was known. After the split we will delete everything first and then change the passwords again. The AD in both locations is not accessible from outside the LAN. Just for fun I will change all the user passwords as well.

      About setting up a trust, we are absolutely certain that we will never need or do that. We are using other methods for sharing the necessary information.



      • #4
        Re: How to split a domain in 2

        I think that's pretty ingenious. Not sure I would have thought to do it that way.

        I'm going to store that one away for a later date, just in case.
        CCA: XenApp 5.0



        • #5
          Re: How to split a domain in 2

          One last thing I thought of... I would seize the roles BEFORE deleting the old objects and cleaning up... I've no idea why it's just a vague uneasiness that your way could be messy. Also, I'm not sure but I think that cleaning up the metadata comes AFTER deleting the old DC objects.

          So - new step sequence would be:

          1. remove the dsl connection so that Germany cannot see and contact Holland anymore.
          2. seize FSMO roles from dc1 to dc3.
          3. remove dc1&dc2 objects from the sites
          4. remove dc1&dc2 objects from the domain controllers container
          5. remove dc1&dc2 objects from the dns
          6. clean up the metadata with Ntdsutil.
          7. remove all the computers,users etc belonging to Holland from dc3.


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you
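
A check to run on dc3 once the revised sequence above is finished, added here as an example and not part of any post in this thread: it confirms that nothing in FSMO ownership, Sites, computer accounts, DNS or replication still names dc1 or dc2. It assumes the Windows Server 2003 Support Tools (netdom, repadmin) are installed and uses example.local as a placeholder for the real DNS domain name.

```bat
@echo off
rem Added example: post-split check, run on dc3 after the revised sequence.
rem Assumes the Windows Server 2003 Support Tools (netdom, repadmin) are
rem installed and that example.local stands in for the real DNS domain name.
setlocal
set DOMAIN_DNS=example.local
set OUT=%TEMP%\split-check.txt
set FAIL=0

rem 1. All five FSMO roles must now be held by dc3.
netdom query fsmo > "%OUT%"
call :scan "FSMO role holder"

rem 2. No server objects for dc1/dc2 may remain under Sites.
dsquery server -forest > "%OUT%"
call :scan "server object in Sites"

rem 3. No computer accounts for dc1/dc2 may remain in the domain.
dsquery computer -name dc1 > "%OUT%"
dsquery computer -name dc2 >> "%OUT%"
call :scan "computer account"

rem 4. DNS must no longer advertise dc1/dc2 as domain controllers.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN_DNS% > "%OUT%" 2>&1
call :scan "DC locator SRV record"

rem 5. dc3 must have no replication partners left pointing at Holland.
repadmin /showrepl > "%OUT%" 2>&1
call :scan "replication partner"

del "%OUT%" 2>nul
if %FAIL%==0 (echo PASS: no reference to dc1 or dc2 found) else (echo FAIL: clean up the items listed above)
exit /b %FAIL%

:scan
rem Report every line of the captured output that still names dc1 or dc2.
findstr /i /r "\<dc1\> \<dc2\>" "%OUT%" >nul || goto :eof
echo STALE %~1:
findstr /i /r "\<dc1\> \<dc2\>" "%OUT%"
set FAIL=1
goto :eof
```

For the matching check on the Holland side, replace the two names in `:scan` and in step 3 with dc3.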



          • #6
            Re: How to split a domain in 2

            Also, obviously, make sure that you have adequate backups of all servers and of course system state both before and after. This could prove crucial - I would keep the System State backup for the maximum (120 days?) period during which it can be used.


            Tom


            • #7
              Re: How to split a domain in 2

              Tom's advice is good. Make sure you have those backups tested!!!

              I don't think it matters which you do first; the metadata cleanup, delete server objects in DC OU, or delete the server object from the site(s).

              Here's a good article on it http://www.petri.com/delete_failed_dcs_from_ad.htm
              Regards,
              Jeremy



              • #8
                Re: How to split a domain in 2

                Thanks for the link JeremyW! This should come in handy.
                @Stonelaughter, I will take a further look into the order to do things. Your way sounds more logical than mine.

                Of course I will make sure that I got good backups, without those I would not even try.
