
Perform a migration or split the domain?


  • Perform a migration or split the domain?

    We currently have a customer with a single Windows 2000 Active Directory forest and a single domain that contains approx 2000 users spread across several geographically dispersed locations worldwide. All locations have a domain controller located locally. We also have Exchange 2003 deployed. The Exchange servers all reside in one centralized location. The 2000 users are spread across a 3x2 Active/Passive cluster.

    The company has sold off a part of its business. The part of the business that was sold contains approx. 1000 users in 18 different locations throughout the world.

    I am by no means a newbie to Active Directory migrations. I have performed several migrations in the past and I understand that the best zero-impact way to separate the now two entities would be to build a new domain and migrate the sold resources to the new domain using a tool such as Quest’s Domain Migrator and Exchange Migrator solutions. But performing a migration of this size and scope would take a considerable amount of time, hardware, and money. The biggest issue is the cost of these tools. They are outrageously expensive and when I presented the cost of the migration tools to management they were not excited, to say the least. Microsoft’s free ADMT tool doesn’t offer much help here since it doesn’t offer any assistance with migrating Exchange 2003.

    I hate to even ask this question but in the name of due diligence I must.

    One option that was considered during the initial pre-sales discussions was that we could simply move the users being sold to a separate Exchange 2003 server, sever the network connections between the entities, seize the FSMO roles on the domain controllers at the newly created entity, do quite a bit of metadata cleanup and we would end up with two different fully functional domains that no longer have a dependency on each other.

    The thought of this makes me extremely nervous but when I look at the time, cost of performing a migration, and the scope of the migration due to the 18 different locations it definitely seems like an option that should be investigated.

    My other thought was to try and locate migration tools from another vendor but it appears that Quest is the only vendor that has a migration suite that will allow you to migrate a Windows 2003 and Exchange 2003 domain to another domain and keep the 2 domains and messaging systems in synch during the entire migration process. NetIQ has a limited offering but it only supports migrating from Exchange 5.5 to Exchange 2003 not Exchange 2003 to Exchange 2003.

    My questions are these:

    What are my options?

    Has anyone ever performed a domain split like this successfully? If so, what are the pros, cons, and oh no’s?

    What other migration solutions are out there?

  • #2
    Re: Perform a migration or split the domain?

    Tough one...

    The only time I did something like that was in the lab when I was playing around with the concept of a split.

    The major concern of performing a split would be security and the SID duplication as a result of the split. As long as both networks are connected, you cannot fully separate the resources from the security point of view and this could be quite an issue when dealing with two entities in a process of separation.
    Another issue would be dealing with services deployed in the existing AD. i.e. CA could be an issue when doing a split...
    In addition, after the split you will have a hard time sharing resources (if required during the separation process) across the split parts of AD.

    In theory, you could split and perform a domain rename, but those SIDs are there to stay...

    A compromise could be a process of splitting AND performing a staged migration using less expensive tools (or even sticking to the free tools). This would certainly require much more work and planning, but would probably be a tolerable compromise.

    In any case, I would try at any cost to end up with a new AD.

    Well, I guess I'm not telling you anything new...
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
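The SID duplication concern raised in the reply above can be checked from account exports taken on each side of a split. This is an added example, not part of the original posts: the domain SID, account names and RIDs are constructed, and `split_sid` and `compare_exports` are hypothetical helper names.

```python
from collections import defaultdict

def split_sid(sid):
    """Split a domain account SID (S-1-5-21-a-b-c-RID) into (domain SID, RID)."""
    parts = sid.strip().upper().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

def compare_exports(side_a, side_b):
    """Compare name -> SID exports from the two entities after a split.

    Returns (shared domain SIDs,
             SIDs held by the same account name on both sides,
             SIDs held by different account names on each side).
    """
    shared_domains = ({split_sid(s)[0] for s in side_a.values()}
                      & {split_sid(s)[0] for s in side_b.values()})
    owners_by_sid = defaultdict(dict)
    for side, export in (("A", side_a), ("B", side_b)):
        for name, sid in export.items():
            owners_by_sid[sid.upper()][side] = name
    same_principal, collisions = [], []
    for sid, owners in sorted(owners_by_sid.items()):
        if len(owners) < 2:
            continue  # SID exists on one side only
        if owners["A"].lower() == owners["B"].lower():
            # Leftover copy of a pre-split account: its SID still matches
            # ACL entries on the other side's resources.
            same_principal.append((sid, owners["A"]))
        else:
            # One SID, two different principals.
            collisions.append((sid, owners["A"], owners["B"]))
    return shared_domains, same_principal, collisions

# Constructed sample data: both halves keep the original domain SID.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
RETAINED = {"jsmith": f"{DOMAIN}-1105", "svc_backup": f"{DOMAIN}-1110",
            "newhire_a": f"{DOMAIN}-2601"}
SOLD = {"jsmith": f"{DOMAIN}-1105", "mlee": f"{DOMAIN}-1204",
        "contractor_b": f"{DOMAIN}-2601"}

if __name__ == "__main__":
    domains, same, clashes = compare_exports(RETAINED, SOLD)
    print("shared domain SIDs:", domains)
    print("same account on both sides:", same)
    print("SID reused for different accounts:", clashes)
```

Any entry in either result list is an identity that access control on one side cannot tell apart from an identity on the other, which is why the two networks must stay disconnected for as long as the shared domain SID exists.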


    • #3
      Re: Perform a migration or split the domain?


      Thanks for the response. All very good points.

      If I was to perform a split I think the issues related to Active Directory could be sorted out without too much of a hassle since they are a single domain with no dedicated forest root. Of course, ensuring that the 2 networks are completely separate and have no possibility of ever talking to each other ever again would be crucial.

      My biggest concern is the effect on Exchange, probably because I am not as familiar with the inner workings of Exchange as I am AD.

      I briefly talked with 2 separate MS engineers regarding this approach. One engineer mentioned that a split is a supported but not recommended approach. The other initially told me that it would not work then recanted. I have another call with them in a few days to discuss in greater detail. I will let you know what I find out.

      Do you or anyone know of any tools comparable to the Quest suite of migration tools?

      Thanks Again!