Move from flat domain to multi-domain (Win2003)

System Admin

All -

I have taken over a network with physical sites in the US, Europe, Japan and
China. The previous admin set it up as all one flat AD and DNS domain -
I'll call it the "mycompany.lan" domain. This is kind of a nightmare, and
delegation is problematic. Security sucks, because a domain admin in China
can manage servers in the US and vice versa. There is no Exchange
installed, they use a different messaging infrastructure.

I want to change it so that each physical location has its own domain:

mycompany.lan - top domain, no resources except two DC's running DNS and
(probably) WINS
us.mycompany.lan - US users, computers, and two DCs running DNS, (probably)
one running WINS
eu.mycompany.lan - European users, computers, and two DCs running DNS,
(probably) one running WINS
jp.mycompany.lan - Japanese users, computers, and two DCs running DNS,
(probably) one running WINS
cn.mycompany.lan - Chinese users, computers, and two DCs running DNS,
(probably) one running WINS

Each site currently has one DC. What I am thinking of doing is:

1) Running dcpromo to demote each server to a member server
2) Setting up the DNS zone on each server for its new domain
3) Running dcpromo to make the server a new server for the new domain
4) Moving users and workstations out of the top domain to the new domain

Is there a better way? If I move the computers and users using the Active
Directory Users and Computers tool, will I have to do anything to each
physical computer (we can't send technicians to some of these sites), or
will it just work? Are there any gotchas I need to worry about?

Thanks!
SA
 
Guest

This may not be the answer you were looking for, but if it is only security
that you're concerned about, why not create OUs for each geographical
location, then delegate control of those OUs to the appropriate people in
each location, use Restricted Groups to get those same people into the
Administrators group on all member computers, and eventually change the
passwords for all accounts that are in the Administrators and Domain Admins
groups?

The one big thing that you can't do easily is move users and computers to
the new domains. You can't just move them around in AD Users and Computers
like you can within a domain. You'll need to use migration tools such as
ADMT, etc.

There are DNS issues as well. You'll need to create the child domains on a
current AD DNS server, delegate control to the child domain DNS servers, and
have the child DNS servers forward to the parent DNS servers. If the WAN
link is slow (which may be one of the reasons you're forced to do this), you
may want to have parent domain DNS servers or even DC/DNS servers at each
remote location.
 
Guest

I agree with Charlie. You should remove everyone (except yourself) from the
Domain Admins group. Create OUs for each location. Move all users, groups,
and workstations into their respective OU. Create location based admin
groups (Japan Admins, China Admins, etc.). Delegate full control of
location OU to location admins. Create a group policy for each OU that uses
restricted groups to add the OU admins group to the local administrators
group of the workstations in the OU. The admins now have full control over
their users and workstations, and cannot manage anything outside of their OU.
There are a few good reasons for creating multiple domains in a forest, but
security and delegation of rights are not in that list.
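The OU-and-delegation approach from the two replies above, as an added PowerShell example that is not from the thread. It assumes a management host with the RSAT ActiveDirectory and GroupPolicy modules (against Windows 2003 DCs the Active Directory Management Gateway Service would have to be installed first), and the OU and group names are made up for illustration. The Restricted Groups setting itself is still edited in GPMC; the script only creates and links the per-location GPO.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
# Location codes are constructed for the example; one OU and one admin group each.
$locations = @{ US = 'United States'; EU = 'Europe'; JP = 'Japan'; CN = 'China' }

foreach ($code in $locations.Keys) {
    $ouDN      = "OU=$code,$domainDN"
    $groupName = "$code Admins"

    # 1) One OU per physical location, directly under the domain root.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$code)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $code -Path $domainDN -Description $locations[$code]
    }

    # 2) Location-based admin group, stored inside the OU it will manage.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
    }

    # 3) Delegate full control of the OU (and everything beneath it) to that group.
    #    GenericAll on the OU is the "Full Control" the replies describe; it grants
    #    nothing outside this subtree, which is the point of the design.
    $sid  = (Get-ADGroup $groupName).SID
    $acl  = Get-Acl -Path "AD:\$ouDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl

    # 4) A GPO linked to the OU; configure Restricted Groups in it via GPMC
    #    (Computer Configuration > Windows Settings > Security Settings > Restricted Groups)
    #    to add "$groupName" to the local Administrators group of OU workstations.
    $gpoName = "$code Workstation Admins"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
        New-GPLink -Name $gpoName -Target $ouDN | Out-Null
    }
}

# Audit: who still holds forest-wide rights after the cleanup the replies recommend.
Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object Name, SamAccountName
```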