Company splitting -- need domain advice


sublimnl

Hi, just a quick question (hopefully). We currently have 6 sites
around the world and are currently running AD and Exchange2k in native
mode. One of our offices will be forming its own company fairly soon
and we need to make sure that they continue to stay up and running
after we kill off the VPN links to our other offices. The office
already has its own AD controller (which is also a GC) and its own
Exchange server. Will AD and Exchange be able to continue functioning
at this site after we pull the plug? If not, what will this break?

Thanks in advance...
 
Hello, It will destroy the site and either exchange or ad will be
functional. You should create a new forest and migrate their objects over to
their own new forest. When the migration is finished, demote the domain
controllers in the existing site today and remove it.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
I am assuming that mail for all the offices is routed with a single UPN
suffix, and there is only one single forest for all the offices?
If this is correct then you are going to have mail break down after you
completely separate yourself from the office, i.e. no trust, no VPN, nothing,
and users will not be able to authenticate to AD nor will they be able to
access any resources.
The new company will have to create a backup solution before both of you
pull the plug, meaning that they need to have their own email structure -
migrate their mail enabled/mailbox enabled users from the current forest to
their newly created Exchange structure, and similarly a new AD forest and
migrate all the users and resources to the new AD forest before they can get
separated completely.

-Jim
 
> Hello, It will destroy the site and either exchange or ad will be
> functional. You should create a new forest and migrate their objects over to
> their own new forest. When the migration is finished, demote the domain
> controllers in the existing site today and remove it.


Thanks for the reply. Just a couple of questions...

1. I assume your first sentence should read "It will destroy the site
and (n)either exchange or ad will be functional." Why is it then that
our remote sites are able to continue functioning during our power
outages or ISP outages? We have not had complaints from these sites
during instances where the connection back to HQ is down for whatever
reason.

2. I am concerned that they will not be able to procure equipment for
a new DC and Exchange server in time for the VPN cutoff date. Will
they still be able to use ADMT to migrate accounts from their local
DC/GC to a new domain if their VPN connection back to us has been cut
off?

Thanks again.
 
Answers inline

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

sublimnl said:
> > Hello, It will destroy the site and either exchange or ad will be
> > functional. You should create a new forest and migrate their objects over to
> > their own new forest. When the migration is finished, demote the domain
> > controllers in the existing site today and remove it.
>
> Thanks for the reply. Just a couple of questions...
>
> 1. I assume your first sentence should read "It will destroy the site
> and (n)either exchange or ad will be functional." Why is it then that
> our remote sites are able to continue functioning during our power
> outages or ISP outages? We have not had complaints from these sites
> during instances where the connection back to HQ is down for whatever
> reason.

[Christoffer Andersson]: Because you have 5 Flexible Single Master
Operation Roles that can only be held by one Domain Controller,
communication is required.

> 2. I am concerned that they will not be able to procure equipment for
> a new DC and Exchange server in time for the VPN cutoff date. Will
> they still be able to use ADMT to migrate accounts from their local
> DC/GC to a new domain if their VPN connection back to us has been cut
> off?

[Christoffer Andersson]: Possibly not, if the communication to the one or
more Domain Controllers holding the FSMO roles is cut off.
 
Jim, yes there is a single forest for all offices, however we have
several different domains we accept mail for. I am aware that
delivery to the remote mailboxes will fail after we pull their VPN
access. They will be hosting their own mail on a new domain which we
will then fwd messages to for a set period of time that has yet to be
determined. Why would they lose access to local network resources if
they have a local DC which is also a GC?

Thanks.
 
If they completely get separated then their mail will not work, since
Exchange 2000 has dependencies on AD global catalog servers. AD resources will
not be accessible, and logon authentication requests might be processed due to
cached credentials. And that is the reason why your users were able to
authenticate even though your HQ was down.

For the second question, are you just cutting off the VPN, and will you have a trust
relationship established with them? Because you definitely need some
mechanism to go across the original forest and access resources and migrate
users. ADMT, DMA etc. will not work unless you have an explicit trust
relationship established between the two.
So before you cut them off completely, establish trusts between the original
forest and their new forest and let them migrate their AD/Exchange related
objects.

-Jim
 
Thanks. So if they were not able to get equipment for a new AD
Controller and Exchange server in time for the VPN cutoff date then
they would need to seize the FSMO roles and remove the other sites and
DC's manually from AD, correct? I'm thinking that this would keep
their users up and running until they are able to purchase the
necessary equipment so that they can migrate their accounts to a new
domain.
 
We did a migration where we broke the connection and each site had an AD
image. We seized the roles in the remote site and the two will never speak
again. It went flawlessly.

Not a recommended method but it was quick, cheap and easy.

Metadata cleanup was all that was required.

If the two ever talked it could be a disaster. I would create a new domain
and use ADMT.
 
They will lose resource access as they get cut off prematurely. Are they
going to have their own forest? If yes, then they need to have all the
resource objects migrated before they get separated. Or are they going to
remain in the current forest? I am assuming that they need to get separated
and have their own forest by a certain date, and if you just cut the
connectivity to them before letting them migrate the security objects, e.g.
users, comps, mx accts etc., then how would they be able to access any
resources or process authentication?

-Jim
 
Paul, yes, these servers will never talk to each other again. Thanks
for the reassurance. :)

You said that each site had an AD image. Just so I do not get ahead
of myself here, do you just mean that each site had its own up to date
DC and GC prior to breaking connection or is there more involved?

Thanks!
 
It may be more complicated when you have Exchange deployed.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Each site had a replica of the AD. We kept the Exchange services on our
domain and the users needed to go back and build their own Exchange site and
internet domain site.

I don't recommend you do this. We have some extremely sharp people on
staff.
 