Separating trusted domains

greyseal96

Hi,

I've got a question about removing a trust relationship between two
domains that I was hoping that some kind person could help me with.
We have two domains that I'm pretty sure are two different forests
that are joined together in a two-way transitive trust. One of the
domains might be a tree in the forest of the other, but I'm pretty
sure that it isn't because its namespace is different, i.e. Domain1
is named company.com and Domain 2 is called homedomain.com. Is this
an incorrect assumption?

We would like to gracefully remove the relationship between these two
domains (company.com and homedomain.com), and I'm pretty sure that I
know how to do it, but after Googling for a few hours, I can only find
documentation on how to remove orphaned domains, or what to do if the
domains were disconnected un-gracefully. I was hoping that I could
list out the basic progression of steps that I'm going to follow and
perhaps somebody would be kind enough to tell me if I'm going to screw
things up.

I removed the trust relationship between the two domains in AD Domains
and Trusts, but when I went to AD Sites and Services to delete the
homedomain.com site and cease replication, I got a message saying that
it couldn't delete the site. I'm guessing that removing the trust
first was the wrong order, so I'm going to go back and re-establish
the trust. After doing that, here is what I think I should do:

1. Remove the site replication
2. Remove the trust relationship.
3. Remove the zones in DNS?

Is this the correct way to do it? I haven't been able to find any
documentation on utilities that will remove this relationship
gracefully. Can someone please give me some advice about the right
way to do this?

Thank you so much for any help that you can give...

Regards,
greyseal96
 
Paul Bergson [MVP-DS]

You could just have disjoint name space between the two domains, so you
can't make the assumption they aren't in the same forest. What you could do
is find out the FSMO role holder of the schema master. This is a forest
wide role and only resides in one domain in your forest. If both these
domains point to the same dc then you know they are two trees in one forest.

From a command prompt on a dc in each domain key in the following:

netdom query fsmo


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
greyseal96

Hi Paul,

Thanks for your help, I really appreciate it. I ran the query that
you suggested and here are the results that I got:

DC.company.com
---------------------------
Schema owner: dc.company.com
Domain role owner: dc.company.com
PDC role: dc.company.com
RID pool manager: dc.company.com
Infrastructure owner: dc.company.com

DC.homedomain.com
-------------------------------
Schema owner: dc.company.com
Domain role owner: dc.company.com
PDC role: dc.homedomain.com
RID pool manager: dc.homedomain.com
Infrastructure owner: dc.homedomain.com

Since the schema owner and domain role owner is dc.company.com in both
cases, does that mean that homedomain.com is a tree in the company.com
forest? Also, I don't know if this will help or not, but
dc.homedomain.com is a Win2k3 server and it shows the trust type a
little differently in AD Domains and Trusts. It shows the trust type
for each domain as Tree Root, whereas on dc.company.com (a Win2k
server), it shows the trust type as Shortcut. Is that just a
difference between Win2k and Win2k3?
From what I've read, it appears that there isn't a graceful way to
unjoin a tree domain from the forest, is there? I'm hoping that I'm
wrong.

Thanks again for your taking the time to help.

Regards,
John
 
Paul Bergson [MVP-DS]

Yes, they are both disjoint trees in a single forest. You can't break the
trust between them. You would have to build a new forest and migrate the
objects across using something such as ADMT.


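The check Paul describes (compare the forest-wide FSMO holders) and the conclusion he draws from it, as an added PowerShell example that is not code from the thread. It assumes the RSAT ActiveDirectory module and read access to both domains; the domain names are the ones used in the thread.

```powershell
# Added example, not from the thread: classify the relationship between two
# domains from the same evidence "netdom query fsmo" gives. Assumes the RSAT
# ActiveDirectory module and read access to both domains (assumption).
Import-Module ActiveDirectory

function Get-DomainForestInfo {
    param([Parameter(Mandatory)][string] $Domain)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    [PSCustomObject]@{
        Domain               = $d.DNSRoot
        Forest               = $f.Name
        # Forest-wide roles: one holder per forest, so equal values mean one forest
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        # Domain-wide roles: one holder per domain, expected to differ
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-SameForest {
    param([Parameter(Mandatory)][string] $DomainA,
          [Parameter(Mandatory)][string] $DomainB)
    $a = Get-DomainForestInfo -Domain $DomainA
    $b = Get-DomainForestInfo -Domain $DomainB
    $a, $b | Format-Table Domain, Forest, SchemaMaster, DomainNamingMaster, PDCEmulator -AutoSize | Out-Host

    # The trust object between the two domains, seen from DomainA
    $trust = Get-ADTrust -Server $DomainA -Filter "Target -eq '$DomainB'"

    if ($a.Forest -eq $b.Forest -and $a.SchemaMaster -eq $b.SchemaMaster) {
        Write-Host "$DomainA and $DomainB are trees of one forest ($($a.Forest))."
        Write-Host "The tree-root trust cannot be removed; separating them means a new forest and an object migration (e.g. ADMT)."
        $trust | Select-Object Name, TrustType, Direction, IntraForest | Out-Host
    }
    else {
        Write-Host "$DomainA and $DomainB are in different forests; the inter-forest trust below is what AD Domains and Trusts removes."
        $trust | Select-Object Name, TrustType, Direction, ForestTransitive, IntraForest | Out-Host
    }
}

Test-SameForest -DomainA 'company.com' -DomainB 'homedomain.com'
```

With the thread's results (schema master dc.company.com for both), this reports one forest and a non-removable intra-forest trust, which is the outcome Paul states.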
 
greyseal96

Paul,

Thanks for your help. That's what I was afraid of, but at least I now
know what I have to do. Thanks again.

Regards,
John
 