Our company is divesting part of the organization into a separate company. That means we need to split our AD forest into two separate forests. We have a sense of how we are going to do it, but one question I have is the sequence.
We are going to build the new forest (both forests are empty root, single domain) and set up an external trust between the two main domains. One plan has us migrating resources such as workstations, servers, etc. to the new forest, maintaining ACLs, etc. to the resources, and then migrating accounts towards the end. The second plan has us migrating the accounts first and using SID history to maintain access to legacy resources until they are migrated to the new domain. Both plans seem to work technically, but we are not sure of "best practices" as far as the migration. A recent talk at MEC suggested the latter as opposed to the former. Since we have not gone through this before in our organization, I was hoping that folks that have gone through this might shed some light...

Diane
