Roger, Though I missed the obvious in Joe's post (sever the connections, then seize the roles) I concur 100% with you. A clean Root and child domain and migration of Sec Principals, GPO, etc - much cleaner and less subject to the unknowns.
Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > Roger Seielstad > Sent: Thursday, December 05, 2002 8:02 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] Separating an Active Directory Forest > > > I looked at doing an NT4 domain split that way, and decided > against it, as there would be quite a bit of garbage > collection to go on. > > Really - the migration is going to be the cleanest split. > > ------------------------------------------------------ > Roger D. Seielstad - MCSE > Sr. Systems Administrator > Inovis - Formerly Harbinger and Extricity > Atlanta, GA > > > > -----Original Message----- > > From: Joe.Baird [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, December 05, 2002 8:45 AM > > To: [EMAIL PROTECTED] > > Subject: Re: [ActiveDir] Separating an Active Directory Forest > > > > > > Rick, what they are trying to mimic is to other company > > completely burning > > to the ground so to speak. They are going to cut the WAN > > connection and > > then pretend that the other DCs no longer exist. Meaning > > they go into a > > disaster recovery mode by seizing all of the roles and begin > > the metadata > > cleanup. > > > > ----- Original Message ----- > > From: "Rick Kingslan" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Wednesday, December 04, 2002 6:26 PM > > Subject: RE: [ActiveDir] Separating an Active Directory Forest > > > > > > > Joe, > > > > > > IMHO and experience, wish them good luck. The reason why > > there must be > > > a migration for one group or the other is because someone > > has to own the > > > original forest. You cannot just BOTH seize the Schema > and Domain > > > Naming FSMO roles to the respective 'new root', as it can > > only be held > > > by one or the other. > > > > > > With the current tools, I can't even imagine this being > successful - > > > without a migration of new Company B's computers, users, > and groups > > > (plus all of the ancillary stuff) to a new forest. > > > > > > Ack! > > > > > > Rick Kingslan MCSE, MCSA, MCT > > > Microsoft MVP - Active Directory > > > Associate Expert > > > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED]] On Behalf > Of Joe.Baird > > > > Sent: Wednesday, December 04, 2002 1:06 PM > > > > To: [EMAIL PROTECTED] > > > > Subject: [ActiveDir] Separating an Active Directory Forest > > > > > > > > > > > > Well I have a good one for everyone. I have a customer that we > > > > did the original Active Directory design and implementation for > > > > last year and they are being considered for sell next > year. The > > > > problem is that they are in a forest structure (Single > tree, with > > > > empty root and the two companies being child domains under the > > > > empty root) with the parent organization and neither of > them want > > > > to absorb the expense of doing a migration out of the > forest. As a > > > > note, both organizations do have two root dcs in their central > > > > sites. Basically the process they have come up with is to: > > > > > > > > 1.) Build a DC from the other company's domain in each > of the two > > > > organizations data centers. > > > > 2.) Break the link between the two organizations > > > > 3.) Seize the respective FSMO roles from the root > domain to the > > > > existing root domain DCs > > > > 4.) Seize the 3 domain FSMO roles to the newly created DC > > > > 5.) Remove all corresponding Service and DNS records > > > > 6.) Do a metadata cleanup on all DCs from the other domains > > > > 7.) Then run dcpromo on the DC from the other domain > to remove it > > > > from the organization. > > > > > > > > Basically they both want to keep the existing root forest > > > > structure but remove the others domain structure. The biggest > > > > hurdle that I see is the inability to successfully > demote the DC > > > > and choosing the option that ":this is the last DC in this > > > > domain". If anyone has tried this or has input on potential > > > > issues please let me know. > > > > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
