Title: RE: [ActiveDir] Separating an Active Directory Forest

The problem with this approach is that the Kerberos information for the forest, as well as the account and domain SIDs, remain the same. This opens each company to being vulnerable from the other, as the accounts have identical SIDs. The problem may never materialize, but I'm not sure this is a good practice.

Regards,
--Joeri

> -----Original Message-----
> From: Joe.Baird [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 4 December 2002 20:06
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Separating an Active Directory Forest
>
>
> Well I have a good one for everyone.  I have a customer that
> we did the original Active Directory design and
> implementation for last year and they are being considered
> for sale next year.  The problem is that they are in a forest
> structure (Single tree, with empty root and the two companies
> being child domains under the empty root) with the parent
> organization and neither of them want to absorb the expense
> of doing a migration out of the forest. As a note, both
> organizations do have two root dcs in their central sites.
> Basically the process they have come up with is to:
>
> 1.)  Build a DC from the other company's domain in each of
> the two organizations data centers.
> 2.)  Break the link between the two organizations
> 3.)  Seize the respective FSMO roles from the root domain to
> the existing root domain DCs
> 4.)  Seize the 3 domain FSMO roles to the newly created DC
> 5.)  Remove all corresponding Service and DNS records
> 6.)  Do a metadata cleanup on all DCs from the other domains
> 7.)  Then run dcpromo on the DC from the other domain to
> remove it from the organization.
>
>  Basically they both want to keep the existing root forest
> structure but remove the other's domain structure.  The
> biggest hurdle that I see is the inability to successfully
> demote the DC and choosing the option that "this is the last
> DC in this domain".  If anyone has tried this or has input on
> potential issues please let me know.
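The SID and Kerberos point raised in the reply above, as an added check that is not from either poster: assuming the ActiveDirectory PowerShell module and a reachable root-domain DC in each post-split forest, it reports whether the two root domains still share a domain SID and whether each side's krbtgt secret has been reset since the link was broken. The server names and the split date are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# one reachable root-domain DC per post-split forest; names are placeholders.
Import-Module ActiveDirectory

$forestA   = 'dc1.root.companya.example'   # placeholder root DC, forest A
$forestB   = 'dc1.root.companyb.example'   # placeholder root DC, forest B
$splitDate = Get-Date '2002-12-04'         # placeholder: day the link was broken

function Get-SplitDomainInfo {
    param([string]$Server)
    $domain = Get-ADDomain -Server $Server
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $Server -Properties PasswordLastSet
    [pscustomobject]@{
        Server        = $Server
        DnsRoot       = $domain.DNSRoot
        DomainSID     = $domain.DomainSID.Value
        KrbtgtLastSet = $krbtgt.PasswordLastSet
    }
}

$a = Get-SplitDomainInfo -Server $forestA
$b = Get-SplitDomainInfo -Server $forestB

# Finding 1: a domain SID cannot be changed after the split, so well-known RIDs
# (512 Domain Admins, 519 Enterprise Admins) resolve to the same SID in both
# forests. Any future trust must keep SID filtering on, and SID history from the
# other forest must never be accepted, or group membership becomes ambiguous.
if ($a.DomainSID -eq $b.DomainSID) {
    Write-Warning ("Both forests share domain SID {0}: keep SID filtering enabled " +
                   "on any trust created later and do not accept SID history.") -f $a.DomainSID
}

# Finding 2: the krbtgt secret was copied along with the domain. Each side should
# reset it twice after the split (allowing replication between resets) so tickets
# issued by one forest are no longer verifiable by the other.
foreach ($d in @($a, $b)) {
    if ($d.KrbtgtLastSet -lt $splitDate) {
        Write-Warning ("{0}: krbtgt password last set {1}, before the split; " +
                       "reset it twice, allowing replication between resets.") -f $d.DnsRoot, $d.KrbtgtLastSet
    }
}
```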