Thanks, that option has already been suggested to me in a private mail... and I think it might be far more feasible than the earlier adventurous idea. :-)

Just in case someone needs it, here is the link for AD replication over VPN:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

--
Kamlesh
On 9/18/06, Rich Milburn <[EMAIL PROTECTED]> wrote:

You said both sites have Internet connectivity; can you not configure replication through a VPN between the sites? A lot of implementations have replication across firewalls in that manner. And if not, what about dial-up between them? 700 users to what, maybe 2000 objects – that's not a lot of replication traffic to keep the DCs in the two sites in sync. I'd surely think that would be easier to work out than breaking up your domain and dealing with the aftermath…

Rich

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Saturday, September 16, 2006 8:34 PM

Subject: Re: [ActiveDir] splitting a domain into two

Yeah. See, the problem with that "policy" concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :)

That said, I would think it's extremely dangerous to try and break it like that. Although it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains, leaving you with a potentially difficult name-resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well.

I think in this case, option 3 would be preferred:

3) Leave the domains alone and allow the network break to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you. Remember that at that time your replication will likely resume. Try to keep a change freeze as long as you can if the networks will be able to see each other.

It might not be a bad idea to check on the tombstone time and raise that if you can. WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to the timing of WAN link configurations.

Be sure to communicate as much as possible about the risks and tradeoffs. That way you can stick your tongue out later and sing, "I told ya so!" at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.)

My $0.04 (USD) anyway.

Al

On 9/16/06, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Well :-)

I suppose you are looking at the tiny figure of 300 users and asking why not choose option 1 straight away.

If only every IT manager were as forceful and articulate about the danger of short-term decisions as you are.

About migrating to the corporate domain, that is achievable, as both sites are not going to get links simultaneously, so whoever gets a link first gets migrated first, with security translation as the preferred method, and we basically have a policy to remove SIDHistory along with demotion of the old domain. And here it will be a serialized migration, one after another rather than simultaneous.

The assumption here being: once the trust with one domain is established and the machines are migrated, the trust is broken.

I suppose creating a trust again with the same domain name at a different site should not be an issue.

--
Kamlesh

On 9/16/06, joe <[EMAIL PROTECTED]> wrote:

First impression: Yuck.

The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name resolution for the trusts; even if you could, you would most likely run into SID issues if you maintained SID History.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 4:57 PM
To: [email protected]
Subject: [ActiveDir] splitting a domain into two

Dear All,

Scenario:
Single regional domain, two sites, both sites having separate links to the Internet and direct WAN connectivity with each other.
AD Integrated DNS
site1: 300 users
site2: 400 users

Now, due to restructuring, they have decided to get rid of the WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to the corporate domain in due course.

The problem here is that the WAN connectivity to the hub site will be commissioned at different times (one month apart), and they want to get rid of the WAN link joining site1 with site2 NOW. Other problems like mail access and such will be handled through the Internet link.

Now the issue is what to do about the AD domain, as the DCs will lose direct network connectivity.

The solutions we are looking at are:
1) Migrate one of the locations into a separate domain, and thus break the dependence of both sites on a single domain.
2) Just break the network link as requested, and here comes the crummy part :)
    Instead of migrating one of the sites to a new domain, you just split the domain into two isolated networks, where each site's DC will think it is the only DC handling all the stuff for that domain.

Basically: 1) break the link; 2) point the DCs to themselves for DNS; 3) seize all the roles; 4) do metadata & DNS cleanup of the other DC.

Net result: each DC believes it owns the domain. Just make sure they never talk to each other directly.

Now, any foreseeable issues with the 2nd approach?
Please don't include layer 8 issues ;); I am purely looking at technical feasibility and precautions if we go ahead.

--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
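Kamlesh's option 2 steps (point each DC at itself for DNS, seize the roles, clean up the other DC's metadata and DNS records) and Al's tombstone-lifetime check, written out as the PowerShell an admin would run on the surviving DC at one site. This is an added example, not code from the thread or from Microsoft; the names DC1 (kept), DC2 (removed), Site2 and the NIC alias Ethernet are assumptions, and the cmdlets are those of the ActiveDirectory, DnsClient, DnsServer and NetTCPIP modules on a current Windows Server rather than the 2006-era ntdsutil-only workflow (ntdsutil is still used for the metadata cleanup step). Raising tombstoneLifetime needs Enterprise Admins and must replicate to both DCs, so that part runs before the link is cut; the split itself runs after.

```powershell
# Added example for this thread, not code from the list or from Microsoft.
# Assumptions: DC1 is the DC staying at this site, DC2 the DC at the site being
# cut off, Site2 is DC2's AD site, 'Ethernet' is DC1's NIC alias. Requires the
# ActiveDirectory, DnsClient, DnsServer and NetTCPIP modules (Windows Server
# 2012+), plus ntdsutil, netdom and repadmin, in an elevated session on DC1.
Import-Module ActiveDirectory
Import-Module DnsServer

$keptDc        = 'DC1'
$removedDc     = 'DC2'
$removedDcSite = 'Site2'
$nicAlias      = 'Ethernet'
$rootDse       = Get-ADRootDSE
$configNc      = $rootDse.configurationNamingContext
$domainDns     = (Get-ADDomain).DNSRoot

# Phase 1 (Al's point): run BEFORE the link is cut, while the DCs still
# replicate, so the new value reaches both sides. tombstoneLifetime is the
# number of days after which a DC refuses to replicate with a partner it has
# not heard from, so it bounds how long a reconnect can still be "undone".
function Set-TombstoneLifetimeForSplit([int]$Days = 180) {
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $ds   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    # An absent attribute means the pre-2003-SP1 default of 60 days.
    $current = if ($null -ne $ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    Write-Host "tombstoneLifetime: $current days"
    if ($current -lt $Days) {
        Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = $Days }
        Write-Host "raised to $Days days; check with 'repadmin /showrepl' that it reached $removedDc"
    }
}

# Phase 2 (Kamlesh's steps 2-4): run AFTER the WAN link is down, on DC1 only.
# The same function, with the two names swapped, is run on DC2 at the other site.
function Invoke-SiteSplitOnSurvivingDc {
    # Step 2: point this DC's DNS client at its own address.
    $selfIp = (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $nicAlias).IPAddress
    Set-DnsClientServerAddress -InterfaceAlias $nicAlias -ServerAddresses $selfIp

    # Step 3: seize all five FSMO roles. -Force turns a transfer into a seizure,
    # which is needed because the current holder is unreachable.
    Move-ADDirectoryServerOperationMasterRole -Identity $keptDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Force -Confirm:$false

    # Step 4a: metadata cleanup, removing DC2's server and NTDS Settings objects
    # from the configuration partition (Server 2008+ ntdsutil one-liner).
    $serverDn = "CN=$removedDc,CN=Servers,CN=$removedDcSite,CN=Sites,$configNc"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

    # Step 4b: DNS cleanup, removing the SRV, NS and CNAME records that still
    # advertise DC2 in the domain zone and in the _msdcs zone (if separate).
    $removedFqdn = "$removedDc.$domainDns"
    foreach ($zone in @($domainDns, "_msdcs.$domainDns")) {
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) { continue }
        Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
            Where-Object { $_.RecordData.DomainName -like "$removedFqdn*" } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
        Get-DnsServerResourceRecord -ZoneName $zone -RRType Ns |
            Where-Object { $_.RecordData.NameServer -like "$removedFqdn*" } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
        Get-DnsServerResourceRecord -ZoneName $zone -RRType CName |
            Where-Object { $_.RecordData.HostNameAlias -like "$removedFqdn*" } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
    }

    # Check: DC1 should now hold every role and list no replication partners.
    netdom query fsmo
    repadmin /showrepl $keptDc
}

# Set-TombstoneLifetimeForSplit    # before the link is cut
# Invoke-SiteSplitOnSurvivingDc    # after the link is cut
```

Nothing in the script enforces Kamlesh's "make sure they never talk to each other directly" condition: after both sides have seized the roles, the two DCs are independent copies of a domain with the same name and SID, and only the network (firewall rules, removed routes) keeps them apart until each is demoted into the corporate domain.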




