The DomainB that you want to split off still needs the root domain (DomainA) to work.
So you can't just say screw DomainA and cut it off. You'll need at least 1 (2 for redundancy) DCs of DomainA to remain in the site you wish to split off. No problems to get rid of DomainB in the site that keeps DomainA.

There are still multiple risks with this approach, as you don't need direct connectivity for the folks in Site2 (DomainB) to do harm to your folks in Site1 (DomainA) - they still have the same Enterprise Admins and local Admins SID in the root domain and you can do a lot of things with a notebook that travels between these sites...

So ideally (and really the only way to do it safely from a security standpoint) you're talking about a migration of your DomainB objects to a new forest.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Wednesday, October 04, 2006 11:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Single forest with two domain trees to splut up.

Hello,

This is my first post, so please forgive me if this question has already been asked...

I have a mixed AD forest with two domain trees. Each domain tree is located at a different geographical site, and Sites and Services is configured to reflect this. DomainA has the namespace of 'logistics.ads' and DomainB has a namespace of 'finance.dom'. The very first domain tree (DomainA) is a Windows 2000 domain and the second domain tree (DomainB) is a Windows 2003 domain.

Finance.dom has been bought by a third party and I must split the forest in two and resolve any issues that arise from doing this.

As logistics.ads was the first domain in the forest, it holds the Schema Master role and Domain Naming Master role. Exchange 2000 is installed at DomainA and Exchange 2003 is installed in DomainB. Administrative groups are used to reflect the geographical topology of my set-up. Each domain has its own SMTP namespace and SMTP routing will not be a problem as I can comfortably overcome this. The GAL being split and replaced with contacts is acceptable and I have no issues at this level.

The WAN connection between the domains will be removed and the only means of communication between the two organisations will be through SMTP routing through the internet and nothing else. No other applications between the domains are in use, besides Exchange.

My current plan is to simply cut the link between the sites and seize the roles that are missing from the newly split domains - so in effect bringing up two forests. Issues with Exchange, ghosted servers in AD, and so on will be removed using ADSI Edit and NTDSUtil.

My main question is this: is there a better technique I should follow for splitting up a forest, or am I on the right track?

Thanks in advance

René

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx