Thanks for your reply. I understand what you say and I accept that migrating DomainB is the only correct way forward.
After I have migrated DomainB to a new forest, I will collapse DomainB so that only DomainA is left standing and therefore leave my original forest in good shape.

Thanks and Regards
René

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Grillenmeier, Guido
> Sent: 05 October 2006 18:14
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Single forest with two domain trees to splut up.
>
> The DomainB that you want to split off still needs the root domain (DomainA) to work.
>
> So you can't just say screw DomainA and cut it off. You'll need at least 1 (2 for redundancy) DCs of DomainA to remain in the site you wish to split off. No problems to get rid of DomainB in the site that keeps DomainA.
>
> There are still multiple risks with this approach as you don't need direct connectivity for the folks in Site2 (DomainB) to do harm to your folks in Site1 (DomainA) - they still have the same Enterprise Admins and local Admins SID in the root domain and you can do a lot of things with a notebook that travels between these sites...
>
> So ideally (and really the only way to do it safely from a security standpoint) you're talking about a migration of your DomainB objects to a new forest.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: Wednesday, October 04, 2006 11:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Single forest with two domain trees to splut up.
>
> Hello,
>
> This is my first post, so please forgive me if this question has already been asked...
>
> I have a mixed AD forest with two domain trees. Each domain tree is located at a different geographical site, and sites and services is configured to reflect this. DomainA has the namespace of 'logistics.ads' and DomainB has a namespace of 'finance.dom'. The very first domain tree (DomainA) is a Windows 2000 domain and the second domain tree (DomainB) is a Windows 2003 domain.
>
> Finance.dom has been bought by a third party and I must split the forest in two and resolve any issues that arise from doing this. As logistics.ads was the first domain in the forest, it holds the Schema Master role and Domain naming master role.
>
> Exchange 2000 is installed at DomainA and Exchange 2003 is installed in DomainB. Administrative groups are used to reflect the geographical topology of my set-up. Each domain has its own SMTP namespace and SMTP routing will not be a problem as I can comfortably overcome this. The GAL being split and replaced with contacts is acceptable and I have no issues at this level.
>
> The WAN connection between the domains will be removed and the only means of communication between the two organisations will be through SMTP routing through the internet and nothing else. No other applications between the domains are in use, besides Exchange.
>
> My current plan is to simply cut the link between the sites and seize the roles that are missing from the newly split domains - so in effect bringing up two forests. Issues with Exchange, ghosted servers in AD, and so on will be removed using ADSI edit and NTDSutil.
>
> My main question is this: is there a better technique I should follow for splitting up a forest or am I on the right track?
>
> Thanks in advance
> René
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx