Thanks for your reply.  I understand what you say and I accept that
migrating DomainB is the only correct way forward.

After I have migrated DomainB to a new forest, I will collapse DomainB so
that only DomainA is left standing and therefore leave my original forest in
good shape.

Thanks and Regards

> -----Original Message-----
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Grillenmeier, Guido
> Sent: 05 October 2006 18:14
> To:
> Subject: RE: [ActiveDir] Single forest with two domain trees 
> to split up.
> The DomainB that you want to split off still needs the root 
> domain (DomainA) to work.
> So you can't just say screw DomainA and cut it off. You'll 
> need at least 1 (2 for redundancy) DCs of DomainA to remain 
> in the site you wish to split off. No problems to get rid of 
> DomainB in the site that keeps DomainA.
> There are still multiple risks with this approach as you 
> don't need direct connectivity for the folks in Site2 
> (DomainB) to do harm to your folks in Site1 (DomainA) - they 
> still have the same Enterprise Admins and local Admins SID in 
> the root domain and you can do a lot of things with a 
> notebook that travels between these sites...
> So ideally (and really the only way to do it safely from a 
> security standpoint) you're talking about a migration of your 
> DomainB objects to a new forest.
> /Guido
> -----Original Message-----
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: Wednesday, October 04, 2006 11:10 PM
> To:
> Subject: [ActiveDir] Single forest with two domain trees to split up.
> Hello,
> This is my first post, so please forgive me if this question 
> has already been asked...
> I have a mixed AD forest with two domain trees.  Each domain 
> tree is located at a different geographical site, and sites 
> and services is configured to reflect this.  DomainA has the 
> namespace of '' and DomainB has a namespace of 
> 'finance.dom'. The very first domain tree (DomainA) is a 
> Windows 2000 domain and the second domain tree (DomainB) is a 
> Windows 2003 domain.
> Finance.dom has been bought by a third party and I must split 
> the forest in two and resolve any issues that arise from 
> doing this.  As was the first domain in the 
> forest, it holds the Schema Master role and Domain naming master role.
> Exchange 2000 is installed at DomainA and Exchange 2003 is 
> installed in DomainB.  Administrative groups are used to 
> reflect the geographical topology of my set-up.  Each domain 
> has its own SMTP namespace and SMTP routing will not be a 
> problem as I can comfortably overcome this.  The GAL being 
> split and replaced with contacts is acceptable and I have no 
> issues at this level.
> The WAN connection between the domains will be removed and 
> the only means of communication between the two organisations 
> will be through SMTP routing through the internet and nothing 
> else.  No other applications between the domains are in use, 
> besides Exchange.
> My current plan is to simply cut the link between the sites 
> and seize the roles that are missing from the newly split 
> domains - so in effect bringing up two forests.  Issues with 
> Exchange, ghosted servers in AD, and so on will be removed 
> using ADSI edit and NTDSutil.
> My main question is this: is there a better technique I should 
> follow for splitting up a forest or am I on the right track?
> Thanks in advance
> René
> List info   :
> List FAQ    :
> List archive: