Hi all,
I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)
- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.
- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. All forest B pocket network DCs can talk to each other as well as back home.
D-Day:
- Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)
- Firewall off communication to company B's network, and open up comm to company A's network. This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration.
There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).
- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.
- Establish the forest trust from A to B.
Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's resources from A's users, isn't it?
- Do the migration.
- Remove the trust.
- Flip the pocket network firewalls back to block network A and allow network B.
- Let replication settle down, then transfer FSMOs back to their original locations.
- Misc. cleanup, like removing conditional forwarding.
Appreciate any fine-tuning of this scenario, thanks!
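The D-day sequence above, scripted in PowerShell as an added example; this is not from the original post and not Quest's tooling. It assumes the ActiveDirectory and DnsServer RSAT modules, a session with admin rights in the forest each step is marked for, and placeholder forest, DC and IP names (corp-a.example, corp-b.example, DCA01, DCB-POCKET01, DCB-HOME01 and the 10.x addresses are all assumptions). It also assumes "outgoing from A" means A is the trusting forest and B the trusted one; if the migration tool wants the other direction, swap Outbound for Inbound. On the DNS question: a conditional forwarder created with -ReplicationScope Forest is stored in the ForestDnsZones partition and replicates to every DNS server in that forest, so it is created once per forest rather than on each of forest A's DCs.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
using namespace System.DirectoryServices.ActiveDirectory
# Added example, not from the original post. Every name and address below is a placeholder.
$ForestA     = 'corp-a.example'               # assumed: forest A root domain
$ForestB     = 'corp-b.example'               # assumed: forest B (single domain)
$ForestADC   = 'DCA01'                        # assumed: any forest A DC running DNS
$PocketDC    = 'DCB-POCKET01'                 # assumed: forest B DC in a company A pocket network
$HomeDC      = 'DCB-HOME01'                   # assumed: forest B DC that normally holds the roles
$PocketDCIPs = @('10.50.1.10', '10.50.2.10')  # assumed: pocket-network DC addresses
$ForestAIPs  = @('10.1.0.10', '10.1.0.11')    # assumed: forest A DNS servers

# Step 1 (forest B, before the firewall flip): move PDC Emulator and RID Master to the
# pocket-network DC so both stay reachable from company A's network during the migration.
function Move-PdcAndRid {
    param([string]$TargetDC)
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
    Get-ADDomain -Server $TargetDC | Select-Object PDCEmulator, RIDMaster
}

# Step 2 (both forests): conditional forwarder for the other forest. With -ReplicationScope
# Forest the zone is AD-integrated in ForestDnsZones and reaches every DNS server in the
# forest, so one call per forest is enough.
function Add-ForestWideForwarder {
    param([string]$ZoneName, [string[]]$MasterServers, [string]$ComputerName)
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers `
        -ReplicationScope 'Forest' -ComputerName $ComputerName
}

# Binds to the remote forest with explicit credentials (needed because
# CreateTrustRelationship/DeleteTrustRelationship act on both sides of the trust).
function Get-RemoteForest {
    param([string]$ForestName, [pscredential]$Cred)
    $ctx = [DirectoryContext]::new([DirectoryContextType]::Forest, $ForestName,
        $Cred.UserName, $Cred.GetNetworkCredential().Password)
    return [Forest]::GetForest($ctx)
}

# Step 3 (forest A): one-way forest trust. Outbound from A makes A the trusting forest and
# B the trusted forest, i.e. B's principals can be granted access to A's resources.
function New-OneWayForestTrust {
    param([string]$TargetForest, [pscredential]$TargetCred, [switch]$SelectiveAuth)
    $local  = [Forest]::GetCurrentForest()
    $remote = Get-RemoteForest -ForestName $TargetForest -Cred $TargetCred
    $local.CreateTrustRelationship($remote, [TrustDirection]::Outbound)
    if ($SelectiveAuth) {
        # Selective authentication on the trusting side: trusted-forest (B) users must also
        # hold "Allowed to Authenticate" on each forest A computer before they can use it.
        $local.SetSelectiveAuthenticationStatus($TargetForest, $true)
    }
    $local.GetTrustRelationship($TargetForest) | Format-List TargetName, TrustDirection, TrustType
}

# Step 4 (forest A, after the migration): remove both sides of the trust.
function Remove-OneWayForestTrust {
    param([string]$TargetForest, [pscredential]$TargetCred)
    $local  = [Forest]::GetCurrentForest()
    $remote = Get-RemoteForest -ForestName $TargetForest -Cred $TargetCred
    $local.DeleteTrustRelationship($remote)
}

# Step 5 (forest B, after the firewalls are flipped back): refuse to move the roles home
# until every inbound replication partner of the home DC reports success (result code 0).
function Restore-FsmoHome {
    param([string]$HomeDC)
    $bad = Get-ADReplicationPartnerMetadata -Target $HomeDC -Scope Server |
        Where-Object { $_.LastReplicationResult -ne 0 }
    if ($bad) { throw "Replication to $HomeDC not clean yet: $($bad.Partner -join ', ')" }
    Move-ADDirectoryServerOperationMasterRole -Identity $HomeDC `
        -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
}

# Step 6 (both forests): conditional forwarders are removed like any other zone.
function Remove-ForestWideForwarder {
    param([string]$ZoneName, [string]$ComputerName)
    Remove-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -Force
}

# D-day run order; each call runs in the forest named in its step's comment.
$credB = Get-Credential -Message 'Forest B enterprise admin'
Move-PdcAndRid -TargetDC $PocketDC                                                              # forest B
Add-ForestWideForwarder -ZoneName $ForestB -MasterServers $PocketDCIPs -ComputerName $ForestADC # forest A
Add-ForestWideForwarder -ZoneName $ForestA -MasterServers $ForestAIPs -ComputerName $PocketDC   # forest B
New-OneWayForestTrust -TargetForest $ForestB -TargetCred $credB -SelectiveAuth                  # forest A
# ... migration runs here ...
Remove-OneWayForestTrust -TargetForest $ForestB -TargetCred $credB                              # forest A
Restore-FsmoHome -HomeDC $HomeDC                                                                # forest B, after flip
Remove-ForestWideForwarder -ZoneName $ForestB -ComputerName $ForestADC                          # forest A
Remove-ForestWideForwarder -ZoneName $ForestA -ComputerName $PocketDC                           # forest B
```

Two caveats a practitioner would add to the plan: the D-day firewall openings between forest A's DCs and the pocket DCs must cover the DC-to-DC traffic the trust uses (DNS, Kerberos, LDAP, SMB, the RPC endpoint mapper and dynamic RPC), not only DNS; and SetSelectiveAuthenticationStatus gates authentication to the trusting forest's resources, so which forest's resources it protects depends entirely on which side is trusting, which is why the direction assumption above matters.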
