I didn't read Harvey's comment "ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back" as something that already exists today. I would have thought it is part of his plan and that today there are no DCs from Company B in any of Company A's locations. So we're using different assumptions in our discussion. Harvey, can you clarify?

Also note Jorge's very valid comment on responsibility: the interim forest C has a clear hand-over of responsibility of the BU being divested.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

Agreed that the risk is there. Good idea to spell it out, but I got the sense that much gnashing of teeth was already had over the decision to create a one-way trust or not. And because the DCs already share a network (even though firewalled from time to time), I'm not seeing how the forest C topology helps to mitigate the risk you describe. They'll still have possession of a DC from a previously trusted (and therefore suspect) forest. No difference there. Unless Forest A keeps control of the "demilitarized" forest C. But then how does Forest B learn to trust them? :)

In any event, I see a double migration without much mitigation of risk nor benefit. I'm guessing I'm missing something in the description of the problem, or else not asking the right question(s). I'm curious if that's the case. If so, is there more information to be aware of in this scenario that can be shared?

On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

Al, what risk has been assumed? You're assuming everyone understands all the potential risks of binding two AD infrastructures together as suggested, and that we're all playing nice with one another? I'm not assuming that. I'm always assuming that there is potential for the bad guys to be around. And if they are, the original plan allows the wrong people (read: Admins of Domain A) to have access to DCs of Domain B. And potentially also the other way around. Not good. Unless it's a merger and we're talking the same company – but that's not the case here – these are two different companies.

A firewall doesn't protect from a compromised DC, especially if you bring that DC back into your production forest…

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

Curious. I'm not seeing the same things as Guido here. PDC/RID will remain in the forest, but it will be blocked for the duration of the migration while the A forest and B forest are not firewalled in that one site (as I read it).

But what makes me curious is this: the risk has already been assumed. What is the advantage here of adding forest C? I see that it's extra steps, but I don't see the connection to the drawn-out go-at-your-own-pace migration. I'm interested in having it spelled out for me though. Please. :)

On 10/10/06, Harvey Kamangwitz <[EMAIL PROTECTED]> wrote:

I certainly wouldn't allow it if I were security either, but they said it was okay. Probably has something to do with the fact the acquisition will almost double the size of the company :).

The interim forest is a great idea. I had intended to bring up a test forest to dry-run the migration in Company A's environment, but I didn't follow the train of thought through to suggest that the actual migration be done to that forest, and moved to the target company.

On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

If I were the security officer for Company B, I would have real issues with this plan. Most companies with sufficient understanding of AD security would not want any of their DCs placed in any location where the other company's network is still active (i.e. DCs from Company A and Company B on the same network). That's different in a merger, where the full IT infrastructure will be merged anyway. But you're talking about a divestiture of a PART of a company.

The plan you're describing doesn't really scale well over time – not sure if you're considering issues you're experiencing during the migration – how long are you willing to run forest B without PDC/RID etc.?

What I've done in similar situations is to implement an interim forest.

Step 1: Implement interim Forest C in Company A's network & migrate objects and resources from the divested BU over from Forest A to C. Test that the divested BU works in Forest C and that other Company A BUs continue to work fine as well. Potentially change the naming convention of objects to that of Company B during the migration to Forest C. Troubleshoot as necessary.

Step 2: When ready, separate the network of Forest C from Company A and integrate it with the network from Company B.

Step 3: With sufficient time for planning the integration, migrate objects and resources from Forest C to B. If not done previously, adjust the naming convention of objects during this migration.

This sounds like a whole lot of extra work, but usually it pays off: it is the most secure way to separate the divested part of the company and doesn't put either company at (unwanted) risk. It also gives you more flexibility on when to do which step and won't cause any issues with either of the operational forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harvey Kamangwitz

Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from Company A to Company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)

- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.
- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-Day. All forest B pocket network DCs can talk to each other as well as back home.

D-Day:

- Transfer PDC and RID FSMOs to one of Company B's pocket network DCs. (See next step for why.)
- Firewall off communication to Company B's network, and open up comm to Company A's network. This will make for a temporarily unhappy Company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the Company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration. There should now be a functional Company B forest on Company A's network (though it'll be complaining about missing DCs).
- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in ForestA? They have a lot of DCs.
- Establish the forest trust from A to B. Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's resources from A's users, isn't it?
- Do the migration.
- Remove the trust.
- Flip the pocket network firewalls back to block network A and allow network B.
- Let replication settle down, then transfer FSMOs back to their original locations.
- Misc. cleanup, like removing conditional forwarding.

Appreciate any fine-tuning of this scenario, thanks!
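The D-Day steps in Harvey's post (FSMO move, conditional forwarding, one-way forest trust with selective authentication, and the reversal afterwards), scripted as an added example. This is not code from the thread or from any of the posters; it uses the ActiveDirectory and DnsServer PowerShell modules plus netdom.exe and repadmin.exe, which post-date the 2006 thread. Every forest name, DC name, address and credential variable below is an assumed placeholder.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example, not from the thread. All names and addresses are assumed placeholders.

$ForestA     = 'corpa.example'              # Company A forest (multiple domains), assumed
$ForestB     = 'corpb.example'              # Company B forest (single domain), assumed
$DnsDcA      = 'dc01.corpa.example'         # any DNS-hosting DC in Forest A, assumed
$PocketDcB   = 'pocketdc01.corpb.example'   # Forest B DC in a Company A pocket network, assumed
$PocketDcBIp = '10.1.2.3'                   # its address as seen from Company A's network, assumed
$HomeDcB     = 'hqdc01.corpb.example'       # Forest B's original PDC/RID holder, assumed

# Step 1: move PDC Emulator and RID Master onto the pocket-network DC *before* the
# firewall flip, so trust setup and RID allocation keep working while the rest of
# Forest B is unreachable. Returns $true when both roles land on the target DC.
function Move-PdcAndRid {
    param([Parameter(Mandatory)][string]$TargetDc)
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
    $dom = Get-ADDomain -Identity $ForestB -Server $TargetDc
    return ($dom.PDCEmulator -eq $TargetDc -and $dom.RIDMaster -eq $TargetDc)
}

# Step 2: conditional forwarder A -> B. Stored in AD with forest-wide replication
# scope it is created once and replicates to every DNS server that is a DC in
# Forest A, so it does not have to be configured DC by DC.
function Add-ForestBForwarder {
    Add-DnsServerConditionalForwarderZone -Name $ForestB -MasterServers $PocketDcBIp `
        -ReplicationScope 'Forest' -ComputerName $DnsDcA
    # The B side is the mirror image, run against the pocket DC:
    # Add-DnsServerConditionalForwarderZone -Name $ForestA -MasterServers <A DNS IP> -ComputerName $PocketDcB
}

# Step 3: one-way forest trust with selective authentication. netdom's first argument
# is the trusting (resource) forest and /d: is the trusted (account) forest. The post
# describes B's resources being protected from A's users, so B is the trusting side
# here; swap the two if the approved direction is the reverse. /ud and /pd are the
# trusted-forest admin, /uo and /po the trusting-forest admin.
function New-OneWayForestTrust {
    param(
        [Parameter(Mandatory)][pscredential]$AdminA,   # Enterprise Admin in Forest A
        [Parameter(Mandatory)][pscredential]$AdminB    # Enterprise Admin in Forest B
    )
    netdom trust $ForestB /d:$ForestA /add /foresttransitive /selectiveauth `
        /ud:$($AdminA.UserName) /pd:$($AdminA.GetNetworkCredential().Password) `
        /uo:$($AdminB.UserName) /po:$($AdminB.GetNetworkCredential().Password)
    if ($LASTEXITCODE -ne 0) { throw "netdom trust failed with exit code $LASTEXITCODE" }
    # Read the trust object back from B's side; ForestTransitive and
    # SelectiveAuthentication should both be $true.
    return Get-ADTrust -Identity $ForestA -Server $PocketDcB
}

# Steps 5-8 after the migration: drop the trust, flip the firewalls back (out of
# band), check replication has converged, then return the roles and remove the forwarder.
function Undo-DDayChanges {
    param(
        [Parameter(Mandatory)][pscredential]$AdminA,
        [Parameter(Mandatory)][pscredential]$AdminB
    )
    netdom trust $ForestB /d:$ForestA /remove `
        /ud:$($AdminA.UserName) /pd:$($AdminA.GetNetworkCredential().Password) `
        /uo:$($AdminB.UserName) /po:$($AdminB.GetNetworkCredential().Password)
    Remove-DnsServerZone -Name $ForestB -ComputerName $DnsDcA -Force
    # Only after the pocket DCs can see home again: confirm replication is healthy,
    # then move PDC/RID back to their original holder.
    repadmin /replsummary $HomeDcB
    Move-ADDirectoryServerOperationMasterRole -Identity $HomeDcB `
        -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
}

# Usage on D-Day, from a host that can reach both $DnsDcA and $PocketDcB:
#   if (Move-PdcAndRid -TargetDc $PocketDcB) { Add-ForestBForwarder }
#   $trust = New-OneWayForestTrust -AdminA (Get-Credential) -AdminB (Get-Credential)
#   $trust.ForestTransitive; $trust.SelectiveAuthentication
```

Selective authentication does not hide anything in the trusted forest's directory; it only means that principals from the trusted forest can authenticate to a computer in the trusting forest when they hold the "Allowed to Authenticate" right on that computer object. So with B as the trusting side, B's admins still have to grant that right on the specific B servers the migration account needs, and nothing else in B is reachable from A through the trust.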
Thread: [ActiveDir] Forest trust & divestitures