RE: [ActiveDir] Forest trust & divestitures

[Grillenmeier, Guido]

I didn’t read Harvey’s comment “ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back” as something that already exists today.  I would have thought is part of his plan and that today there are no DCs from Company B in any of Company A locations.   So we’re using different assumptions in our discussion – Harvey, can you clarify?   Also note Jorge’s very valid comment on responsibility: the interims forest C has a clear hand-over of responsibility of the BU being divested.   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, October 11, 2006 3:12 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Forest trust & divestitures   Agreed that the risk is there.  Good idea to spell it out, but I got the sense that much gnashing of teeth was already had over the decision to create a one-way trust or not.   And because the dc's already share a network (even though firewalled from time to time) I'm not seeing how the forest C topology helps to mitigate the risk you describe? They'll still have possession of a DC from a previously trusted (and therefore suspect) forest. No difference there. Unless Forest A keeps control of the "demilitarized" forest C. But then how does Forest B learn to trust them? :)   In any event, I see a double migration without much mitigation of risk nor benefit. I'm guessing I'm missing something in the description of the problem else not asking the right question(s).    I'm curious if that's the case?    If so, is there more information to be aware of in this scenario that can be shared?     On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: Al, what risk has been assumed?  You're assuming everyone understands all the potential risks of binding two AD infrastructures together as suggested, and that we're all playing nice to another?  I'm not assuming that.    I'm always assuming that there is potential for the bad guys to be around. And if they are, the original plan allows the wrong people (read: Admins of Domain A) to have access to DCs of Domain B. And potentially also the other way around. Not good. Unless merger and we're talking the same company – but that's not the case here – these are two different companies.   A firewall doesn't protect from a compromised DC, especially if you bring that DC back into your production forest…   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, October 10, 2006 11:44 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Forest trust & divestitures   curious.    I'm not seeing the same things as Guido here.    PDC/RID will remain on the forest, but it will be blocked for the duration of the migration while A forest and B forest are not firewalled in that one site. (as I read it).   But what makes me curious is this: The risk has already been assumed.  What is the advantage here of adding forest C? I see that it's extra steps, but I don't see the connection to the drawn out go-at-your-own-pace migration.   I'm interested in having it spelled out for me though.  Please. :)   On 10/10/06, Harvey Kamangwitz <[EMAIL PROTECTED]> wrote: I certainly wouldn't allow it if I were security either, but they said it was okay. Probably has something to do with the fact the acquisition will almost double the size of the company :).   The interim forest is a great idea. I had intended to bring up a test forest to dry-run the migration in company A environment, but I didn't follow the train of thought through to suggest that the actual migration be done to that forest, and moved to the target company.   On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED] > wrote: If I were the security officer for Company B, I would have real issues with this plan.   Most companies with sufficient understanding of AD Security would not want any of their DCs placed in any location where the other company's network is still active (i.e. DCs from company A and company B on same network). That's different in a merger, where the full IT infrastructure will be merged anyways. But you're talking about a divestiture of a PART of a company.   The plan you're describing doesn't really scale well over time – not sure if you're considering issues you're experiencing during the migration – how long are you willing to run forest B without PDC/RID etc?   What I've done in similar situations is to implement an interims forest. Step 1: implement Interims Forest C in Company A's network & migrate objects and resources from divested BU over from Forest A to C. Test that the divested BU works in Forest C and that other Company A Bus continue to work fine as well. Potentially change naming convention of objects to that of Company B during the migration to Forest C. Troubleshoot as necessary. Step2: when ready separate network of Forest C from Company A and integrated it with network from Company B Step3: with sufficient time for planning the integration, migrate objects and resources from Forest C to B. If not done previously, adjust naming of objects convention during this migration.   This sounds like a whole lot of extra work, but usually it pays off: it is the most secure way to separate the divested part of the company and doesn't put either company at (unwanted) risks.  It also gives you more flexibility on when to do which step and won't cause any issues with either of the operational forests.   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harvey Kamangwitz Sent: Monday, October 09, 2006 7:58 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Forest trust & divestitures   Hi all,   I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)   - ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.   - ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back   to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day.   All forest B pocket network DCs can talk to each other as well as back home.   D-Day: - Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)   - Firewall off communication to company B's network, and open up comm to company A's network.   This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly,   it'll make the PDC available on the company A network for the forest trust setup and the RID master also available   to hand out more RIDs during the migration.   There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).   - Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.   Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.   - Establish the forest trust from A to B.   Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's   resources from A's users, isn't it?   - Do the migration.   - Remove the trust   - Flip the pocket network firewalls back to block network A and allow network B.   - Let replication settle down, then transfer FSMOs back to their original locations.   - misc cleanup, like removing conditional forwarding     Appreciate any fine-tuning of this scenario, thanks!