Domain Split

Status
Not open for further replies.

Lukey | Technical User | Joined: Jul 5, 2000 | Messages: 103 | Location: GB
I have a single domain across two separate offices. One office has been sold and we need to cut the link between them. There is a DC at each office. I want to keep the same domain at both offices to start with (they will never be joined again).
Am I right in thinking that I will need to cut the link and then seize the FSMO roles for the server that doesn't hold them? As long as both servers cannot see each other, both hold FSMO roles and are both Global Catalog servers, users should be able to log on... I think...
I have never done this before and would be grateful if someone could confirm whether this will work.
Thanks
 
Hmm... well, while this would work, it's dirty! If you clean up the metadata, you should be ok. Remember that you are leaving a copy of your SAM file over in an office no longer controlled by you or your staff, so you will want to change your passwords and your service accounts, etc.

If you are going to do it this way, consider moving all of the roles to the server that you will maintain and once split, seize the roles on the other side.

So, to answer your question... yes, this should work just fine, but it's not very clean. If you are comfortable with restoring a Domain Controller it would be even more preferable to back up the "sold" domain controller, transfer the roles, demote it, sever the link and restore it.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
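
Added example, not part of any post in this thread: a PowerShell check for the password rotation recommended in the reply above, listing accounts whose password has not changed since the split. The function name, the cut-over date and the sample accounts are constructed for illustration; on a live domain the input would come from `Get-ADUser` in the ActiveDirectory module.

```powershell
# Added example. Function name, dates and accounts are constructed.
function Get-PreSplitCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,

        [Parameter(Mandatory)]
        [datetime]$SplitDate
    )
    process {
        # Skip accounts whose password was set on or after the split.
        # A missing PasswordLastSet is treated as "not rotated".
        $lastSet = $Account.PasswordLastSet
        if ($null -ne $lastSet -and $lastSet -ge $SplitDate) { return }

        # Numeric prefixes make the most sensitive secrets sort first.
        $kind = '3-user'
        if ($Account.ServicePrincipalName) { $kind = '2-service' }
        if ($Account.SamAccountName -eq 'krbtgt') { $kind = '1-krbtgt' }

        [pscustomobject]@{
            Kind            = $kind
            SamAccountName  = $Account.SamAccountName
            Enabled         = $Account.Enabled
            PasswordLastSet = $lastSet
        }
    }
}

$split = [datetime]'2024-03-01'   # constructed cut-over date

# Constructed sample records shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'krbtgt';     Enabled = $false; PasswordLastSet = [datetime]'2019-06-12'; ServicePrincipalName = @('kadmin/changepw') }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true;  PasswordLastSet = [datetime]'2021-01-04'; ServicePrincipalName = @('MSSQLSvc/db01.example.test:1433') }
    [pscustomobject]@{ SamAccountName = 'alice';      Enabled = $true;  PasswordLastSet = [datetime]'2024-03-02'; ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'bob';        Enabled = $true;  PasswordLastSet = $null;                  ServicePrincipalName = @() }
)

$sample | Get-PreSplitCredential -SplitDate $split | Sort-Object Kind | Format-Table -AutoSize

# On a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties PasswordLastSet, ServicePrincipalName |
#     Get-PreSplitCredential -SplitDate $split | Sort-Object Kind
```

Every row the check returns is a credential that is still identical in the copy of the directory held at the other office.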
 
Thanks very much for your quick replies. I completely agree that it is a bit of a dirty fix although I have a week to do it and it isn't actually the office that I manage. I just needed to come up with a way that 150 users could still login without noticing a difference really. After a month, they are all being moved to a new office and separate domain anyway.
I just wanted to check that this should work in theory.

Many thanks
 
If you're a publicly held US company, I wouldn't do that. SOX compliance issues would prevent such a plan from even being considered. Even if SOX or other regulatory requirements don't stop you, the security implications of your plan are numbing.

What you need to do is stand up a new forest and domain(s), then migrate the users.

Gotta hate divestitures.

 
xmsre - thanks very much for your reply. As I said before, I understand both the security implications and the poor nature of the fix, although I really don't have a choice at this stage. I will only get chance for one more site visit and the connection to the other DC is to be stopped at the end of next week.

Thanks
 