4

I am currently trying to find the most efficient way to split a single domain into two, distinct, fully functional domains.

We have two sites, and several DCs. The sites, Site A and Site B, are connected by means of a VPN tunnel. Site A contains 3 DCs, including the DC which holds all of the FSMO roles. Site B simply contains 1 single DC, as well as some client workstations. Exchange is not installed on this domain, as both sites use a cloud-based email service. Due to organizational changes within the business, both sites are now going to be completely separate entities, controlled and managed by different parties. As such, we need to find a way to implement this change in AD. Obviously, one way to do this would be to simply create a new domain at Site B, and migrate the required data from Site A to Site B using ADMT or some 3rd party tool. However, I understand that we'd need some additional server hardware in order to do this, and an ADMT migration does not look like a simple process.

My current plan is this: simply kill the VPN connection between Site A and Site B. Seize ALL of the FSMO roles onto the DC at Site B. Clean up any remnant issues on the domain controllers. If all goes according to plan, we should end up with two identical, functional domains, and both sites can go on with their lives. On each domain, we'd just remove any traces of the other DCs, as if these machines had simply failed.

I know it's unconventional, but is this a completely terrible idea? Are there any caveats here that I should be aware of which would prevent this from working the way I expect? Has anyone tried anything like this before?

Update: For those interested, we did in fact end up going with this plan. Several weeks in, we have had no issues so far. Obviously there is some risk to this, given the fact that it's unsupported by Microsoft, so I wouldn't recommend this solution to anyone as a first option. However, for those aware of the risks and short on time / resources as we were, know that it is possible to physically split the network and end up with two identical working domains after cleanup / role seizure. Having reduced a full AD migration to about one hour of work, we are pleased with the decision so far. Only time will tell whether or not this was the right choice.

netnovice
  • 41
  • 2
  • I've never gone down that path, but I think your idea would work OK as long as you don't have any DNS (split DNS) issues that would constrain it. However, you'll also want to make sure that intellectual property issues are worked out as well for data/accounts/personal info that might be on both ends and shouldn't. You'll have to kill the VPN first and then seize the roles on both ends and do the metadata cleanup, but yeah, interesting idea that should work. – TheCleaner Oct 24 '14 at 19:39
  • 4
    Sounds like a bad idea. Something fun for a lab, but not fit for real life. It should work, but you never know what's going to happen down the road. If you do go ahead with this somewhat ill-conceived idea, be sure to reset the `krbtgt` hashes on both ends when it's all done. – Evan Anderson Oct 24 '14 at 19:44
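The plan in the question plus the two caveats from the comments (cut the VPN first, seize and clean up, then reset krbtgt) as one PowerShell script, added here and not part of the original question or answers. It assumes the surviving Site B DC runs Windows Server 2008 R2 or later with the ActiveDirectory module, the host names are placeholders, and the same steps are repeated at Site A with the names swapped.

```powershell
# Added example, not from the question or answers. Assumes the surviving Site B DC runs
# Windows Server 2008 R2 or later with the ActiveDirectory module; host names are placeholders.
Import-Module ActiveDirectory

$SurvivingDC = 'SITEB-DC1'                               # DC that keeps Site B's copy of the domain
$OrphanedDCs = 'SITEA-DC1', 'SITEA-DC2', 'SITEA-DC3'     # DCs now on the far side of the cut VPN

# 1. The split is only safe if Site A is genuinely unreachable. If replication could ever
#    resume, two independent sets of DCs would collide over one domain, so stop here.
foreach ($dc in $OrphanedDCs) {
    if (Test-Connection -ComputerName $dc -Count 1 -Quiet) {
        throw "$dc is still reachable; cut the VPN before seizing any roles."
    }
}

# 2. Seize all five FSMO roles onto the surviving DC. -Force seizes instead of transferring,
#    which is what you want when the current role holders will never be contacted again.
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDC -Server $SurvivingDC -Force `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Metadata cleanup: remove the orphaned DCs' server/NTDS Settings objects from this
#    half of the forest, exactly as you would for DCs that had failed permanently.
$ConfigNC = (Get-ADRootDSE -Server $SurvivingDC).configurationNamingContext
foreach ($dc in $OrphanedDCs) {
    $server = Get-ADObject -Server $SurvivingDC -SearchBase $ConfigNC `
        -LDAPFilter "(&(objectClass=server)(cn=$dc))"
    if ($null -ne $server) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit
    }
}

# 4. Both halves still share the same krbtgt key, so either side could mint Kerberos tickets
#    the other would accept. Reset it here (AD ignores the value supplied and generates its
#    own random key). Run this step twice, at least 10 hours apart (the maximum ticket
#    lifetime), because the KDC keeps honouring the previous key until a second reset drops it.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$throwaway = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Server $SurvivingDC -Reset -NewPassword $throwaway

# 5. Confirm every role now lives on the surviving DC before letting clients back in.
Get-ADDomain -Server $SurvivingDC | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server $SurvivingDC | Select-Object SchemaMaster, DomainNamingMaster
```

Stale DNS records for the orphaned DCs and the now-empty site and site link objects still have to be removed by hand afterwards; the script only handles what the comments call out.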

1 Answer

4

It's not recommended at all to do it the way that you are asking about, especially if there is a chance that machines from either domain will ever have network connectivity to each other again. There's some operational and security risk for this plan.

That said, it's possible to go with your plan, pretty much exactly as you described. Assuming that AD is healthy and there's no DNS overlap (as TheCleaner mentions), it should work OK.

I wouldn't recommend it to anyone to do it that way though - ADMT into a new domain in site B is definitely the right way to go.

Besides, Windows 2003 is damned old and is almost out of support. Set up a new server in B with Win2012 and do this right.

mfinni
  • 36,144
  • 4
  • 53
  • 86