Just to add some info here..

I am currently in the middle of an "integration" where one IT group suggested splitting the network to clone the AD environment on both sides. Thankfully this has been abandoned after being evaluated.

I believe Microsoft Consulting Services called this solution "Dangerous" and "Disaster Prone", and more importantly, unsupported in a production environment.

While this is a common scenario in a Prod to Isolated Lab replica, the dangers are too great to have those domains talk to each other and potentially wipe each other out.

If you are dealing with MCS, I can get you the case # for a company who attempted this and had a disaster of a time, resulting in 10 days of downtime. In the end, they were left with a limping AD, so it would have to be rebuilt because its true state was not certain.
Jef
----- Original Message -----
Sent: Saturday, September 16, 2006 8:34 PM
Subject: Re: [ActiveDir] splitting a domain into two
Yeah. See, the problem with that "policy" concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :)

That said, I would think it's extremely dangerous to try and break it like that. Although it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains, leaving you with a potentially difficult name resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well.

I think in this case, option 3 would be preferred:

3) Leave the domains alone and allow the break of network to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you. Remember that at that time, your replication will likely resume. Try to keep a change freeze as long as you can if the networks will be able to see each other.

It might not be a bad idea to check on the tombstone time and raise that if you can. WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to timing of WAN link configurations.

Be sure to communicate as much as possible about the risks and tradeoffs. That way you can stick your tongue out later and sing, "I told ya so!" at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.)

My $0.04 (USD) anyway.
Al
On 9/16/06, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Well :-)

I suppose you are looking at a tiny figure of 300 users, so why not choose option 1 straight away.

If only every IT manager was as forceful and articulate about the danger of short-term decisions as you are.

About migrating to the corporate domain, that is achievable as both sites are not going to get links simultaneously, so whoever gets the link first gets migrated first, with security translation as the preferred method, and we basically have a policy to remove SIDHistory along with demotion of the old domain. And here it will be a serialized migration, one after another rather than simultaneous.

The assumption here being: once the trust with one domain is established, machines migrated, trust broken.

I suppose creating a trust again with the same domain name at a different site should not be an issue.
--
On 9/16/06, joe <[EMAIL PROTECTED]> wrote:

First impression: Yuck.

The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, and even if you could, you would most likely run into SID issues if you maintained SID History.
Dear All,

Scenario: Single regional domain, two sites, both sites having separate links to the Internet and direct WAN connectivity with each other. AD-integrated DNS. Site1: 300 users, site2: 400 users.

Now, due to restructuring, they have decided to get rid of the WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to the corporate domain in due course.

The problem here is the WAN connectivity to the hub site will be commissioned at different times (one month apart) and they want to get rid of the WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' the Internet link.

Now the issue is, what to do about the AD domain, as the DCs will lose the direct network connectivity?

Solutions we are looking at are:

1) Migrate one of the locations into a separate domain, and thus break the dependence of both sites on a single domain.

2) Just break the network link as requested, and here comes the crummy part :) instead of migrating one of the sites to a new domain, you just split the domain into two isolated networks, where each site's DC will think it is the only DC handling all the stuff for that domain.

Basically: 1) break the link 2) point the DCs to themselves for DNS 3) seize all the roles 4) do metadata & DNS cleanup of the other DC.

Net result: each DC believes it owns the domain. Just make sure they don't talk to each other directly ever.

Now, any foreseeable issues with the 2nd approach? Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
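Two pieces of advice in this thread translate into a concrete pre-change check: Al's suggestion to look at (and, if possible, raise) the tombstone lifetime before the WAN link goes away, and the question of which DC holds which FSMO role and how far each DC has drifted from its replication partners before anyone considers the seize-and-cleanup plan in Kamlesh's option 2. The script below is an added example written for this thread, not code from any poster or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later, which did not exist in 2006), Domain Admin rights, and a DC reachable from the machine running it; the function names are my own. It only reports; the one write it offers, `Set-TombstoneLifetime`, is the raise Al recommends and is left commented out.

```powershell
# Added example (not from the thread): pre-change report for an AD domain
# about to lose its inter-site link. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2+) and Domain Admin rights. Function names
# are hypothetical, chosen for this example.

Import-Module ActiveDirectory

# The tombstone lifetime is stored on the Directory Service object in the
# Configuration naming context (forest-wide setting).
function Get-DirectoryServicePath {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    return "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-TombstoneLifetime {
    $ds = Get-ADObject -Identity (Get-DirectoryServicePath) -Properties tombstoneLifetime
    # An unset attribute means the legacy default of 60 days applies
    # (forests created before Windows Server 2003 SP1); newer forests set it
    # explicitly, typically to 180.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

# Raising the value widens the window in which an isolated DC can still
# replicate safely once the links come back. Never lower it during an outage.
function Set-TombstoneLifetime {
    param([Parameter(Mandatory)][ValidateRange(2, 365)][int]$Days)
    Set-ADObject -Identity (Get-DirectoryServicePath) -Replace @{ tombstoneLifetime = $Days }
}

# Who holds the five FSMO roles today. With the link down, whichever site
# does not hold a role cannot perform the operations it guards (RID pool
# allocation, schema changes, and so on), which is what drives the urge to
# seize roles on both sides.
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Per-partner replication status for every DC, measured against the tombstone
# lifetime. A partner flagged PastTombstone must not be allowed to replicate
# back in; it has to be cleaned up and rebuilt instead.
function Get-ReplicationHealth {
    param([int]$TombstoneDays = (Get-TombstoneLifetime))
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName | ForEach-Object {
            $daysSilent = ((Get-Date) - $_.LastReplicationSuccess).TotalDays
            [pscustomobject]@{
                Server        = $_.Server
                Partner       = $_.Partner
                Partition     = $_.Partition
                LastSuccess   = $_.LastReplicationSuccess
                DaysSinceSync = [math]::Round($daysSilent, 1)
                Failures      = $_.ConsecutiveReplicationFailures
                PastTombstone = ($daysSilent -ge $TombstoneDays)
            }
        }
    }
}

# Report.
$tsl = Get-TombstoneLifetime
"Tombstone lifetime: $tsl days"
Get-FsmoRoleHolders | Format-List
Get-ReplicationHealth -TombstoneDays $tsl |
    Sort-Object DaysSinceSync -Descending |
    Format-Table -AutoSize

# Al's suggestion, applied before the link is cut (uncomment to run):
# Set-TombstoneLifetime -Days 180
```

Run it once before the link is removed and keep the output; when the hub links come up a month or more later, rerun it and compare `DaysSinceSync` against the tombstone lifetime before letting the two sides see each other again. The deliberate omission is any role seizure or metadata cleanup: those are the steps both joe and Jef warn about, and they are not something a pre-change script should automate.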