If I were the security officer for Company B, I would have real issues with this plan. Most companies with sufficient understanding of AD security would not want any of their DCs placed in any location where the other company's network is still active (i.e. DCs from Company A and Company B on the same network). That's different in a merger, where the full IT infrastructure will be merged anyway. But you're talking about a divestiture of a PART of a company.

The plan you're describing doesn't really scale well over time. Not sure if you're considering the issues you'll be experiencing during the migration: how long are you willing to run forest B without PDC/RID etc.?

What I've done in similar situations is to implement an interim forest:

Step 1: Implement interim Forest C in Company A's network and migrate objects and resources from the divested BU over from Forest A to C. Test that the divested BU works in Forest C and that the other Company A BUs continue to work fine as well. Potentially change the naming convention of objects to that of Company B during the migration to Forest C. Troubleshoot as necessary.

Step 2: When ready, separate the network of Forest C from Company A and integrate it with the network from Company B.

Step 3: With sufficient time for planning the integration, migrate objects and resources from Forest C to B. If not done previously, adjust the object naming convention during this migration.

This sounds like a whole lot of extra work, but usually it pays off: it is the most secure way to separate the divested part of the company and doesn't put either company at (unwanted) risk. It also gives you more flexibility on when to do which step and won't cause any issues with either of the operational forests.

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harvey Kamangwitz

Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from Company A to Company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players, so it can be done.)

- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.
- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. All forest B pocket network DCs can talk to each other as well as back home.

D-Day:

- Transfer PDC and RID FSMOs to one of Company B's pocket network DCs. (See next step for why.)
- Firewall off communication to Company B's network, and open up comm to Company A's network. This will make for a temporarily unhappy Company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the Company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration. There should now be a functional Company B forest on Company A's network (though it'll be complaining about missing DCs).
- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.
- Establish the forest trust from A to B. Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's resources from A's users, isn't it?
- Do the migration.
- Remove the trust.
- Flip the pocket network firewalls back to block network A and allow network B.
- Let replication settle down, then transfer FSMOs back to their original locations.
- Misc cleanup, like removing conditional forwarding.

Appreciate any fine-tuning of this scenario, thanks!
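Added example, not code from either poster and not an endorsement of the D-day plan over the interim-forest approach: the mechanics Harvey lists (FSMO transfer, conditional forwarders, one-way forest trust with selective authentication, teardown) as PowerShell against the ActiveDirectory and DnsServer modules and the System.DirectoryServices.ActiveDirectory Forest class. All forest, host and IP names are placeholders. Two points the example makes concrete: an AD-integrated conditional forwarder created with -ReplicationScope Forest is replicated to every DNS-serving DC in that forest, so it does not have to be configured per server; and selective authentication is a property of the trusting side of the trust, limiting which accounts from the trusted forest may authenticate to the trusting forest's computers (those granted "Allowed to Authenticate"), so what it protects depends on which forest is trusting.

```powershell
# Added example, not code from the thread. Placeholder names throughout:
# forest A root = corp-a.example, forest B = corp-b.example,
# B-DC01 = the forest B DC landed in a Company A pocket network,
# B-DC-HOME = forest B's original FSMO holder, A-DC01 = a DC/DNS server in forest A.
# Run each phase from an account holding the relevant rights in that forest.

Import-Module ActiveDirectory
Import-Module DnsServer
Add-Type -AssemblyName System.DirectoryServices

$forestA  = 'corp-a.example'
$forestB  = 'corp-b.example'
$pocketDC = 'B-DC01.corp-b.example'
$homeDC   = 'B-DC-HOME.corp-b.example'
$aDnsHost = 'A-DC01.corp-a.example'
$forestBPocketIPs = @('10.20.0.11', '10.20.0.12')   # placeholder addresses of B's pocket DCs
$forestADnsIPs    = @('10.10.0.5',  '10.10.0.6')    # placeholder addresses of A's DNS servers

# --- D-day, forest B: move only PDC Emulator and RID Master to the pocket DC ---
Move-ADDirectoryServerOperationMasterRole -Identity $pocketDC `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Confirm the roles landed where expected before the firewall flip.
$dom = Get-ADDomain -Identity $forestB
if ($dom.PDCEmulator -ne $pocketDC -or $dom.RIDMaster -ne $pocketDC) {
    throw "FSMO transfer incomplete: PDC=$($dom.PDCEmulator) RID=$($dom.RIDMaster)"
}

# --- DNS: AD-integrated conditional forwarders, replicated forest-wide ---
# -ReplicationScope Forest stores the forwarder in the forest DNS application
# partition, so every DNS-serving DC in that forest picks it up automatically.
Add-DnsServerConditionalForwarderZone -Name $forestB -MasterServers $forestBPocketIPs `
    -ReplicationScope 'Forest' -ComputerName $aDnsHost
Add-DnsServerConditionalForwarderZone -Name $forestA -MasterServers $forestADnsIPs `
    -ReplicationScope 'Forest' -ComputerName $pocketDC

# DC locator records must resolve in both directions before the trust is attempted.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forestB" -Type SRV -Server $aDnsHost | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forestA" -Type SRV -Server $pocketDC | Out-Null

# --- Trust: one-way, built one side at a time with a shared trust password ---
# Outbound on A (A trusts B) matches the "one-way outgoing trust" in the post;
# swap the two directions if the migration tool needs B to trust A instead.
$trustPassword = Read-Host -Prompt 'One-time trust password (exchange out of band)'
$ctxA = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forestA)
$ctxB = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forestB)
$fA = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxA)
$fB = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxB)

$fA.CreateLocalSideOfTrustRelationship($forestB, 'Outbound', $trustPassword)   # run in forest A
$fB.CreateLocalSideOfTrustRelationship($forestA, 'Inbound',  $trustPassword)   # run in forest B

# Selective authentication is set on the trusting side (A here): B accounts can then
# authenticate only to A computers on which they hold "Allowed to Authenticate".
$fA.SetSelectiveAuthenticationStatus($forestB, $true)
$fA.VerifyOutboundTrustRelationship($forestB)    # throws if the trust is not usable

# ... migration runs here ...

# --- Teardown, in the reverse order of setup ---
$fA.DeleteLocalSideOfTrustRelationship($forestB)
$fB.DeleteLocalSideOfTrustRelationship($forestA)
Remove-DnsServerZone -Name $forestB -ComputerName $aDnsHost -Force
Remove-DnsServerZone -Name $forestA -ComputerName $pocketDC -Force

# After the pocket firewalls are flipped back: wait until replication is clean,
# then return the two roles to their original holder.
$failures = Get-ADReplicationFailure -Target $forestB -Scope Forest
if ($failures) { throw 'Replication failures remain; do not move the FSMO roles yet' }
Move-ADDirectoryServerOperationMasterRole -Identity $homeDC `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
```

The trust is created with CreateLocalSideOfTrustRelationship on each forest separately so that neither side needs administrative credentials in the other, which is the least-contact arrangement the original post asks for; the trust password is used once and never stored.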
Thread: [ActiveDir] Forest trust & divestitures (Harvey Kamangwitz; replies from Al Mulnick, Guido Grillenmeier and Jorge de Almeida Pinto)