Re: [ActiveDir] splitting a domain into two

2006-09-19 Thread Jef Kazimer



Just to add some info here...

I am currently in the middle of an "integration" where one IT group
suggested splitting the network to clone the AD environment on both sides.

Thankfully this has been abandoned after being evaluated.

I believe Microsoft Consulting Services called this solution "Dangerous"
and "Disaster Prone", and more importantly, unsupported in a production
environment.

While this is a common scenario in a Prod to Isolated Lab replica, the
dangers are too great to have those domains talk to each other and potentially
wipe each other out.

If you are dealing with MCS, I can get you the case # for a company
who attempted this and had a disaster of a time, resulting in 10 days of
downtime. In the end, they were left with a limping AD, so it would
have to be rebuilt because no one was sure of its true state.

Jef


RE: [ActiveDir] splitting a domain into two

2006-09-18 Thread Rich Milburn








You said both sites have Internet connectivity, can you not configure replication
through a VPN between the sites? A lot of implementations have replication across
firewalls in that manner. And if not, what about dial-up between them? 700 users to
what, maybe 2000 objects – that's not a lot of replication traffic to keep the
DCs in the two sites in sync. I'd surely think that would be easier to work
out than breaking up your domain and dealing with the aftermath…

Rich

Re: [ActiveDir] splitting a domain into two

2006-09-18 Thread Kamlesh Parmar
Thanks, I have already been suggested that option in a private mail... and I think it
might be way more feasible than the earlier adventurous idea. :-)

Just in case someone needs it, here is the link for AD replication over VPN:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

--
Kamlesh

Re: [ActiveDir] splitting a domain into two

2006-09-16 Thread Kamlesh Parmar
Well :-)
I suppose you are looking at a tiny figure of 300 users, and why not choose option 1 straight away.
If only every IT manager was as forceful and articulate about the danger of short-term decisions as you are.
About migrating to the corporate domain, that is achievable as both sites are not going to get links simultaneously,
so whoever gets the link first gets migrated first, with security translation as the preferred method, and we basically have a policy to remove SID history along with demotion of the old domain. And here it will be serialized migration, one after another rather than simultaneous.

Assumption here being: once the trust with one domain is established, machines migrated, trust broken.
I suppose creating a trust again with the same domain name at a different site should not be an issue.

--
Kamlesh


Re: [ActiveDir] splitting a domain into two

2006-09-16 Thread Al Mulnick
Yeah. See the problem with that "policy" concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :)

That said, I would think it's extremely dangerous to try and break it like that. Although it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains, leaving you with a potentially difficult name resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well.

I think in this case, option 3 would be preferred:
3) Leave the domains alone and allow the break of network to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you. Remember that at that time, your replication will likely resume. Try to keep a change freeze as long as you can if the networks will be able to see each other.

It might not be a bad idea to check on the tombstone time and raise that if you can. WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to timing of WAN link configurations.

Be sure to communicate as much as possible about the risks and tradeoffs. That way you can stick your tongue out later and sing, "I told ya so!" at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.)

My $0.04 (USD) anyway.

Al
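As an added example of the tombstone check Al suggests above (editor's code, not from any poster in the thread): a PowerShell script that reads the forest's tombstoneLifetime, lists each DC's last successful inbound replication, and compares a planned isolation window (the constructed `$PlannedIsolationDays` value) against the lifetime. It assumes the ActiveDirectory module and Get-ADReplicationPartnerMetadata (Windows Server 2012 RSAT or later), not the 2006-era toolset the thread would have used.

```powershell
# Added example (not from the thread): compare the forest tombstone lifetime with
# the planned isolation window before the site-to-site WAN link is cut.
# Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

# Constructed value: days the two sites are expected to be unable to replicate
# (hub links one month apart in the thread, plus slack for the caveat that
# WAN links take longer to bring up than planned).
$PlannedIsolationDays = 45

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$ds       = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

# An absent attribute means the forest uses the default: 60 days for forests
# created before Windows Server 2003 SP1, 180 days for forests created later.
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
Write-Host "tombstoneLifetime: $tsl days (attribute set: $([bool]$ds.tombstoneLifetime))"

# Last successful inbound replication per DC and partner. Once the link is gone
# this is the clock that matters: a DC that stays disconnected longer than the
# tombstone lifetime will reintroduce lingering objects when replication resumes.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
    foreach ($m in $meta) {
        [pscustomobject]@{
            DC          = $dc.Name
            Partner     = $m.Partner
            LastSuccess = $m.LastReplicationSuccess
            DaysAgo     = [int]((Get-Date) - $m.LastReplicationSuccess).TotalDays
        }
    }
} | Format-Table -AutoSize

if ($PlannedIsolationDays -ge $tsl) {
    Write-Warning ("Planned isolation ($PlannedIsolationDays d) reaches the tombstone " +
        "lifetime ($tsl d). Raise it before cutting the link, e.g.`n" +
        "  Set-ADObject -Identity '$dsPath' -Replace @{tombstoneLifetime=180}")
} else {
    Write-Host "Headroom: $($tsl - $PlannedIsolationDays) days before lingering-object risk."
}
```

Raising the lifetime only buys time for the change freeze Al describes; it does not make two DCs that have each been modified in isolation safe to reconnect.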

RE: [ActiveDir] splitting a domain into two

2006-09-15 Thread joe



First impression: Yuck.

The main thing that caught my attention is the "migrate 
into a corporate domain at a later time". I assume you mean both of these 
"separated" domains would be migrated? If so, how do you plan to do the 
migration? You won't be able to have name res for the trusts, even if you could 
you would most likely run into SID issues if you maintained SID History. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] splitting a domain into two

Dear All,

Scenario: Single regional domain, two sites, both sites having separate links to
Internet and direct WAN connectivity with each other.
AD Integrated DNS
site1: 300 users
site2: 400 users

Now, due to restructuring, they have decided to get rid of WAN link joining the
two sites immediately, as both sites will have separate individual WAN
connectivity with some corporate hub site. And this domain will be migrated to
corporate domain in due course.

Problem here is the WAN connectivity to hub site will be commissioned at
different times (one month apart) and they want to get rid of WAN link joining
site1 with site2 NOW. Other problems like mail access and stuff will be handled
thru' Internet link.

Now issue is, what to do about AD Domain? as DCs will lose the direct network
connectivity.

Solution we are looking at is
1) Migrate one of the locations into separate domain, and thus break the
dependence of both sites on single domain.
2) Just break the network link as requested and here comes the crummy part :)
instead of migrating one of the site to new domain, you just split the domain
into two isolated networks, where each site DC will think it is the only DC
handling all the stuff for that domain.

Basically,
1) break the link
2) Point DC to themselves for DNS
3) seize all the roles
4) do meta data & DNS cleanup of other DC
net result: each DC believes they own the domain. Just make sure they don't talk
to each other directly ever.

Now, Any foreseeable issues with 2nd approach. Please don't include layer 8
issues ;), I am purely looking at technical feasibility and precautions if we go
ahead.

--
Kamlesh
~ Short-term actions X time = long-term accomplishments. ~