
Domain Controller Migration


i601254

IS-IT--Management
May 23, 2002
22
US
Currently have two DCs set up as two sites in one domain. They are currently set to replicate. DC A has three FSMO roles, DC B has the other two. Because of a recent acquisition, I need to split off DC A into a separate network which will serve a small separate group of users. Downtime for DC B is not an option. Here's my plan to this point:

Transfer FSMO roles from DC A to DC B. Set up a third temporary DC (C) to replicate Active Directory with DC A but not B. Once replication occurs between A and C, demote DC A so that DC B no longer tries to replicate with A. After I am sure that DC B is no longer trying to replicate with any other DC, promote server A back to DC and set to replicate with C. Once Active Directory is replicated from C to A, demote temporary DC C and remove from the network. If all goes well, I should have two DCs with copies of Active Directory serving two separate groups on the same domain.

Will this work???? Ultimately what will happen is that the current T1 connection between the dc A and B will be disconnected and each dc will be serving two separate groups of users.

I can't afford to lose active directory from dc A and that's why I decided to install temporary dc C. Is there a better way??

Thank you.
 
if i follow this, you want to isolate a domain controller in separate locations with a copy of active directory containing all users from the existing domain (and all active directory information).

currently you have 2 sites defined in AD, replicating on schedule. so all the FSMO roles will be on a DC in site B - which will then have dcA removed (demoted) and the site / subnet removed.

If you truly want to establish 2 unique Domains, then maybe just do that.

Does creating a new Domain in the now isolated site-A present problems? Are the few users in this domain needing to keep their SIDs?

Perhaps create a Child Domain from the Parent Domain for these users.

It sounds to me like you want 2 completely different networks. Never shall they meet...???

scottie

 
further thinking...
if both server A and B are identical hardware builds,

transfer the FSMO roles from dcA to dcB. Now B holds all FSMOs. Remove Site A from AD. So now, AD thinks it has one Site, one DC. Backup AD on tape, (image the machine if you can)... Restore box with this tape. Now box A thinks it's box B with all FSMO roles and AD that is a mirror of Site B... (i think getting the FSMO roles on two DCs as presented in your idea is not going to be possible, i could be wrong...) Domain name will be the same (be careful with internet presence..) add temp box in this new isolated site and dcpromo it. Move FSMOs, demote box B so you can rename it (if necessary), re-promo and transfer again, demote temp box C and remove.

just an idea

scottie
 
The problem is that these two new domains must remain connected, but not replicating until we get the word to disconnect. At that time the WAN connection between the two will be terminated leaving 2 separate, disconnected networks, each with their own domain controller and copy of active directory.

While I understand that user workstations will have to be joined to the newly created domain, that is a lot easier than losing all SIDs since their DC currently acts as a file server as well.
 
of course, you can NEVER have these servers communicating with each other... :)
 
I had the same idea as your second post BUT, there can only be one schema master and one domain naming master in the entire forest. The only thing I can think of is that this could be done immediately following the WAN disconnect (??)
 
i believe that you will have to encounter down-time at one location. if you had the resources, maybe create a duplicate system like a testlab. first, get all those fsmo roles on one server. then back up AD, maybe image if possible. restore this on a testlab server. image site b's dc, restore it on its equivalent in the testlab. now turn on the testlab, and reduce it down to 1 site and 1 dc. now, when the plug is pulled from site A, (or is it B... :) ), you can stick this box in place of the existing server at that location. after that, if you are using old pc's to make this happen, you can bring down the original server, rebuild it, join the domain.. dcpromo.. etc...

scottie
 
My idea was to take a backup server and install Win2k on it, configure it as a DC as a different domain. Backup AD from server A and restore that to the backup server. When we pull the plug, demote server A, configure it for the new domain, let it replicate AD from the backup server, then demote the backup server. The biggest question I have with that, though: is AD domain specific? Will copying AD from one domain to another cause problems?
 
this sounds like building a new forest and the first domain with the first dc. i would bet on some AD issues when you restore another forest's AD onto this server even if it is named accordingly.

perhaps the ADMT, Active Directory Migration Tool, can be of some use here.

check out this link:

 
You're absolutely right. Forgot about the migration tool! Thanks for all your help.
 