
"Isolating" domain controllers - short term impacts


wallst32

MIS
Apr 14, 2003
545
US
First of all, I do not agree this is a good solution, but it is not my call to make. There is a single domain with 5 domain controllers. The proposed plan is to retire 2 of these systems and isolate the remaining 3. By isolate, I mean they will be on different networks and never communicate with each other again. All 3 will have the FSMO roles seized onto them. So essentially there are 3 "new" domains, all with the same descriptive name and resources (user accounts, computers, etc.).

All the servers which were part of the single domain will all be moved to one of the 3 domains.

All workstations will be moved to a 4th domain. But they will still need to access resources in any of the 3 other domains. There will be no trust relationships setup.

At what point will the 3 original domains become out of sync with each other? Assuming the domain is called DOMAIN, at some point the user account DOMAIN\JDOE will continue to authenticate with only one of the domains, but not the other two, correct?

Don't ask me why it's being done this way, but this is the current proposed plan.
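A check for the situation described in this post, added here as an example and not part of the original thread: once the three controllers stop replicating, every copy of DOMAIN still carries the same domain SID and the same account SIDs, but any change accepted by one DC (a password reset, a lockout, a new account) never reaches the other two. The script below queries each isolated DC for its FSMO holders and for the state of one account, so the divergence the question asks about becomes visible. It assumes the RSAT ActiveDirectory module and uses DC1, DC2, DC3 and the account name jdoe as placeholder values.

```powershell
# Added example: compare the three isolated copies of DOMAIN.
# Assumptions: RSAT ActiveDirectory module is installed; DC1/DC2/DC3 are placeholder
# hostnames for the three retained controllers; jdoe is the sAMAccountName of DOMAIN\JDOE.
Import-Module ActiveDirectory

$dcs       = @('DC1', 'DC2', 'DC3')   # placeholder hostnames of the three isolated DCs
$probeUser = 'jdoe'                   # the account from the question, DOMAIN\JDOE

$report = foreach ($dc in $dcs) {
    try {
        $dom  = Get-ADDomain -Server $dc -ErrorAction Stop
        $user = Get-ADUser -Identity $probeUser -Server $dc `
                           -Properties pwdLastSet, whenChanged, lockoutTime -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc
            DomainSID   = $dom.DomainSID.Value        # identical on all three: same original domain
            PDC         = $dom.PDCEmulator            # after seizure each DC claims the roles itself
            RIDMaster   = $dom.RIDMaster
            InfraMaster = $dom.InfrastructureMaster
            UserSID     = $user.SID.Value             # identical too; only the attributes drift
            PwdLastSet  = [DateTime]::FromFileTime($user.pwdLastSet)
            WhenChanged = $user.whenChanged
            LockedOut   = ($user.lockoutTime -gt 0)
        }
    } catch {
        # An unreachable DC is reported rather than aborting the whole comparison
        [pscustomobject]@{ DC = $dc; DomainSID = "unreachable: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize

# Divergence check: if PwdLastSet differs between reachable DCs, one copy has accepted a
# password change the others never received, so DOMAIN\JDOE now authenticates against
# only that copy with the new password.
$distinctPwd = ($report | Where-Object PwdLastSet |
                Select-Object -ExpandProperty PwdLastSet -Unique).Count
if ($distinctPwd -gt 1) {
    Write-Warning "$probeUser has diverged: password state differs between the isolated DCs"
}
```

Run it from a host that can reach all three networks, or run it once per network and merge the output by hand. Because the domain SID is shared, the report also documents the security problem with this plan: three independent directories issue tokens with identical SIDs, so any resource that later sees both would be unable to tell the copies apart.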

 
Huh?? Do what??

There will be no trust relationships setup.

Without trusts you won't be able to access info in the other 'domains' (unless terminal services is used I suppose). You won't even be able to create trusts as the domain and netbios names will be the same in all these 'domains'.

I really don't understand what is trying to be achieved here but based on your initial post I cannot see that idea ever working. Perhaps you could tell us what is trying to be achieved....


Paul
MCSE


If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
You don't need a trust to access resources in other domains. You just need to explicitly authenticate.

For example, if I have DOMAINA and DOMAINB, and I have user accounts called DOMAINA\JDOE1 and DOMAINB\JDOE2:

- from DOMAINA I can authenticate to resources in DOMAINB with my DOMAINB\JDOE2 account, and vice versa.
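The explicit authentication described in this reply, shown as an added example rather than anything from the thread: a DOMAINA workstation maps a DOMAINB share by supplying DOMAINB credentials, and the connection is validated by DOMAINB's own controller, which is why no trust is involved. The server name fs01.domainb.local and the share name Data are assumptions. In the split described in the question, where all three copies are still called DOMAIN, the same mechanism applies: a `DOMAIN\JDOE` credential is checked only by whichever copy the target server belongs to, so the password has to match that copy's state.

```powershell
# Added example: reach a share in DOMAINB from a DOMAINA workstation with no trust,
# by supplying DOMAINB credentials explicitly.
# Assumptions: fs01.domainb.local hosts a share named Data; JDOE2 exists only in DOMAINB.
$cred = Get-Credential -UserName 'DOMAINB\JDOE2' -Message 'Credentials for DOMAINB'

# Map the share under those credentials. The SMB server hands the logon to its own
# domain's DC; the workstation's DOMAINA membership plays no part.
New-PSDrive -Name B -PSProvider FileSystem -Root '\\fs01.domainb.local\Data' `
            -Credential $cred -ErrorAction Stop | Out-Null
Get-ChildItem -Path 'B:\' | Select-Object -First 5

# Verify which account the session actually runs as: Credential shows DOMAINB\JDOE2,
# not the DOMAINA user logged on to the workstation.
Get-SmbConnection -ServerName 'fs01.domainb.local' |
    Select-Object ServerName, ShareName, UserName, Credential

# Without a trust there is no single sign-on: every server in every other domain needs
# its own explicit mapping, and the user carries a separate password for each domain.
Remove-PSDrive -Name B
```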
 
Yeah ok.

But correct me if I've misunderstood. You are taking 3 domain controllers and splitting them up, seizing roles on each one and I assume cleaning up the metadata on them as well. So you will then have 3 domains all with the same domain name??



Paul
MCSE


If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
What you are being told to do is completely asinine, pardon my French.

What you need to tell the powers that be (after telling them to stuff it) is that you need to create three disparate domains, and then set up a trust relationship among them so that users from all three domains will be able to have proper security identifiers set up and proper accesses granted through NTFS permissions.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Wallst32....
Current Plan..<lol>
I suggest you procure employment at another firm; the powers that be in your place thrive on ignorance and ineptitude. Their knowledge of Active Directory likely resulted from a 45-minute lecture at the nearest IT trade show.
I wonder how long it took them to come up with this totally absurd scenario?



........................................
Chernobyl disaster..a must see pictorial
 
So if they do this, what are you actually doing with the member servers, i.e. for data, printing etc.?


 