AD Separation methodologies

  • Last Post 19 October 2016
skopuula posted this 10 October 2016

Hello everyone,
Hope you are doing good.
I'm working on a requirement where we have to do an Active Directory separation.
Would you please help with the possible standard methods for AD separation and the pros and cons of each method?
Thanks for your support
Best Regards,
SRK

skopuula posted this 14 October 2016

Hi All,
Any help on this?
Regards, Srinivas


darren posted this 14 October 2016

Srinivas-

I think you need to be a bit more specific. This is a very general request and I’m not even sure what it relates to. What do you mean by “AD separation”? Are you talking about “Red Forests”? Or something else?

Darren


skopuula posted this 14 October 2016

Hi Darren,
Thanks for the response.
We have an Active Directory with 100000 users (Parent Company), where we have to separate 20000 users to a new AD (New separated company) as part of a company de-merger.
I'm looking for possible methods to achieve this.
Regards, Srinivas





g4ugm posted this 14 October 2016

You haven’t said what, if any, links you need between the environments. If they are separate, they are separate, no problems. Problems occur when you need to access resources in one environment from the other.

Dave Wade


PARRIS posted this 14 October 2016

In this scenario, it is often not the seller's problem, but that of the buyer. Most companies just want a list of users who have been acquired by the new business and the data (subject to the applicable laws in force).

In your story, is it an internal split, and will you be supporting both environments?

What needs to be in the new AD environment?

Email?

Data?

Applications?

Regards,

Mark Parris

 


 

 



 


jeremyts posted this 14 October 2016

Yes, it can be a massive cost. You ask for the standard methods and pros and cons of each. But we need the goals of the de-merger from the business perspective, so we know what you need to end up with at an IT level.

After the de-merger, will it still be owned by the same parent company?

Does the de-merger include workstations/devices?

Do you need to maintain passwords?

If there is a new buyer, do they have an existing AD? What end state do they need for handover?

And as Mark points out, what about data, apps, email, etc?

Is ADMT the right tool?

With that many users I would assume you’d have some form of IAM product in place, like FIM/MIM. You could easily use that to provision a new AD.

So many questions

J

 


VolkerE posted this 14 October 2016

Oh yes, Jeremy is so right.

20.000 out of 100.000 and you have the list of users. Well, from that information base I would say.

I assume that software distribution, Exchange, file servers, print servers and so on also have to be split.

6-9 month project with a team not doing the split for their first time.

AD is the basis for all these services, so the other teams will be happy if you give them the SID history.

Therefore I would use ADMT or, if there is some more money, the Dell Migration Manager for Active Directory.

Other tips: Never do a domain split. Never!

BR,

Volker

 


skopuula posted this 15 October 2016

Hi Dave,
Thanks for the response. The link will be there during resource / data center migration. The trust will be removed after that. Once separation is completed they may not communicate with each other.
Regards, Srinivas





skopuula posted this 15 October 2016

Dear Mark,
Thanks for the response.
My scope is only to separate infrastructure. We have to separate all the resources (Email, Apps, SharePoint, Citrix, SCCM, data) along with AD.
Regards, Srinivas





VolkerE posted this 19 October 2016

Hi,

Sorry for the late reply.

- Build new Active Directory environment
- Install ADMT on separate server
- Configure password export server
- Test ADMT procedures
- Make a migration plan
  o Who can I migrate when?
  o Can I migrate all at the same time?
- Talk to the Exchange guys
- Freeze/Reduce number of changes in AD
- Migrate all user and group objects to the new forest for testing
  (Just objects, don't inform the user)
- Test
- Test
- Test

From this point I can't give real advice. It's too company specific.

Maybe it works for you to update:

- Migrate the users by groups by
  o Update user and group objects
  o Migrate computers to the new AD and update security and profiles
- Migrate servers and reACL them

That's it in a quick and dirty bullet point list.

 

 
