How independent can a subdomain be, and how long before its parent forgets its identity?

Last Post 14 April 2016
Zoran posted this 14 April 2016

Hi guys,

I would like to know what happens inside a subdomain if it gets disconnected from its parent domain in terms of internal Kerberos operations (computer/user logons, password management, permissions etc)?

I understand that functionality dependent on forest-level FSMO roles would be unavailable for the time the subdomain is disconnected.

Also what happens with AD replication once the subdomain is reconnected back and how long it can be detached without losing any replication functionality in regard to its parent domain?

Please point to some documentation for further research.

Thanks

Zoran

PARRIS posted this 14 April 2016

Think as independent as your Liver and Kidneys are, but try removing one of them and see how you get on.

Regards,

Mark Parris
Active Directory & Azure Consultant
MVP Enterprise Mobility | MCM Directory Services
Mobile: +44 7801 690596
E-mail: mark@xxxxxxxxxxxxxxxx


Zoran posted this 14 April 2016

Thanks Jorge.


ZJORZ posted this 14 April 2016

This is not something you should easily. The things I mentioned are basically Windows/AD, and the list I mentioned is far from complete. You also have to take into account all the services running in that domain and how those will behave. If you need/want more security, migrate to a separate forest.

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
E-mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
Phone: +31 (0)6 26.26.62.80


webster posted this 14 April 2016

“should”

Webster


Zoran posted this 14 April 2016

Thanks Jorge. It's a security related scenario I was asked about.

So if the tombstone lifespan is 180 days and the subdomain is reconnected within 180 days, basically everything should work as before?

ZJORZ posted this 14 April 2016

  • After the tombstone lifetime, lingering objects will be your headache and replication breaks
  • Cross-authentication to other domains in the same forest won’t work
  • Cross-forest authentication when using a forest trust won’t work
  • Time sync breaks
  • No schema changes
  • Tons of errors in DC DS logs

This was just what I could think of in 10 secs, and there is probably more. Why would you want to do this?

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
E-mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
Phone: +31 (0)6 26.26.62.80


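The tombstone lifetime is the hard limit behind the "reconnected within 180 days" question above, but 180 is only the default for forests created on Windows Server 2003 SP1 or later; older forests may have the attribute unset and fall back to 60 days. The following PowerShell check is an added example, not code from any poster on this thread. It reads the forest's actual tombstoneLifetime from the Directory Service object and reports how long each inbound replication partner of a domain controller has been silent relative to that limit, so a detached child-domain DC is noticed well before lingering objects appear. It assumes the ActiveDirectory module, a domain-joined account that can read the configuration partition and replication metadata, and a constructed warning threshold of 50 percent of the tombstone lifetime.

```powershell
# Added example (not from the thread): compare replication-partner silence
# against the forest tombstone lifetime to catch a detached DC in time.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $rootDse  = Get-ADRootDSE
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $dsObject = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # If the attribute is not set (forests created before 2003 SP1), AD uses 60 days.
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    return 60
}

function Get-StaleReplicationPartners {
    param(
        # DC whose inbound partners are inspected; defaults to any discoverable DC.
        [string]$Server,
        # Constructed threshold: warn once silence exceeds this share of the lifetime.
        [int]$WarnAtPercent = 50
    )
    if (-not $Server) {
        $Server = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
    }
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date

    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server | ForEach-Object {
        if ($_.LastReplicationSuccess) {
            $silentDays = ($now - $_.LastReplicationSuccess).TotalDays
        } else {
            # Never replicated successfully: treat as beyond the limit.
            $silentDays = [double]::PositiveInfinity
        }

        if ($silentDays -ge $tsl) {
            $status = 'BEYOND TSL - lingering objects likely'
        } elseif ($silentDays -ge ($tsl * $WarnAtPercent / 100)) {
            $status = 'WARNING'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Partition     = $_.Partition
            Partner       = $_.Partner
            LastSuccess   = $_.LastReplicationSuccess
            SilentDays    = if ([double]::IsInfinity($silentDays)) { 'never' } else { [math]::Round($silentDays, 1) }
            TombstoneDays = $tsl
            Status        = $status
        }
    }
}

# Usage: run against the nearest DC and list the quietest partners first.
Get-StaleReplicationPartners | Sort-Object LastSuccess | Format-Table -AutoSize
```

Run it from the parent domain with `-Server` pointing at a parent-domain DC to see how long the child-domain partners have been out of contact, and again from a child-domain DC for the reverse view; the `Partition` column separates the domain partition (which only the child's DCs replicate) from the schema and configuration partitions that every DC in the forest shares, which is where a long-detached child first causes forest-wide trouble.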