Reverse Merger or Split of Active Directory

  • Last Post 11 August 2015
BrianB posted this 04 August 2015

All: I am in the beginning throes of trying to plan for a split of our AD environment. We have a significant portion of our organization that is moving away from the University into the corporate world. We currently share one AD environment, but that will need to split in the near future. We anticipate that applications will take much longer to migrate to one side or the other. Our Identity management solution will eventually have to be split too.

  I am not able to describe the effort well enough in this email but I am sure some of you understand the undertaking. I liken it to a Reverse-merger.

  Does anyone know of any guidance that Microsoft may have pertaining to this? I have seen documentation about how to acquire or merge AD environments, but what I am describing is the reverse of that. I was hoping that Microsoft might have a job aid or whitepaper on this topic that can provide a good source of information for planning and implementation.

  This is not an advertisement for consulting services. We will define that need as we move forward if it is determined by the project team that it is needed.

  If someone knows or has links to documentation and guidance, it would be very much appreciated.

Thanks,
Brian Britt

kennedyjim posted this 04 August 2015

I think you are looking at spinning up a new forest and migrating users, servers/desktops to the new forest.
https://technet.microsoft.com/en-us/library/mergersacquisitionsactivedirectorypruneandgraftrestructuringsupportlimitations(WS.10).aspx

K3llybush posted this 04 August 2015

Here are some links I've accumulated. Basically it sounds like a typical divestiture, building out a greenfield forest for the group/groups that will be leaving Vandy. I've never found a solid document that gave a great overview from MS or anyone else. It's always just been bits and pieces from all over. These may be too general for you and if they are I'm sorry; it's just some links I've been adding to over the years.
Download ADMT 3.2 guide from below.
  • http://www.microsoft.com/downloads/en/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en
  • http://technet.microsoft.com/en-us/library/cc974332%28WS.10%29.aspx
  • http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx
  • Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers: http://support.microsoft.com/kb/976659
  • ADMT 3.2: Common Installation Issues: http://blogs.technet.com/b/askds/archive/2010/07/09/admt-3-2-common-installation-issues.aspx
  • Checklist: Performing an Intraforest Migration: http://technet.microsoft.com/en-us/library/cc974337%28WS.10%29.aspx
  • Checklist: Performing an Interforest Migration: http://technet.microsoft.com/pt-pt/library/cc974327%28WS.10%29.aspx
  • Establishing Migration Accounts for Your Migration: http://technet.microsoft.com/en-us/library/cc776438%28WS.10%29.aspx
  • Best Practices for Active Directory Migration: http://technet.microsoft.com/pt-pt/library/cc974412%28WS.10%29.aspx
  • How to install ADMT 3.2 on Windows 2008 R2 SP1 Domain Controller: http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/26/how-to-install-admt-3-2-on-windows-2008-r2-sp1-domain-controller.aspx
  • Migrating All User Accounts: http://technet.microsoft.com/en-us/library/cc974368%28WS.10%29.aspx and http://remoteitservices.com/content/migrating-users-windows-2003-windows-2008-using-admt-31-0
  • Migrated Users Get Prompted To Change Password at First Logon Even After Migrating Their Password with the PES: http://blogs.technet.com/b/askds/archive/2010/05/12/migrated-users-get-prompted-to-change-password-at-first-logon-even-after-migrating-their-password-with-the-pes.aspx
  • Migrate Workstations and Member Servers: http://technet.microsoft.com/en-us/library/cc974402%28WS.10%29.aspx and http://blogs.technet.com/b/askds/archive/2010/07/10/migrating-vista-and-windows-7-profiles-with-admt-3-2.aspx
  • Enabling Migration of Passwords: http://technet.microsoft.com/en-us/library/cc974435%28WS.10%29.aspx
  • Migrating Vista and Windows 7 profiles with ADMT 3.2: http://blogs.technet.com/b/askds/archive/2010/07/10/migrating-vista-and-windows-7-profiles-with-admt-3-2.aspx
  • Managing Users, Groups, and User Profiles: http://technet.microsoft.com/en-us/library/cc974331%28WS.10%29.aspx
  • Translating Security in Add Mode: http://technet.microsoft.com/en-us/library/cc974439%28WS.10%29.aspx, http://technet.microsoft.com/en-us/library/cc782157%28WS.10%29.aspx and http://technet.microsoft.com/es-es/library/cc780450%28WS.10%29.aspx
  • Troubleshooting KB's: http://support.microsoft.com/kb/841820
  • Troubleshooting Password Migration Issues: http://technet.microsoft.com/en-us/library/cc974377%28WS.10%29.aspx
  • Troubleshooting Computer Migration Issues: http://technet.microsoft.com/en-us/library/cc974341%28WS.10%29.aspx
  • ADMT, RODC's, and Error 800704f1: http://blogs.technet.com/b/askds/archive/2009/10/19/admt-rodc-s-and-error-800704f1.aspx
Thanks,
Kelly Bush


barkills posted this 04 August 2015

From an AD perspective, this is a partial domain migration, and if some of the identities are needed in both ADs, then you don't delete all of the users you move. ADMT can handle this, and if you do need to not delete some of the migrated users, then you'd want to do two separate ADMT user migrations.
Groups add an additional complexity, but they shouldn’t be a show-stopper.
Depending on what’s behind the design of your AD, this may be much more complicated.
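A worked version of the bookkeeping this reply describes, as an added example that is not code from the thread or from ADMT: given which entity each account ends up in, it separates the users into the two ADMT batches (migrated and removed from the source, versus migrated but kept in the source because the identity is needed in both forests) and flags groups whose members straddle the split, which are the ones that have to be recreated on the new side rather than moved. The account names, entity labels and group memberships are constructed sample data; in production they would come from Get-ADUser and Get-ADGroupMember output.

```powershell
# Added example, not from the thread or from ADMT. Bookkeeping for a partial
# domain migration: which users go into which ADMT batch, and which groups
# straddle the split. All names and assignments below are constructed.

function Split-DirectoryInventory {
    param(
        [hashtable]$UserEntity,    # sAMAccountName -> 'Old' | 'New' | 'Both'
        [hashtable]$GroupMembers   # group name -> string[] of member sAMAccountNames
    )

    # Batch 1: identities that exist only in the new forest afterwards.
    $migrateAndRemove = @($UserEntity.Keys | Where-Object { $UserEntity[$_] -eq 'New'  } | Sort-Object)
    # Batch 2: identities still needed on both sides, so the source copy is not deleted.
    $migrateAndKeep   = @($UserEntity.Keys | Where-Object { $UserEntity[$_] -eq 'Both' } | Sort-Object)

    $groups = foreach ($g in ($GroupMembers.Keys | Sort-Object)) {
        $members    = @($GroupMembers[$g])
        $unassigned = @($members | Where-Object { -not $UserEntity.ContainsKey($_) })
        $sides      = @($members | Where-Object { $UserEntity.ContainsKey($_) } |
                        ForEach-Object { $UserEntity[$_] })
        $needOld = ($sides -contains 'Old') -or ($sides -contains 'Both')
        $needNew = ($sides -contains 'New') -or ($sides -contains 'Both')

        $class = if ($unassigned.Count -gt 0)    { 'Blocked: members without an entity assignment' }
                 elseif ($needOld -and $needNew) { 'Split: recreate in new forest, keep the original' }
                 elseif ($needNew)               { 'Move whole' }
                 else                            { 'Stays in old forest' }

        [pscustomobject]@{
            Group      = $g
            Class      = $class
            Unassigned = ($unassigned -join ',')
        }
    }

    [pscustomobject]@{
        MigrateAndRemoveFromSource = $migrateAndRemove
        MigrateAndKeepInSource     = $migrateAndKeep
        Groups                     = $groups
    }
}

# --- constructed sample input (hypothetical accounts and groups) ---
$userEntity = @{
    'jdoe'   = 'New'    # leaves with the corporate entity
    'asmith' = 'New'
    'bjones' = 'Old'    # stays with the university
    'svc-hr' = 'Both'   # shared application account needed on both sides for now
}
$groupMembers = @{
    'HR-Admins'      = @('svc-hr', 'bjones')
    'Corp-Finance'   = @('jdoe', 'asmith')
    'Univ-Registrar' = @('bjones')
    'Legacy-App'     = @('jdoe', 'nobody')   # member with no assignment yet
}

$plan = Split-DirectoryInventory -UserEntity $userEntity -GroupMembers $groupMembers
"ADMT batch, remove from source: $($plan.MigrateAndRemoveFromSource -join ', ')"
"ADMT batch, keep in source:     $($plan.MigrateAndKeepInSource -join ', ')"
$plan.Groups | Format-Table -AutoSize
```

Anything classed as Blocked has a member nobody has assigned to an entity yet; resolving those before the first ADMT run is cheaper than discovering them as broken group resolution after it.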

SamErde posted this 04 August 2015

Couple of clarifying questions. I work at an organization that once split a forest into 3 (2 user/apps forests for different divisions and 1 Exchange resource forest). Right now we're re-consolidating into a greenfield and having even more fun. (!)
Questions: 
1 - It sounds like both forests will remain in-house, as opposed to the corporate half of the forest completely leaving the organization. Is that correct?
2 - Will you be requiring an Exchange resource forest for a shared Exchange infrastructure, or will you maintain separate Exchange environments? (If using an Exchange resource forest, are Lync and SharePoint also involved?)
Also, props to Kelly for the great list of links. It looks like he's done this before, too!
- Sam


BrianB posted this 04 August 2015

Sam,

This will be a complete separation. Some of the other specifics we do not know offhand.

Each entity will be managed separately and will have their own IT staff at the end.
Each entity will have their own Email.
Each entity will have their own Identity management solution.

One entity will get the current AD and Identity management, the other will greenfield AD and IDM. Some applications will need to migrate to the greenfield, but we see this as a long multi-year process. Some applications may be AD aware and get benefit from the trust we establish, while there may be other applications that only know LDAP and are setting the searchbase as dc=domain,dc=edu. We think that these applications may not be able to benefit from the trust between the two forests.

Brian

K3llybush posted this 05 August 2015

So one of the biggest things during the transition and coexistence period is fighting. Basically it always boils down to a turf war somehow and someway... One thing I can't stress enough is a clear plan on who does what, who owns what, when who does what starts and ends, when ownership is taken, and who decides what finished looks like or "project finalization attestation" (I tried to make that segment longer, I really did...). Right now it's just you guys but in the end it's going to be two separate teams; during the transition or divestiture to the separate entity you are (you as in Company A) basically going to be an MSP regardless of whether it's laid out like that contractually. Service X is going to be provided to Company B in some form, keep that in mind because more often than not Company A is going to want to recoup the cost of either providing the service or transitioning the service. For the Nashville Healthcare IT world (and a great all-around example) this is HCA and LifePoint. After LPNT split they left everything with HCA / Parallon and now they want it back or moved in-house; this becomes a pain because they hang off the HCA forest (this is where you go back and read sentence two).
One thread you mentioned is that the users may have multiple IDs in two separate forests. I promise you from experience this is a nightmare to manage and should be avoided or limited if possible. I do understand the reasoning but just keep in mind this is definitely one of those things you put in the issues column. If you can put a trust in place and allow the access back, and LDAP works, you can buy yourself some time and ease the transition. If you can truly build a greenfield on the right with a trust back then you're a lot better off than some people (i.e. LifePoint).
I don't think of it as application migrations either, it's data, right? If the app can be brought up fresh on the right, then all you really need to do is identify the data from the app on the left that the new company needs. The point there is that you're not forklifting the application and server because you can't; it's still being used on the left in perpetuity. You have to define who owns what data and the data is forklifted from left to right on such and such date. I mean it's a lot more complicated than that (infinitely more) but that's my line of thinking on application divestiture. Also, if it's possible I wouldn't migrate computers either. For the servers I would do what I previously mentioned (where you can) and for the computers I'd do the same with fresh deployments. A lot of times I've seen it goofed when you're migrating a computer, then you're doing security translation, then you're modifying the registry to fix an app, then you have to make sure scripts are changed, etc. For me, the small wins are the best. Test the HELL out of it and move it in small manageable chunks. The big bangs seldom work because each department or line of business within a company is different. I've never really seen a one size fits all.
Didn't mean to ramble, hope this gets you thinking in the direction you need to go. 
Thanks,
Kelly Bush


BrianB posted this 11 August 2015

I have been doing some research and found a Gartner article called "Migration Considerations for Active Directory" with a lot of useful information, for anyone who cares about this topic. Unfortunately I cannot republish it here, but if you have access to Gartner you can look up the article yourself. It may also be published publicly, but I have not looked to see if it is.

Brian B.

kebabfest posted this 11 August 2015

Once you have made the decision on which way the split is going, the next decision is which tools best suit your environment.
I have run both a merger and a demerger. Both have their challenges. The demerger is actually politically easier and everybody knows where they stand at the end. Running a migration where you are putting together 2 IT departments is a real bun fight.
I can recommend the Quest tool set if time is your enemy. You can move 100s of users\mailboxes\workstations easily. After the user\workstation migration was well underway then you can start applications.
A forest trust worked well between the greenfield and existing site. Shares/apps etc. were all repermissioned in advance and SID history was used to access them.
The biggest challenges were around bespoke and poorly designed applications. Very quickly we realised that managers were expecting us to fix previously existing bugs! At this point "like for like" became our modus operandi. E.g. if an application was only half working before the migration we weren't taking the responsibility for it being fully functional after it.
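The "repermission in advance and rely on SID history across a forest trust" approach has one security-relevant precondition that silently breaks it: SID filtering. A forest trust strips sIDHistory SIDs from the other forest by default, and an external trust does the same while quarantine is on, so the old-forest SIDs carried by migrated accounts never reach the resource DC's token unless the trust has been relaxed with netdom (/enablesidhistory:yes on a forest trust, /quarantine:no on an external trust). The block below is an added example, not code from the thread or from Quest or ADMT. It reads the trustAttributes bits as MS-ADTS documents them (QUARANTINED_DOMAIN 0x4, FOREST_TRANSITIVE 0x8, TREAT_AS_EXTERNAL 0x40), reports which migrated accounts actually carry an old-forest SID in sIDHistory, and classifies ACEs on a share as repermissioned or still dependent on SID history. The domain SIDs, account names and the share path \\fs1\finance are constructed; the comment at the top shows the live cmdlets that would feed it.

```powershell
# Added example, not from the thread. Three checks behind "repermission in
# advance and rely on SID history": does the trust let sIDHistory through at
# all, which migrated accounts actually carry an old-forest SID, and which ACEs
# on a share still name old-forest SIDs. Sample SIDs, users and ACEs are
# constructed; live data comes from
#   Get-ADTrust -Filter * -Properties trustAttributes
#   Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
#   (Get-Acl \\server\share).Access | ForEach-Object {
#       $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }

# trustAttributes bits as documented in MS-ADTS (trustAttributes attribute).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40

function Get-TrustSidHistoryPosture {
    param([int]$TrustAttributes)
    $quarantined = ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
    $forest      = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)  -ne 0
    $asExternal  = ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)  -ne 0
    if ($quarantined) {
        return 'SID filter quarantine on: sIDHistory stripped from tokens (netdom trust ... /quarantine:no)'
    }
    if ($forest -and -not $asExternal) {
        return 'Forest trust at default SID filtering: other-forest sIDHistory stripped (netdom trust ... /enablesidhistory:yes)'
    }
    return 'sIDHistory honoured across this trust'
}

function Get-DomainSid([string]$Sid) {
    # Domain part of an account SID; $null for well-known SIDs such as S-1-5-32-544.
    $d = ([System.Security.Principal.SecurityIdentifier]$Sid).AccountDomainSid
    if ($d) { $d.Value } else { $null }
}

function Get-SidHistoryReport {
    param([string]$SourceDomainSid, [object[]]$Users)   # Users: SamAccountName, SID, SIDHistory
    foreach ($u in $Users) {
        $history    = @($u.SIDHistory)
        $fromSource = @($history | Where-Object { (Get-DomainSid $_) -eq $SourceDomainSid })
        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            HasSourceHistory = ($fromSource.Count -gt 0)
            SourceSids       = ($fromSource -join ',')
            ForeignSids      = (@($history | Where-Object { $_ -notin $fromSource }) -join ',')
        }
    }
}

function Test-AceRepermissioned {
    param([string]$SourceDomainSid, [string]$TargetDomainSid, [object[]]$Aces)  # Aces: Path, Sid
    foreach ($a in $Aces) {
        $dom = Get-DomainSid $a.Sid
        $state = if ($dom -eq $SourceDomainSid)     { 'Old-forest SID: works only while sIDHistory passes the trust' }
                 elseif ($dom -eq $TargetDomainSid) { 'Repermissioned to new forest' }
                 else                               { 'Well-known or third-domain SID' }
        [pscustomobject]@{ Path = $a.Path; Sid = $a.Sid; State = $state }
    }
}

# --- constructed sample input (hypothetical domain SIDs, accounts and share) ---
$oldDom = 'S-1-5-21-111111111-222222222-333333333'   # forest the university keeps
$newDom = 'S-1-5-21-444444444-555555555-666666666'   # greenfield corporate forest
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   SID = "$newDom-1105"; SIDHistory = @("$oldDom-1105") },
    [pscustomobject]@{ SamAccountName = 'asmith'; SID = "$newDom-1106"; SIDHistory = @() }
)
$aces = @(
    [pscustomobject]@{ Path = '\\fs1\finance'; Sid = "$oldDom-1105" },
    [pscustomobject]@{ Path = '\\fs1\finance'; Sid = "$newDom-1105" },
    [pscustomobject]@{ Path = '\\fs1\finance'; Sid = 'S-1-5-32-544' }
)

Get-TrustSidHistoryPosture -TrustAttributes 0x08   # plain forest trust, filtering at defaults
Get-TrustSidHistoryPosture -TrustAttributes 0x48   # forest trust after /enablesidhistory:yes
Get-SidHistoryReport -SourceDomainSid $oldDom -Users $users | Format-Table -AutoSize
Test-AceRepermissioned -SourceDomainSid $oldDom -TargetDomainSid $newDom -Aces $aces | Format-Table -AutoSize
```

Relaxing SID filtering is a deliberate weakening of the trust boundary: anyone who can write sIDHistory in the trusted forest can then impersonate old-forest principals, including Domain Admins of the forest that stays behind. Treat it as a temporary coexistence setting, keep ACEs like the first sample one on a list to be replaced with the second, and re-enable filtering once the report shows no old-forest SIDs left in use.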


BrianB posted this 11 August 2015

We are seriously looking at a VDS (Virtual Directory Server) solution and building a greenfield environment to provision new users and groups to via an IDM solution (TBD). We will have our apps point to the VDS rather than the domain and let that middleware translate what is needed. That will be in place for some time while users and groups are newly provisioned to the new AD environment and removed from the old AD environment.

The VDS SHOULD make migrations seamless and give time to rebuild applications in the new AD environment which then will use the identities and groups in the new AD.
Does anyone have recommendations for a VDS solution? Gartner mentions Dell VDS and OptimalIDM.

Another option is to use a consolidated directory. But that will require yet another directory service and a metadirectory of some sort. FIM was mentioned in the article for this method.
Brian B.