I have a domain spanning a few sites. Nothing fancy, just one domain. The sites are all connected via VPN and each site has a Windows 2003 R2 domain controller.
For an assortment of reasons, one of those remote sites is leaving my little domain "family." I will be disconnecting the VPN soon and turning them loose to be autonomous. I'm pondering on the best approach to keep that site up and running independently after the VPN is gone. (I should mention that I will have physical access to the newly disconnected site after the VPN is dropped.)
I see a few options.
1) Do nothing. Well, I'd change their domain admin password after the VPN drop but then just leave things alone. Will that now "orphaned" domain controller run into issues? It certainly won't have all the FSMO roles... but can that be fixed?
2) Demote the current DC. Re-promote it into a new domain. Remove their client machines from the old domain and re-add them to the new domain. There are some SQL Server boxes running as service accounts from the old domain that I'd have to fix up, but otherwise...?
3) Open to other more logical ideas.
How would you approach this? Is either of my options viable? I think option 2 makes the most sense, but also the most effort. I'm limited a bit by how much time I'll have to get these configured, so this option does make me a bit nervous.
Figure I'd turn to the experts before I roll up my sleeves. Can't help but suspect there's a better way.
Option 2 is going to leave you with a lot of work in terms of service accounts, user profiles, file share permissions, GPO modifications, etc.
Personally I'm for option number 1, with a few warnings/caveats:
Make sure both DCs are GCs, make sure DNS is AD integrated, make sure replication is on the money, stop making any further changes (creating or modifying objects), wait until replication quiesces, disconnect the networks, seize the FSMO roles on the orphan DC, clean up the metadata to remove any trace of the other DC (in both domains), and make sure that the two networks/domains are never, ever connected together again.
I'm sure others here will have other opinions and advice for you so don't be hasty to make a decision.
*****EDIT*****
I'm thinking that in theory option 1 should present the same scenario and the same tasks as if a DC in the domain were "ungracefully" removed from the domain. As long as the two networks/domains are never connected again, I don't see any issues with this option.
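The checklist in the answer above as a script. This is an added example, not code from the original thread or from any of the posters; it targets PowerShell 2.0 on Windows Server 2003 R2 and drives the 2003-era tools (ntdsutil, repadmin, netdom, dnscmd, the MicrosoftDNS WMI provider) because no ActiveDirectory module exists there. All server, site and domain names are placeholders, and the ntdsutil "remove selected server ... on ..." form is the 2003 SP1 syntax from KB216498 (assumed available on R2). The -Check phase runs before the VPN is dropped; the -Seize phase runs only on the orphaned DC after the link is down, and the mirror-image metadata cleanup still has to be done on the staying network for the leaving DC.

```powershell
<#
  Added example (not from the original thread). Placeholders throughout.
  Phase 1 (-Check): run BEFORE the VPN is dropped, from either side.
  Phase 2 (-Seize): run ONLY on the orphaned DC, AFTER the VPN is down.
#>
param(
    [string]$Domain      = "corp.example.com",  # assumed: the shared domain
    [string]$StayingDC   = "DC-HQ",             # assumed: DC that stays with the main network
    [string]$StayingSite = "HQ",                # assumed: AD site that DC lives in
    [string]$LeavingDC   = "DC-REMOTE",         # assumed: DC that becomes the orphan
    [switch]$Check,
    [switch]$Seize
)

# corp.example.com -> DC=corp,DC=example,DC=com
$DomainDN = "DC=" + ($Domain -replace '\.', ',DC=')

function Test-IsGlobalCatalog([string]$dc) {
    # Bit 0 of the NTDS Settings 'options' attribute (NTDSDSA_OPT_IS_GC) marks a GC.
    $root = [ADSI]"LDAP://$dc/RootDSE"
    $ntds = [ADSI]("LDAP://$dc/" + $root.dsServiceName)
    return (([int]$ntds.options.Value) -band 1) -eq 1
}

function Test-DnsAdIntegrated([string]$dc) {
    # MicrosoftDNS_Zone.DsIntegrated is true only for AD-integrated zones.
    $zone = Get-WmiObject -ComputerName $dc -Namespace root\MicrosoftDNS `
                -Class MicrosoftDNS_Zone -Filter "ContainerName='$Domain'"
    return ($zone -ne $null) -and [bool]$zone.DsIntegrated
}

function Test-ReplicationClean([string]$dc) {
    # Push a full sync, then fail if any inbound link reports a failed last attempt.
    & repadmin /syncall $dc /AeP | Out-Null
    $out = & repadmin /showrepl $dc 2>&1
    return -not ($out -match 'Last attempt .* failed')
}

function Invoke-FsmoSeize {
    # ntdsutil attempts a graceful transfer first and seizes only when the current
    # holder cannot be reached. On 2003 each seize raises a Yes/No confirmation dialog.
    $roles = 'schema master', 'domain naming master', 'PDC', 'RID master', 'infrastructure master'
    $cmds  = @('roles', 'connections', "connect to server $LeavingDC", 'quit')
    foreach ($r in $roles) { $cmds += "seize $r" }
    $cmds += 'quit', 'quit'
    & ntdsutil @cmds
}

function Invoke-MetadataCleanup {
    # Remove the NTDS Settings object of the DC that is now on the other network.
    $serverDN = "CN=$StayingDC,CN=Servers,CN=$StayingSite,CN=Sites,CN=Configuration,$DomainDN"
    & ntdsutil 'metadata cleanup' "remove selected server $serverDN on $LeavingDC" 'quit' 'quit'
    # ntdsutil leaves the computer account and DNS records behind; remove those too so
    # clients and services stop finding the other DC by name.
    $acct = [ADSI]"LDAP://$LeavingDC/CN=$StayingDC,OU=Domain Controllers,$DomainDN"
    $acct.DeleteTree()
    & dnscmd $LeavingDC /RecordDelete $Domain $StayingDC A /f
    # SRV records under _msdcs still need deleting by hand (or via scavenging).
}

if ($Check) {
    foreach ($dc in $StayingDC, $LeavingDC) {
        "{0}: GC={1} DNS AD-integrated={2} replication clean={3}" -f $dc,
            (Test-IsGlobalCatalog $dc), (Test-DnsAdIntegrated $dc), (Test-ReplicationClean $dc)
    }
}

if ($Seize) {
    # Guard against the one thing the answer says must never happen: seizing roles
    # while the other DC is still reachable (ping is a weak check; a firewall can fool it).
    if (Test-Connection -ComputerName $StayingDC -Count 1 -Quiet) {
        throw "$StayingDC is still reachable; do not seize roles while the networks are connected."
    }
    Invoke-FsmoSeize
    Invoke-MetadataCleanup
    & netdom query fsmo   # every role should now list $LeavingDC
}
```

Run `.\split.ps1 -Check` from a domain admin session until all three columns read True for both DCs, stop making directory changes, drop the VPN, then run `.\split.ps1 -Seize` on the remote DC. On the staying side, run the cleanup with the names swapped so that network forgets the remote DC as well; from that moment the two directories are independent copies of the same domain and reconnecting them would produce duplicate FSMO holders and lingering-object conflicts.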
I'm thinking of just making a new domain and disjoining and rejoining the clients at the remote site (as long as there aren't 100s of them!). It all depends on what is using your AD deployment at the other site: SQL, SharePoint, Exchange, etc. Let us know.
Think hard about this, as you will find that you may have some issues with forest-level stuff like the schema, for a start. As painful as it may be, it may be option 2. I will take a look at this, as I haven't been in your shoes for a long while.
This question is very similar to this item: http://www.petri.co.il/forums/showthread.php?p=72644.
I am researching the possibility of doing the very same domain split. For us it is necessary for a network security/compliance reason. We have a number of Web (IIS 6) and SQL servers attached to a 2003 AD domain (single site currently) and need to split the domain in two, with one half to be left as-is (run down over the next 2-3 years as our Non-Compliant Network), while the other half has tighter security applied and is kept updated to conform to the security regulations we are working towards (Compliant Network).
I am well aware that the domains must NEVER EVER be reconnected after the split and the domain FSMO roles have been seized to the separate network.
I plan to use the advice in the thread I attached above. I am first running a lab test with multiple DCs and a couple of web servers to prove this process works. I think in my situation it will work best if we create a separate Active Directory site (probably named 'compliant network' or similar!), issue new IP addresses to the servers to be split off, associate these addresses with the 'compliant network' site, and then move the servers within 'Active Directory Sites and Services' to the new 'compliant network' site. This will then aid the Active Directory cleanup afterwards, as in the compliant network we will be able to remove all servers not in the 'compliant network' site, and in the 'non-compliant network' we will be able to remove all server references for servers that have moved to the 'compliant network' site.
I'll keep an eye on the experts' feedback and comments on these postings, and feed back what I discover from my lab test(s).