Re: Active Directory split

Giganews Newsgroups
Subject: Re: Active Directory split
Posted by: Paul Bergson [MVP-DS]
Date: Fri, 7 Nov 2008

Hello Luka,
If you are going to do a migration you should convince your management that
you need to establish a trust between the two domains.  If you have the trust
established then you can migrate the users, computers, groups, etc. and
the security permissions associated with objects.  Otherwise you will be
stuck with recreating every single attribute.  Not a good option even on
a small 200-user network.

Other than that you will be forced to do it all manually and users will be stuck
with maintaining two IDs and authenticating in each domain.  You
could look at the stored passwords option in XP, but I hate allowing passwords
of any type to be saved.

Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

Please no e-mails, any questions should be posted in the NewsGroup. This posting
is provided "AS IS" with no warranties, and confers no rights.

> I’m preparing for an AD split for the company that will separate from the
> main company. After the split they’ll have only a few servers in the new AD
> (all servers are W2k3 R2; MS cluster with 2 nodes (file server, print
> server, SQL, Lotus Notes, …), AD server, Oracle, …) and about 200
> users/computers located in a few VPN-connected locations around
> Europe. We are not allowed to enable trusts between the two domains! We
> will export/import all users, computers, printers, security groups, …
> from the main domain to the new one. We plan to move computers into the new
> domain location by location. Users will for now have the same
> passwords on both sides.
> And now the problem. When I try to connect to a share located on our
> file server (old domain), from the testing computer that is already in
> the new domain, I’m prompted to enter username and password.
> Is there a way to work around this prompt without adding all users
> into the local users container on all our member servers?
> Is it possible to configure Windows Server 2003 to forward
> authentication only with username without domain name?
> Or maybe someone has a better idea?
> Thx, Luka



In response to

Active Directory split posted by Luka Obersnu on Fri, 7 Nov 2008