Testing the separation of two AD domains [Resolved]

We are currently working on a so-called carve-out project, i.e. part of a larger company OLDCO got sold separately and the new entity builds up a new Active Directory domain NEWCO. During the transition phase both the OLDCO domain controllers and the NEWCO domain controllers, as well as the clients, share an IP address space. The NEWCO domain trusts the OLDCO domain for the time being, so one can for example authenticate to a NEWCO client machine using an OLDCO user account.

Obviously by the end of the transition phase the OLDCO AD will be gone, possibly by separation of networks which will take place only in some remote future.

We are now looking for a way to make sure we can test applications for their dependency on OLDCO. I.e., if we have moved application X to new servers which are domain members of NEWCO, how can we make sure we do not use any OLDCO resources anymore without possibly noticing?

We thought of implementing some firewall rules which can be easily switched on and off and which would temporarily prevent any access to the OLDCO domain controllers from any migrated application servers, as the best simulation of "no longer there", but would that be a valid test?

Not being too sure about AD internals, for example, I have no idea if NEWCO domain controllers would possibly cache any data from the OLDCO domain as long as the trust is there, and that cache might expire at a point in time where the OLDCO DCs will have been gone, and problems will hit us a long time after testing that looked successful.

Has anyone successfully done a project like that before, and possibly any other idea of how to simulate such a carve-out in an AD forest?

Question Credit: TorstenS
Asked July 13, 2019
Posted Under: Network
1 Answer
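As an added example (not part of the original question or any answer to it): a PowerShell inventory that can be run on a migrated NEWCO member server to surface hard references to OLDCO principals, complementing the firewall "cut-off" test described above. It assumes OLDCO is the old domain's NetBIOS name, an elevated session, and PowerShell 5.1 or later (for Get-LocalGroupMember and Get-ScheduledTask).

```powershell
# Added example: scan a migrated member server for references to the old
# domain (assumed NetBIOS name OLDCO) that would break once OLDCO is gone.
param(
    [string]$OldDomain = 'OLDCO',
    [int]$LogonLookbackHours = 24
)

# Matches identities written as OLDCO\account (-match is case-insensitive).
$pattern  = "^$([regex]::Escape($OldDomain))\\"
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Area, $Item, $Identity) {
    $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Identity = $Identity })
}

# 1. Windows services whose logon account lives in the old domain.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $pattern } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.StartName }

# 2. Scheduled tasks that run as an old-domain principal.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern } |
    ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName $_.Principal.UserId }

# 3. Old-domain users or groups nested in local groups (e.g. Administrators).
Get-LocalGroup | ForEach-Object {
    $group = $_.Name
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { Add-Finding 'LocalGroup' $group $_.Name }
}

# 4. Recent successful logons (Security event 4624) by old-domain accounts:
#    these show live use (service calls, RDP, jobs) that a static scan misses.
$since = (Get-Date).AddHours(-$LogonLookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        $dom  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($dom -ieq $OldDomain) { Add-Finding 'Logon4624' $_.TimeCreated "$dom\$user" }
    }

# Report: anything listed here is a dependency that must be re-pointed to NEWCO.
$findings | Sort-Object Area, Item, Identity -Unique | Format-Table -AutoSize
if ($findings.Count -eq 0) { "No references to $OldDomain found on $env:COMPUTERNAME" }
```

A clean result here does not prove the absence of cached credentials or trust-path lookups on the domain controllers, so it is a complement to, not a replacement for, blocking the OLDCO DCs and observing the application.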