Active Directory Merger, Acquisition, and Divestiture: Restructuring Limitations

Applies To: Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2

When a company acquires another company, business unit, or product line, the purchasing company may also want to acquire corresponding IT assets from the seller. Specifically, the buyer may want to acquire some or all of the domain controllers that host the user accounts, computer accounts, or security groups that correspond to the business assets that are to be purchased. The only supported methods for the buyer to acquire the IT assets that are stored in the seller's Active Directory forest are as follows:

  1. Acquire the only instance of the forest, including all domain controllers and directory data in the seller's entire forest.

  2. Migrate the needed directory data from the seller’s forest or domains to one or more of the buyer's domains. The target for such a migration may be an entirely new forest or one or more existing domains that are already deployed in the buyer's forest. We recommend that you migrate the directory data without security identifier (SID) history. If you migrate the directory data with SID history, information about the seller's forest will be retained in the new forest of the buyer. For more information about migrating directory data without SID history, see Migrating Accounts Without Using SID History (https://go.microsoft.com/fwlink/?LinkId=113694).

This support limitation exists because:

  • Each domain in an Active Directory forest is assigned a unique identity during the creation of the forest. Copying domain controllers from an original domain to a cloned domain compromises the security of both the domains and the forest. Threats to the original domain and the cloned domain include the following

    • Sharing of passwords that can be used to gain access to resources

    • Insight regarding privileged user accounts and groups

    • Mapping of IP addresses to computer names

    • Additions, deletions, and modifications of directory information if domain controllers in a cloned domain ever establish network connectivity with domain controllers from the original domain

  • Cloned domains share a common security identity; therefore, trust relationships cannot be established between them, even if one or both of the domains have been renamed.