
I haven't been officially Microsoft trained so forgive my incompetence discussing what we want done and how to go about it.

We currently have an MPLS style network hosting different sites which each have their own DC, OU and file/folder/print shares. We also have a centrally located PDC behind the MPLS firewall which is accessible from all of the sites in question. What we need to do is remove an onsite DC from the domain, keeping the previous AD user accounts, passwords, file/folder permissions and print shares (GP) intact, and change the domain name whilst making it completely independent (disjoining the site from MPLS connectivity) on its own new domain and promote it to a PDC. I've had a look through the ADMT tool which seems to migrate all the SIDs to a new target domain, but from what I gather doing so would involve using a new box to act as a PDC and this would also mean that file/folder permissions would not be carried over to the new domain. If at all possible I'd like to do this from the site DC without using any other boxes to act as an interim DC or the like.

I wanted to know if anyone has any experience doing this sort of task and whether anyone had any advice in doing so?

Dave M
Rob

1 Answer


There's a lot more detail to this than a simple question can answer, so I'll add the disclaimer that you really need to hire an AD consultant to walk you through this.

There hasn't been a "primary domain controller" in years, thanks to Active Directory. Everything is handled by FSMO roles, which are services provided by the domain controllers. One of those roles is the PDC Emulator, which allows legacy systems to continue talking to the domain.

Anyway, the basic gist is that you want to move all your FSMO roles to the one that's staying in your office, then physically move the other domain controller to the satellite site. Once it's there, and disconnected from the other domain controller, you can seize the FSMO roles and make it its own little kingdom.

One problem that you'll need to solve is users that move between the two sites. Computers will be very unhappy to interact with two alternate-reality domains. One solution may be to migrate to a new domain after everything is working at your new site.

Hyppy
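The transfer-then-seize sequence described in the answer above, sketched with the ActiveDirectory PowerShell module. This is an added example, not part of the original answer; `HQ-DC01` and `SITE-DC01` are placeholder DC names and `Get-FsmoHolder` / `Move-FsmoTo` are hypothetical helper names. It defaults to a dry run (`-WhatIf`) so the role list can be reviewed before anything changes.

```powershell
# Added example. DC names and helper function names are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # One object per FSMO role with the DC that currently holds it.
    param([string]$Server = $env:COMPUTERNAME)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    $holders = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    $holders.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Role = $_.Key; Holder = $_.Value }
    }
}

function Move-FsmoTo {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize,   # -Force: take roles from holders that cannot be reached
        [switch]$Apply    # without this the cmdlet only reports what it would do
    )
    # Compare short host names so "HQ-DC01" matches "hq-dc01.example.local".
    $target = ($TargetDC -split '\.')[0]
    $roles = @(Get-FsmoHolder -Server $TargetDC |
        Where-Object { ($_.Holder -split '\.')[0] -ne $target } |
        Select-Object -ExpandProperty Role)
    if ($roles.Count -eq 0) {
        Write-Output "$TargetDC already holds all five roles."
        return
    }
    $params = @{
        Identity            = $TargetDC
        OperationMasterRole = $roles
        Confirm             = $false
        WhatIf              = (-not $Apply)
    }
    if ($Seize) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}

# Before the move, graceful transfer to the DC that stays (dry run, then apply):
#   Move-FsmoTo -TargetDC HQ-DC01
#   Move-FsmoTo -TargetDC HQ-DC01 -Apply
# On the site DC once it is disconnected, seize what it does not hold:
#   Move-FsmoTo -TargetDC SITE-DC01 -Seize -Apply
```

Run `Get-FsmoHolder` on each side afterwards to confirm every role points at the DC you expect.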