Configure a domain controller to be isolated

Nicholas Franko 0 Reputation points
2025-01-22T17:47:26.5466667+00:00

I want to validate what I think I need to do. Here is the situation.

Company is selling a location that has an on-prem Domain Controller; this domain controller has no schema roles assigned to it. It is the DHCP and DNS server locally as well. The company that is buying requires the domain to still be active as they integrate into their system.

What I have gathered for steps are the following:

  1. Disable inbound and outbound replication on the domain controller.
  2. Remove all domain controllers from ADUC, remove all domain admin accounts except the one created specifically for the buyer. Remove all servers, computers, and users that do not belong to the location that is being sold.
  3. On the PDC, remove the Domain Controller that is associated with the location being sold.
  4. Remove all DNS entries of items not from the location being sold.

This is just temporary until the buyer is able to get their domain services set up. Is there anything that I am missing?


1 answer

  1. Marcin Policht 32,510 Reputation points MVP
    2025-01-22T18:14:56.9166667+00:00

    This is a risky operation from the security standpoint - having access to a domain controller by a third party can be exploited (even if you delete the existing object - keep in mind these can be restored within the tombstone interval - even without relying on Recycle Bin) - so be aware of the security implications. But if you're willing to accept the risk, here is what you can try:

    1. Prepare the domain controller for isolation
      • Disable inbound and outbound replication on the domain controller to ensure changes are not propagated.
      • Following isolation, perform metadata clean-up on both sides. Follow https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
      • Remove all domain admin accounts except one created specifically for the buyer.
      • Remove all servers, computers, and users that do not belong to the location being sold.
      • On the PDC Emulator, remove the domain controller associated with the location being sold.
      • Clean up DNS entries to remove references to resources not part of the sold location.
    2. Review/address some of the more obvious security risks
      • Built-in Accounts: Accounts like Administrator, Guest, and krbtgt require special handling to mitigate security risks. Reset their password multiple times. For example, for the krbtgt account:

        # First Reset
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongPassword1!" -Force)

        # Second Reset
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongPassword2!" -Force)

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

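The answer above lists the isolation steps as a checklist. The following PowerShell script is an added example, not code from the thread or from Microsoft, that turns that checklist into a report-first procedure: it runs read-only by default and only makes changes when `-Apply` is given, so the hand-over can be reviewed before anything is deleted. The DC name, retained OU, DNS zone and buyer account name are assumptions to be replaced with real values; it requires the ActiveDirectory and DnsServer RSAT modules and a Domain Admin session on the DC being isolated. It also adds the check the answer hints at: a listing of deleted objects that are still recoverable within the tombstone lifetime, since those survive the clean-up and remain visible to whoever administers the isolated DC.

```powershell
# Added example (not from the original thread). Assumed values below; replace them.
param(
    [string]$IsolatedDc = 'DC-SITE01',                     # assumption: the DC being handed over
    [string]$KeepOu     = 'OU=Site01,DC=corp,DC=example',  # assumption: OU holding objects that stay
    [string]$ZoneName   = 'corp.example',                  # assumption: AD-integrated DNS zone on this DC
    [string]$BuyerAdmin = 'buyer-admin',                   # assumption: the one Domain Admin that stays
    [switch]$Apply                                         # without -Apply the script only reports
)
Import-Module ActiveDirectory
Import-Module DnsServer

$builtin = @('Administrator', 'Guest', 'krbtgt', $BuyerAdmin)

# 1. Stop replication in both directions so nothing flows between the two sides.
if ($Apply) {
    repadmin /options $IsolatedDc +DISABLE_INBOUND_REPL
    repadmin /options $IsolatedDc +DISABLE_OUTBOUND_REPL
}
Write-Host "Replication flags on $IsolatedDc :"
repadmin /options $IsolatedDc

# 2. Domain Admins other than the buyer's account (nested members included).
$extraAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $BuyerAdmin }
Write-Host "Domain Admins to remove: $($extraAdmins.Count)"
$extraAdmins | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
if ($Apply) {
    $extraAdmins | ForEach-Object {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ -Confirm:$false
    }
}

# 3. Computers and users that live outside the retained OU.
#    Other domain controllers are NOT deleted here: they are cleaned up with the
#    metadata clean-up procedure linked in the answer, not with Remove-ADObject.
$strayComputers = Get-ADComputer -Filter * | Where-Object {
    $_.DistinguishedName -notlike "*,$KeepOu" -and
    $_.DistinguishedName -notlike '*,OU=Domain Controllers,*'
}
$strayUsers = Get-ADUser -Filter * | Where-Object {
    $_.DistinguishedName -notlike "*,$KeepOu" -and $builtin -notcontains $_.SamAccountName
}
Write-Host "Computers outside ${KeepOu}: $($strayComputers.Count); users: $($strayUsers.Count)"
$strayComputers | Select-Object Name, DistinguishedName | Format-Table -AutoSize
$strayUsers     | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
if ($Apply) {
    $strayComputers | ForEach-Object { Remove-ADObject -Identity $_ -Recursive -Confirm:$false }
    $strayUsers     | ForEach-Object { Remove-ADUser   -Identity $_ -Confirm:$false }
}

# 4. DNS A records whose host name is not a retained computer (or this DC).
$keepHosts = @($IsolatedDc.ToLower()) +
    (Get-ADComputer -Filter * -SearchBase $KeepOu | ForEach-Object { $_.Name.ToLower() })
$strayDns = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A | Where-Object {
    $_.HostName -ne '@' -and $keepHosts -notcontains $_.HostName.ToLower()
}
Write-Host "A records to remove from ${ZoneName}: $($strayDns.Count)"
$strayDns | Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } | Format-Table -AutoSize
if ($Apply) {
    $strayDns | Remove-DnsServerResourceRecord -ZoneName $ZoneName -Force
}

# 5. krbtgt reset, twice, with random values instead of the placeholder passwords above.
#    The second reset invalidates tickets issued under the previous key; wait at least
#    the maximum ticket lifetime (10 hours by default) between the two on a live domain.
function New-RandomPassword {
    -join ((1..32) | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
}
if ($Apply) {
    Set-ADAccountPassword -Identity krbtgt -Reset `
        -NewPassword (ConvertTo-SecureString -AsPlainText (New-RandomPassword) -Force)
}
Write-Host "krbtgt PasswordLastSet: $((Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet)"

# 6. What the buyer could still restore: deleted objects inside the tombstone lifetime.
$configNc = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Properties tombstoneLifetime).tombstoneLifetime
Write-Host "Tombstone lifetime: $tsl days. Deleted objects still recoverable on this DC:"
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize
```

Run it once without `-Apply` and keep the output as the hand-over record; the final listing shows which deleted objects would remain restorable (for `tombstoneLifetime` days) to anyone holding Domain Admin on the isolated DC, which is the exposure the answer warns about.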
