Configure a domain controller to be isolated

Nicholas Franko 0 Reputation points
2025-01-22T17:47:26.5466667+00:00

I want to validate what I think I need to do. Here is the situation.

Company is selling a location that has an on-prem Domain Controller; this domain controller has no schema roles assigned to it. It is the DHCP and DNS server locally as well. The company that is buying requires the domain to still be active as they integrate into their system.

The steps I have gathered are the following.

  1. Disable inbound and outbound replication on the domain controller.
  2. Remove all domain controllers from ADUC, remove all domain admin accounts except the one created specifically for the buyer. Remove all servers, computers, and users that do not belong to the location that is being sold.
  3. On the PDC, remove the Domain Controller that is associated with the location being sold.
  4. Remove all DNS entries of items not from location being sold

This is just a temporary until the buyer is able to get their domain services setup. Is there anything that I am missing?


1 answer

  1. Marcin Policht 68,850 Reputation points MVP Volunteer Moderator
    2025-01-22T18:14:56.9166667+00:00

    This is a risky operation from the security standpoint: a third party having access to a domain controller can be exploited (even if you delete the existing objects, keep in mind that these can be restored within the tombstone interval, even without relying on the Recycle Bin), so be aware of the security implications. But if you're willing to accept the risk, here is what you can try:

    1. Prepare the domain controller for isolation
      • Disable inbound and outbound replication on the domain controller to ensure changes are not propagated.
      • Following isolation, perform metadata clean-up on both sides. Follow https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
      • Remove all domain admin accounts except one created specifically for the buyer.
      • Remove all servers, computers, and users that do not belong to the location being sold.
      • On the PDC Emulator, remove the domain controller associated with the location being sold.
      • Clean up DNS entries to remove references to resources not part of the sold location.
    2. Review/address some of the more obvious security risks
      • Built-in Accounts: Accounts like Administrator, Guest, and krbtgt require special handling to mitigate security risks. Reset their password multiple times. For example, for the krbtgt account:
               Import-Module ActiveDirectory
               # The literals below are placeholders; use long random values, the password itself is never typed again.

               # First Reset (the previous key is retained, so TGTs issued before the reset keep working)
               Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongPassword1!" -Force)

               # Second Reset (drops the original key; any TGT still issued under it stops working)
               Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongPassword2!" -Force)


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

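The isolation procedure from the answer above as one PowerShell script, added here as an illustration and not part of the original question or answer. It adds the checks a practitioner would want before the DC changes hands: confirming the replication flags, listing what is still recoverable from tombstones or the Recycle Bin, and listing who is still privileged after the clean-up. Every name (`$SoldDc`, `$SoldSite`, `$BuyerAdmin`, `$SoldOu`, `$Zone`) is an assumed placeholder, and every destructive cmdlet carries `-WhatIf`.

```powershell
# Added example (not part of the original question or answer): the isolation
# steps from the answer above as a PowerShell script, plus the checks a
# practitioner would want before the DC changes hands. All names below are
# assumed placeholders; every destructive call carries -WhatIf, drop it only
# after reading the output. Run on the DC that is being handed over.
Import-Module ActiveDirectory
Import-Module DnsServer

$SoldDc     = 'DC-BRANCH01'                     # assumed: the DC that goes with the location
$SoldSite   = 'Branch01'                        # assumed: its AD site
$BuyerAdmin = 'buyer-admin'                     # assumed: the one Domain Admin kept for the buyer
$SoldOu     = 'OU=Branch01,DC=corp,DC=example'  # assumed: OU holding the sold location's objects
$Zone       = 'corp.example'                    # assumed: AD-integrated zone served by $SoldDc
$configNC   = (Get-ADRootDSE).configurationNamingContext

# 1. Stop replication both ways on the sold DC so nothing below propagates.
repadmin /options $SoldDc +DISABLE_INBOUND_REPL
repadmin /options $SoldDc +DISABLE_OUTBOUND_REPL
repadmin /options $SoldDc          # both DISABLE_*_REPL flags must now be listed

# 2. Drop users and computers outside the sold OU. DC computer objects are
#    left alone here; retained DCs go through metadata cleanup (step 4).
$builtin = 'Administrator', 'Guest', 'krbtgt', $BuyerAdmin
$dcNames = (Get-ADDomainController -Filter *).Name
Get-ADUser -Filter * |
    Where-Object { $_.DistinguishedName -notlike "*,$SoldOu" -and $_.SamAccountName -notin $builtin } |
    Remove-ADUser -Confirm:$false -WhatIf
Get-ADComputer -Filter * |
    Where-Object { $_.DistinguishedName -notlike "*,$SoldOu" -and $_.Name -notin $dcNames } |
    Remove-ADComputer -Confirm:$false -WhatIf

# Strip privileged group membership explicitly: a Recycle Bin restore brings a
# deleted account back with its groups intact. Enterprise/Schema Admins exist
# only in the forest root domain, hence the SilentlyContinue.
foreach ($g in 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember $g -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin @('Administrator', $BuyerAdmin) } |
        ForEach-Object { Remove-ADGroupMember $g -Members $_ -Confirm:$false -WhatIf }
}

# 3. The caveat from the answer: deletion is not removal. Everything deleted
#    above stays recoverable for the tombstone lifetime (blank = 60-day default)
#    or, with the Recycle Bin on, with all attributes via Restore-ADObject.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$rb    = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
"Tombstone lifetime: $($dsObj.tombstoneLifetime) days; Recycle Bin enabled: $($rb.EnabledScopes.Count -gt 0)"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged      # what the buyer could still restore

# 4. Metadata cleanup runs on a retained DC, not here (doc link in the answer):
#    ntdsutil "metadata cleanup" "remove selected server CN=$SoldDc,CN=Servers,CN=$SoldSite,CN=Sites,$configNC" q q

# 5. Reset krbtgt twice with random values. The first reset keeps the old key
#    as "previous", so current TGTs still work; the second drops it, so every
#    outstanding TGT dies and clients must log on again. In a replicating domain
#    you would wait for convergence plus the maximum TGT lifetime (10 h by
#    default) between the two; here nothing replicates, so the cost is re-logon.
function New-RandomPassword {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -AsPlainText ([Convert]::ToBase64String($bytes)) -Force
}
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
# Built-in Administrator: new random value (hand it over out of band, or let the
# buyer reset it later as $BuyerAdmin); Guest stays disabled.
Set-ADAccountPassword -Identity Administrator -Reset -NewPassword (New-RandomPassword)
Disable-ADAccount -Identity Guest
Get-ADUser -Filter 'SamAccountName -eq "krbtgt" -or SamAccountName -eq "Administrator"' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 6. DNS: remove A records for hosts that no longer exist under the sold OU.
#    Do the same for NS and SRV records that name retained DCs (adjust -RRType).
$keepHosts = @((Get-ADComputer -Filter * -SearchBase $SoldOu).Name) + $SoldDc
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.HostName -notin $keepHosts } |
    ForEach-Object {
        Remove-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $_.HostName `
            -RecordData $_.RecordData.IPv4Address.ToString() -Force -WhatIf
    }

# 7. Final check before handover: every account still flagged as privileged.
Get-ADUser -Filter 'adminCount -eq 1' -Properties MemberOf |
    Select-Object SamAccountName, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf -replace '^CN=([^,]+),.*', '$1') -join ';' } }
```

Run it section by section rather than end to end: step 3 is the one to read carefully, because the list it prints is exactly what the buyer's admin can bring back, and it is the reason the answer calls the whole exercise risky regardless of how thorough steps 2 and 6 are. Step 7 should show only the buyer's account and the built-in Administrator; anything else listed there still needs attention before the DC leaves your control.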
