Remote AD domain design
"Thorny" <Tho***@discussions.microsoft.com> wrote in message news:2B9AF4FA-DAF0-4FB0-BD5E-EB96FCEF09A6@microsoft.com...

Hi Guys,

I have an Australian client upgrading from an NT4 domain to a 2003 domain. We need to join an existing 2003 domain/forest which their parent company in the UK is currently running. We need to be able to log onto our local domain controllers and configure Australian users, GPOs etc. without the ability to affect other parts of the domain or forest. We also need to connect to the existing UK Exchange domain (Australian office will be migrating from Lotus Notes) as there will be only one email domain for the entire forest.

I had thought of a child domain joined to the UK forest, which I have tested in a VMware environment and it appears to allow us to have control over our own domain and to connect to the existing Exchange domain. I have since been told that having a single domain is now best practice. I don't believe that we would be able to log into our own domain controllers unless we were domain admins. While I agree a centrally managed single domain would be preferable, we don't want to rely on tech support from a completely different time zone to us.

Could anyone shed some light on a way of designing the Australian AD domain or point me in the direction of where I could find some more information on similar AD designs?

Any help would be greatly appreciated.


"Paul Bergson [MVP-DS]" wrote:

You are correct, if you are under a single domain your abilities on the DCs would probably be minimal, if not non-existent. If you were to wait and upgrade to Windows 2008 they could create a RODC (Read Only DC) and provide you access to the DC, but I'm guessing it won't solve what you want. It is best practice to have a single domain, but the domain admins could provide you with delegated authority on specific tasks you might need.

What is it specifically you need to do that the centralized site can't provide to you? I have worked in huge organizations before (at least big for me: 55,000 users; I know there are much bigger, but this was a worldwide operation) and we were always able to delegate and/or provide services for everything that was needed.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Thorny" <Tho***@discussions.microsoft.com> wrote in message news:B6E3C2B1-87B4-488F-BDBA-BA72B795E179@microsoft.com...

Hi Paul,

Thanks for the reply. In comparison to your 'big' companies, this would be a tiny company, but I appreciate what you're saying. We generally deal with much smaller domains which we centrally manage, so I am trying to get my head around the concept of a geographically dispersed domain over different countries.

The main reason we want a separate domain is the parent company in the UK does not want to provide 'follow the sun' support to the Australian company, so if there are any issues with the VPN link or the servers in the UK we have to wait until they are back online to do anything. This has meant in the past that the Australian office can be without email for an entire day. We want to minimise the effect this has on our Australian users. While our DCs would still be operational, we would need to rely on the UK to fix any problems. A separate domain would also give us the ability to set up a .com.au email domain which can be sent and received in Australia rather than the global .com address which would be routed through the UK.

From some testing that I have done, if the VPN link or main Exchange server was to go down, Exchange mailboxes become inaccessible (although cached Exchange mode will still allow users to log into mailboxes and create draft emails that will be sent when everything comes back online).

I have been told by a few people that it is best practice to have a single domain instead of a child domain, but can you give me some reasons why the child domain would cause grief over the single domain? I can't seem to find much info regarding this.

Thanks for your help, I look forward to your response.


"Paul Bergson [MVP-DS]" wrote:

You could have the DC(s) with your own Exchange server in Australia, within the single domain. It would hold all of your mailbox stores; I would recommend this anyway unless there are only a few people in this site. A lot of what you're fighting will end up being political and that is where you need to make your argument.

If you have multiple domains within a single AD 2003 forest you should have an implicit trust, but then you have to start managing AD objects in multiple domains. It can become a pain to have to track down where one object is trying to access another and being denied, or a password reset, etc. Things are just so much simpler if you can keep it all within one domain. Once you have multiple domains replication becomes more complex; now your global catalogs have to start keeping track of all the different objects for each domain via a partial replica set. Like in AD where each domain admin wants autonomy, remote domains want full control of their environment and that starts to extend into other areas: DNS, DHCP, WINS, etc. You start to add additional workload which costs labor dollars for duplicity of responsibility.

--
Paul Bergson
MVP - Directory Services
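Paul's alternative to a child domain, delegated authority inside the single domain, worked through as an added example that is not part of the thread: it creates an "Australia" OU and an "AU-Admins" group (both assumed names), then grants that group only user/group management and GPO-linking rights scoped to the OU, so its members are never Domain Admins and cannot touch the rest of the domain. It uses the ActiveDirectory PowerShell module (RSAT, which postdates this 2003-era discussion) and the well-known schema GUIDs for the user and group classes and the gPLink/gPOptions attributes.

```powershell
# Added example, not from the thread: delegate control of an Australian OU to a
# local admin group inside a single domain. Assumed names: OU "Australia",
# group "AU-Admins". Requires the ActiveDirectory module (RSAT), which also
# provides the AD: PSDrive used by Get-Acl/Set-Acl below.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Australia'
$ouDN     = "OU=$ouName,$domainDN"
$group    = 'AU-Admins'

# Create the OU and the delegated-admin group if they do not exist yet. The group
# lives in the default Users container, outside the OU, so its members cannot use
# the rights granted below to edit their own group's membership.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path "CN=Users,$domainDN"
}
$sid = (Get-ADGroup $group).SID

# Well-known schema GUIDs that scope each ACE to one object class or attribute.
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
$groupClass = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group class
$gpLink     = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # gPLink attribute
$gpOptions  = [Guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # gPOptions attribute

$allow       = [Security.AccessControl.AccessControlType]::Allow
$all         = [DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents = [DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl         = Get-Acl -Path "AD:\$ouDN"

foreach ($class in $userClass, $groupClass) {
    # Create and delete users/groups anywhere under the OU, but no other object types.
    $acl.AddAccessRule([DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild', $allow, $class, $all))
    # Full control over existing users/groups (password resets, membership changes),
    # restricted to those classes via the inherited-object-type GUID.
    $acl.AddAccessRule([DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $descendents, $class))
}
foreach ($attr in $gpLink, $gpOptions) {
    # Link and unlink GPOs on this OU and its sub-OUs; GPO creation itself is not granted.
    $acl.AddAccessRule([DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [DirectoryServices.ActiveDirectoryRights]'ReadProperty,WriteProperty', $allow, $attr, $all))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list exactly which ACEs AU-Admins now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once as a Domain Admin from the UK side; afterwards the Australian staff in AU-Admins administer their users and GPO links with ADUC or GPMC over the VPN without any membership in Domain Admins or the ability to log on to the DCs.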