active directory question

  • Thread starter: Auddog

Auddog

I'm getting ready to switch our company over to Windows 2003. We are a
company made up of 3 companies, each with a different name, but under one
umbrella company. I've started to lay out the basic structure, but would
like to have input from some experienced users. The overall domain name
would be XYZ.local (umbrella company), with other companies then being part
of XYZ.local. Their names would be Acme.XYZ.local, Generic.XYZ.local and
General.XYZ.local. Does this layout sound correct so far?

Thanks for any help you might be able to provide.

 
What you're describing is an "empty root" domain, where xyz.local will only
contain a minimum of resources, and creating each sub-division as a separate
domain. This is a pretty useful and flexible design, since it allows you to
add and remove sub-divisions without impacting the existing network
structure too terribly much. If you create each domain as a child of the
xyz.local root, then there will be two-way transitive trust relationships
created automatically between all three domains. Additionally, XYZ.local
will house the Enterprise Admins and Schema Admins group, and each domain
will have its own Domain Admins group.

So far it sounds like you're on the right track!
 
It's a valid approach, but I must ask why you're going down this route
rather than having a single domain. There may be good reasons for it, but
if you are doing it to prevent administrators of one domain being
administrators of the others (or the root), bear in mind that a forest is a
security boundary and not a domain.

Although not easy, it is possible for an administrator of a child domain to
elevate his privileges to administrator of other domains in the forest.
Basically, all administrators in the forest must be trusted.

Regards

Oli
 
We have just started to connect the offices together via frame relay and now
we want to create a datacenter for centralized administration. What I have
is three companies that currently each have their own domains (xyz, general,
generic). We currently are running Windows 2000 at all the locations. Two
of the locations run their own Exchange server (xyz, general). I was
thinking that the scheme I earlier described would be the best. Do you think
there is a better way, or one that is easier to administer?

I have several users that go between all the offices weekly and I want to
make sure that they are always connected to the system and can use all the
system resources.

Thanks for the information already provided - it's a great help

 
One last thing that I just thought of - we would like to have only one
Exchange server in the end.
