Thank you very much Jimmy Harper...
This is certainly helpful...
To elaborate on my company's current scenario...We are a small Company (50
Users) managing a number of Product Lines (4 main Product Groups)!
We are planning the use of Server2000 Platform. Requirements include the
following:
1. Creating a PRIMARY logon Domain (DOM 01) for all users to logon to. This
would have to be the Dedicated Forest Root Domain (DFR Domain). I don't see
any potential complications here.
2. Creating a number of domains (say DOM 02 through DOM 05); One DOMAIN per
product group.
3. Each Domain should be independent from every other (including DOM 01) in
all respects BUT one...they will be required to allow DOM 01 users to access
data & applications (primarily SQL). This will require the Trust
Relationship between DOM 01 and each of the other Domains DOM 02 thro DOM 05
(DOM 02 thro DOM 05 do NOT have to have Trust between them)! Just to give
you an Idea, the MAX number of users accessing EACH Domain Resource
(primarily SQL Database) will be limited to say 25...
4. Each of the Domains DOM 02 thro DOM 05 (i.e. any of the Product Groups),
e.g. DOM 05, should be designed to be SEPARATED (spun-off) FROM the current
design and form an entirely NEW forest in the future (if required)! This
should leave the rest of the structure unchanged or unaffected other than
that the Users will NOT have access to resources from DOM 05 (example).
5. Very important is the minimization of OVERHEAD...I am referring to the
creation of say as few Forests (preferably ONE) for the whole "Topology" to
minimise the OVERHEAD (administration & maintenance) to the bare MINIMUM!
6. The NEW Design should be capable of taking us through to the year 2008
(at least)...
The questions to be answered are:
1. Does a ONE single FOREST Design allow all the criteria listed above?
2. If NOT which Criteria will be negatively affected (not fulfilled) by
choosing the Single Forest Scenario?
3. Can one actually Separate say DOM 05 and establish a new Forest with DOM
05 as the Dedicated Forest Root Domain (DFR Domain)? Is this possible at
all? In other words what are the consequences in the event that DOM 05 is
split from the rest of the structure?
4. With regard to the DFR Domain...the Big Q is; Should one go for a Child
Domain under the DFR Domain which should host all Users or can one simply
use the DFR Domain for this purpose? MS suggest not using the DFR Domain
for such purposes...but we are a small company...
5. If one decided to Create Child Domains (DOM 02 thro DOM 05) under the DFR
then the OVERHEAD would certainly be minimised ...NO argument there...BUT
the BIG Qs are:
(a) Could the automatically created Trusts between DOM 02 thro DOM 05 be
REMOVED (undone)?
(b) Could the Child Domain be separated in the future (Basically Q 3)?
6. In the event that answer to 5(a) is NO...I assume that DENYING Users from
DOM 02 thro DOM 05 access to each other's Domain Resources is the ONLY way
of keeping them away from these Resources. Correct? Any other options?
7. Why do I get the feeling that I might have to COMPROMISE (a loooooooot)?
I have lots of Qs but these are in my opinion the most important ones...I
want to fulfil all the Criteria BUT at the same time I need to MINIMISE the
OVERHEAD to a MINIMUM. How can that be achieved? Please bear in mind that as a
small company (50 Users) we are looking to keep things as simple as possible.
Certainly Multiple Forests is NOT the way to go...The OVERHEAD will be a
KILLER! A nightmare I would suggest!
What other options are there? A better design? A different Structure?
I am open to any/all suggestions...
Thanks for all your feedback...let's discuss this issue and get things
rolling...
Thanks for all the help you can give me here...
Ted
Jimmy Harper said:
Hi Ted. The following article describes how to set up a one-way trust
between Windows 2000 domains (a two-way trust is just two one-way trusts,
so this article still applies for that):
http://support.microsoft.com/default.aspx?scid=KB;EN-US;309682
For this to work, the domain controllers for each domain will need to be
able to find each other through DNS. You can do this by setting up
secondary zones. For example, the DNS server(s) in Domain A will have a
secondary zone for domain B and vice versa.
--
Jimmy Harper [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights
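As an added example (not text from the KB article and not commands the posters supplied), this is how the DNS secondary zones and the one-way trust Jimmy describes could be scripted with the Windows 2000 Support Tools (dnscmd and netdom) for DOM 01 and DOM 02; the domain names and IP addresses are constructed placeholders.

```batch
@echo off
rem Added example, not from the KB article or the posters: wire up DNS and a
rem one-way trust with the Windows 2000 Support Tools (dnscmd, netdom).
rem Assumptions (constructed values): DOM 01 is dom01.example.com with DNS
rem server 10.0.1.10; DOM 02 is dom02.example.com with DNS server 10.0.2.10.
rem Direction: DOM 02 (resource domain) trusts DOM 01 (account domain), so
rem DOM 01 users can reach DOM 02's SQL server; nothing flows the other way.

rem --- On a DNS server in DOM 01: secondary zone for dom02.example.com,
rem     pulled from DOM 02's DNS server (so DOM 01 DCs can locate DOM 02 DCs).
dnscmd 10.0.1.10 /ZoneAdd dom02.example.com /Secondary 10.0.2.10

rem --- On a DNS server in DOM 02: secondary zone for dom01.example.com
rem     (DOM 02 DCs must find DOM 01 DCs to validate the trust and logons).
dnscmd 10.0.2.10 /ZoneAdd dom01.example.com /Secondary 10.0.1.10

rem --- Confirm the zones exist and have transferred before touching trusts.
dnscmd 10.0.1.10 /ZoneInfo dom02.example.com
dnscmd 10.0.2.10 /ZoneInfo dom01.example.com

rem --- Create the one-way trust: trusting domain first, trusted domain via /d:.
rem     /UserO and /UserD are admins in the trusting and trusted domains;
rem     "*" prompts for the passwords instead of embedding them in the script.
netdom trust dom02.example.com /d:dom01.example.com /add ^
    /UserO:dom02\Administrator /PasswordO:* ^
    /UserD:dom01\Administrator /PasswordD:*

rem --- Verify the trust; repeat the same steps with dom03..dom05 as the
rem     trusting domain. No trust is created between DOM 02..05 themselves.
netdom trust dom02.example.com /d:dom01.example.com /verify
```

Because the trust is one-way, DOM 01 grants nothing to DOM 02 accounts; access to the SQL server is then controlled entirely by the ACLs and SQL logins in DOM 02.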
Ted said:
This is not required at the moment but useful in any case...Thanks...
These ones are useful too:
306733 HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT
http://support.microsoft.com/?id=306733
308195 HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000
http://support.microsoft.com/?id=308195
Hope this helps!
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
Currently I'm looking into the options of having Users from ONE Win2K domain
access up to 4 Independent Win2K domains. The setup requires trust
relationships.
I cannot find MUCH on the Internet on the subject of TRUSTS
between