Calvin,
please see comments in-line....
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
PinkCrib said:
> Cary,
> Thanks for the reply. What I am trying to accomplish here is merely to make
> sure that users at the remote office(s) can access the shared folders/files
> in the main office.
Okay, that is clear enough, and more than simple enough.
> I thought creating a sub-domain was the best practice when you have multiple
> sites, and yes, we expect to add one or two more satellite offices down the
> road, and we might need to access all the network shares across those
> offices.
This should be no problem at all. Simply create a Site for each new
location in the Active Directory Sites and Services MMC. Create a Subnet
for each location ( for example, Roanoke would be 192.168.1.0, Richmond
would be 192.168.10.0, Blacksburg would be 192.168.20.0 and Raleigh would be
192.168.30.0 ) and associate that Subnet with the correct Site. Then it is
as simple as setting up a Domain Controller in each Site ( make sure that
the DC has the appropriate IP Address! ). Since this would all be
'yourdomain.com' there would be no problem accessing shared folders at all!
Well, assuming that the share and NTFS permissions are correct -AND- that
you are not talking about huge files ( like PowerPoint or Excel ). If you
are, then there will be delays, possibly even timeouts, depending on the
bandwidth of the links.
Creating Sites essentially does two things: controls Active Directory
replication and assists in logging in. You see, the way that it is supposed
to work in multi-site environments is that the 'local' clients ( let's use
Richmond for this example ) are supposed to authenticate against the 'local'
Domain Controller ( so, against RIC-DC01, for example ). Only if that
'local' DC were not available would the local clients authenticate against a
Domain Controller in another Site ( 'not available', by default, means that
RIC-DC01 does not respond within 100 milliseconds ).
I am not sure that I have read anything stating that setting up a sub-domain
for each location is a Best Practice. Do you have a link to this, or - as I
think - are you just going from what you think that you remember? Not a
problem if that is the case. There is a lot to know and it all kinda gets
convoluted at times.
Do some research on 'Branch Offices'. There are some really good articles
out there about how to best set this up. Microsoft even has a White Paper
on this.
> Currently we do have a Firewall-to-Firewall VPN between the two Sites and,
> like you said, they are two separate win2k forests (which we didn't do
> right at the beginning, I think).
Well, it is a very good thing that there is a Site-to-Site VPN between the
two locations. While I cannot say for sure that you have not set things up
correctly in the beginning, based on what you are telling us that you
want / need I would say that you did indeed have some configuration errors.
That is okay. We can fix this.
> So, how exactly do we need to accomplish our goal? Set up the trust
> between the two domains?
Well, setting up a trust between these two Forests might be a short cut, but
not what I think that you really want to do ( especially if the possibility
exists that you will have more 'branch offices' ).
Here is the big picture: I would dcpromo the existing Domain Controller (
company.local ) and then format that partition and install WIN2000 all over
again. Once you have set up the Site in Active Directory Sites and Services
in the main office and associated the Subnet with that Site I would make
sure that the WIN2000 Server has the correct IP Address. I would then run
dcpromo, simply adding an additional Domain Controller to an existing
Domain. I would make sure that this DC is also a Global Catalog Server. I
would make sure that this DC also runs DDNS and DHCP. I would then make sure
that all of the user files and folders are restored ( from backup or, if
located on a different partition, maybe you do not need to worry about this )
and available ( understanding that the permissions are not going to work! ).
I would then fix this problem.
Now, the biggest problem is that this office ( company.local ) has its own
set of user account objects. I would look into ldifde to bring all of those
user account objects to an .ldf file and then put that .ldf file on a floppy
( as well as somewhere else ). Then, once you have the Site set up and have
run dcpromo ( to join an additional Domain Controller to an existing Domain
as mentioned above ) I would import those user account objects back. You
will have to change the dc=company, dc=local for each user to dc=company,
dc=com, which should be really really easy in Notepad. Also, make sure that
you have the correct location, meaning: if you have an OU called Employees
and then have sub-OUs called Marketing and Sales, then the user account
objects are going to have DNs that look something like this:
DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=local
DN: CN=Calvin Pink, OU=Marketing, OU=Employees, DC=company, DC=local
Naturally, you will change this DC=local to DC=com. So, the DNs would look
like this:
DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=com
DN: CN=Calvin Pink, OU=Marketing, OU=Employees, DC=company, DC=com
When you import the .ldf file you need to make sure that the OU 'Employees'
does indeed exist and that the sub-OUs 'Sales' and 'Marketing' exist. If
this is how things are in the company.com domain then everything is okay.
If this is not how things are then you either need to change the DN: to
reflect how it is ( maybe it is simply CN=Cary Shultz, CN=Users, DC=company,
DC=com ) or you need to create those OUs. Then import the .ldf file to
create the user account objects.
Is this clear?
Then give it time to replicate. Also, you will need to make sure that you
have added the 'new' Site to the DEFAULTIPSITELINK, which is located in the
Active Directory Sites and Services MMC. The Site Link is pretty much the
only thing that you need to do as far as this stuff is concerned. The KCC
with its buddy the ISTG will take care of the rest for you, by default.
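The DN rewrite and "does the OU exist?" check that Cary describes above, done as a script rather than by hand in Notepad. This is an added example written for this thread, not code from Cary's post or from Microsoft; the LDIF text is constructed sample data, and the OU names and the list of containers assumed to exist in company.com are assumptions for the demonstration. Rewriting by hand fails quietly on a DN whose parent OU is missing in the new domain (ldifde then rejects that object at import), so the script lists those DNs before anything is imported. One caveat the thread does not mention: an ldifde export also carries system attributes such as objectGUID and objectSid that cannot be imported, so they should be omitted with ldifde's -o switch at export time.

```python
"""Rewrite the domain suffix of every DN in an ldifde export and report the
objects whose parent container does not exist in the target domain.

Added example for this thread (not Cary's or Microsoft's code). SAMPLE_LDF
and TARGET_CONTAINERS are constructed/assumed data.
"""
import re

OLD_SUFFIX = "DC=company,DC=local"
NEW_SUFFIX = "DC=company,DC=com"

# Constructed ldifde-style export from the old company.local forest.
# (Base64-encoded "dn::" lines are not handled by this example.)
SAMPLE_LDF = """\
dn: CN=Cary Shultz,OU=Sales,OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
sAMAccountName: cshultz
manager: CN=Calvin Pink,OU=Marketing,OU=Employees,DC=company,DC=local

dn: CN=Calvin Pink,OU=Marketing,OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
sAMAccountName: cpink

dn: CN=Temp User,OU=Contractors,DC=company,DC=local
changetype: add
objectClass: user
sAMAccountName: temp
"""

# Containers assumed to exist in the target company.com domain.
TARGET_CONTAINERS = {
    "CN=Users,DC=company,DC=com",
    "OU=Employees,DC=company,DC=com",
    "OU=Sales,OU=Employees,DC=company,DC=com",
    "OU=Marketing,OU=Employees,DC=company,DC=com",
}

# A comma that is not escaped with a backslash separates RDNs.
_RDN_SEP = re.compile(r"(?<!\\),\s*")


def normalize_dn(dn):
    """Drop whitespace after RDN separators so DNs compare reliably."""
    return _RDN_SEP.sub(",", dn.strip())


def rewrite_dn(dn, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Replace the domain suffix of one DN (case-insensitive match)."""
    dn = normalize_dn(dn)
    if dn.lower().endswith(old.lower()):
        return dn[: -len(old)] + new
    return dn


def parent_dn(dn):
    """Return the container part of a DN (everything after the first RDN)."""
    parts = _RDN_SEP.split(normalize_dn(dn), maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def rewrite_ldif(text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Rewrite every DN-valued line (dn:, manager:, member:, ...) in an LDIF text."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m and m.group(2).rstrip().lower().endswith(old.lower()):
            out.append(f"{m.group(1)}: {rewrite_dn(m.group(2), old, new)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def missing_containers(text, containers):
    """List the dn: values whose parent container is absent from `containers`."""
    known = {normalize_dn(c).lower() for c in containers}
    missing = []
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            if parent_dn(dn).lower() not in known:
                missing.append(dn)
    return missing


if __name__ == "__main__":
    rewritten = rewrite_ldif(SAMPLE_LDF)
    print(rewritten)
    for dn in missing_containers(rewritten, TARGET_CONTAINERS):
        print("create the parent OU first or move this object:", dn)
```

Run it once against the real export: anything it lists under "create the parent OU first" needs the OU created in company.com (or the DN changed to CN=Users,DC=company,DC=com, as Cary notes) before the .ldf file is fed to ldifde -i.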