User authentication and access to "sister" domain resources

From: Gera (Gera_at_discussions.microsoft.com)
Date: 01/03/05

    Date: Mon, 3 Jan 2005 11:55:06 -0800
    
    

    [this is a long question, and difficult too]
     
    I am in the process of designing a brand new AD structure for our customer.
    The geographic placement is: 3 locations, let's say site A, site B and site C,
    connected with 2 Mbit links.
     
    I propose a design with a root domain and three child domains, all on Windows
    2003 Servers - a pretty classic design (let's say the sites coincide with the domains).
    Every location (site) has 2 DCs for its child domain, and there is one rootDC1 in
    siteA and another rootDC2 in siteB.
    All DCs are Global Catalogs.
     
    The customer has some traveling users (notebooks, probably using DHCP), who
    should be able to log in at any site and have access to the local
    (domain B) printers and files.
     
    The situation in question is:
    - group membership follows the AGLP rule
    - user_from_domainA arrives in siteB
    - user_from_domainA gets an IP address from the siteB DHCP server
    - user_from_domainA tries to log on to his remote DC in siteA while
    sitting in siteB
    - the link to all DCs of domain A is suddenly broken; user_from_domainA's PC can
    log in using cached credentials
    - the links to the nearest rootDC and to the domainB DCs are OK
    - user_from_domainA still needs to print to domainB printers (or access domainB file shares)
    - user_from_domainA doesn't have any accounts in domainB
     
    What will happen in this situation? I can't test this setup right now, so I
    am hoping for help from colleagues...
    Which DC is used at which moment? Is it enough to have a domainB DC online and
    valid cached credentials to traverse the AGLP path?
     
    And the customer doesn't want to place an additional DC in every site (doesn't want
    to place a domainA DC in siteB).
    Is the only solution to use one common domain spanning all 3 locations,
    or
    to use some siteB_guest account for access to domain B resources in this
    situation?
    Is it truly impossible to access "sister" domain resources while the client's
    own DCs are inaccessible?
     
     
    Another smaller question about SUS in this setup: is it possible to approve
    patches between servers located in different domains?
    I mean, have the main SUS server on rootDC1 (root domain), a subordinate SUS
    server on siteA_DC1 (child domain), and approve patches in this cross-domain
    way?
     
     
    Thanks for any suggestions,
     
    G.Simonson
    IS engineer, MCSE
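A check a practitioner would want when reproducing the scenario above: the PowerShell script below is an added diagnostic, not part of the original post or of the newsgroup thread. Run on the roaming notebook as the user from domain A, it reports which DC the session used, whether the last interactive logon was satisfied from cached credentials (Security event 4624, logon type 11 = CachedInteractive, type 2 = Interactive), whether the DC locator can still find DCs for domain A and domain B, and whether a Kerberos service ticket for a domain B file server can be obtained at that moment. The domain names, the file server SPN, and the administrative rights needed to read the Security log are assumptions.

```powershell
# Added diagnostic for the "traveling user in a sister domain" scenario.
# Not from the original post. Domain names and SPN below are placeholders.
param(
    [string]$HomeDomain     = 'domainA.corp.example',          # assumed
    [string]$ResourceDomain = 'domainB.corp.example',          # assumed
    [string]$ResourceSpn    = 'cifs/fs01.domainB.corp.example' # assumed domain B file server
)

# 1. Which DC did this session use? On a cached logon this may be empty or
#    point at the local machine rather than a DC.
"LOGONSERVER : $env:LOGONSERVER"
"USERDNSDOMAIN: $env:USERDNSDOMAIN"

# 2. Was the most recent interactive logon for this user a cached one?
#    Event 4624 property 5 = TargetUserName, property 8 = LogonType.
#    Reading the Security log needs local administrator rights.
$user = $env:USERNAME
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $user -and
                   $_.Properties[8].Value -in 2, 11 } |
    Select-Object -First 1
if ($evt) {
    $type = [int]$evt.Properties[8].Value
    $kind = if ($type -eq 11) { 'CachedInteractive' } else { 'Interactive' }
    "Last interactive logon for $user at $($evt.TimeCreated): type $type ($kind)"
} else {
    "No recent interactive 4624 event found for $user (insufficient rights or log rolled over?)"
}

# 3. Can the DC locator still find a DC for each domain right now?
#    /force bypasses the locator cache so a stale entry does not mask a dead link.
foreach ($d in $HomeDomain, $ResourceDomain) {
    $out = & nltest /dsgetdc:$d /force 2>&1
    if ($LASTEXITCODE -eq 0) {
        "DC locator result for ${d}:"
        $out | Select-String -Pattern 'DC:|Address:|Dom Name:'
    } else {
        "No DC reachable for $d (nltest exit code $LASTEXITCODE)"
    }
}

# 4. State of the workstation's secure channel to its own domain.
& nltest /sc_query:$HomeDomain 2>&1

# 5. Kerberos view: which tickets exist, and can a ticket for the domain B
#    file server be obtained from here? A cached logon starts with no TGT,
#    so the 'klist get' result shows whether the KDC path is usable now.
"Current Kerberos tickets:"
& klist 2>&1 | Select-String -Pattern '^\s*Server:'
"Requesting service ticket for ${ResourceSpn}:"
& klist get $ResourceSpn 2>&1
```

Run it once while the siteA link is up and once after it is cut, and compare the five sections; the difference between the two runs is the observable answer to "which DC is used at which moment" for this particular client.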

