Re: User authentication and access to "sister" domain resources

From: Ryan Hanisco (rhanisco_at_flagshipis.com)
Date: 01/03/05


Date: Mon, 3 Jan 2005 15:53:04 -0600

Gera,

Why is it that you want different domains at every site? It seems to make a
lot more sense to keep everything in one domain and define sites, delegating
administration. You really haven't given any real reason to segregate
domains -- political need, reflecting an NT4 structure from legacy (not too
valid a reason), need for boundaries in your Domain Security Policy.

What you are listing is exactly what I would do in an NT4 scenario, but this
doesn't seem like the way to go with AD. Make sure your site links are set
up correctly and your DNS is AD Integrated and you should be able to do
everything you need with OUs and Groups.

As to SUS... I have never tried doing updates from outside the domain, but
I don't see why it wouldn't work as long as the host can resolve the server
name and the SUS policy is set in the local domain.

-- 
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
"Gera" <Gera@discussions.microsoft.com> wrote in message
news:4E3742D4-47E7-4BD6-837E-D0159C5EAEBC@microsoft.com...
> [this is a long question, and difficult too]
>
> I am in the process of designing a brand new AD structure for our customer.
> The geographic placement is: 3 locations, let's say site A, site B and
> site C, connected with 2 mbit links.
>
> I propose a design with root domain and three child domains all with
> Windows 2003 Servers - pretty classic design (let's say, sites coincide
> with domains).
> Every location (site) with 2 DCs for every child domain and one rootDC1 in
> siteA and another rootDC2 in siteB.
> All DCs are Global Catalogs.
>
> The customer has some traveling users (notebooks with DHCP in use
> probably), which should have the possibility to log in at any site and
> have access to local (domain B) printers and files.
>
> The situation in question is:
> - group membership is by AGLP rule
> - user_from_domainA arrives in siteB
> - user_from_domainA gets IP address from siteB DHCP server
> - user_from_domainA is trying to log on to his remote DC in siteA while
>   sitting in siteB
> - link to all DCs from domain A is suddenly broken, user_from_domainA PC
>   can log in using cached credentials
> - links to nearest rootDC and domainB DCs are ok
> - user_from_domainA still needs to print (or share files) to domainB
>   printers
> - user_from_domainA doesn't have any accounts in domainB
>
> What will happen in this situation? I can't test this setup right now, so
> I am hoping for help from colleagues...
> Which DC is used at which moment? Is it enough to have a domainB DC online
> and valid cached credentials to traverse the AGLP path?
>
> And the customer doesn't want to place an additional DC in every site
> (doesn't want to place a domainA DC in site B).
> Is the only solution to use one common domain spanning all 3 locations,
> or to use some siteB_guest account for access to domain B resources in
> this situation?
> Is it truly impossible to access "sister" domain resources while the
> client's own DCs are inaccessible?
>
>
> Another smaller question about SUS in this setup: is it possible to
> approve patches between servers located in different domains?
> I mean, have the main SUS server on rootDC1 (root domain), a subordinate
> SUS server on siteA_DC1 (child domain) and approve patches in this
> cross-domain way?
>
>
> Thanks for any suggestions,
>
> G.Simonson
> IS engineer, MCSE
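Ryan's alternative above (one domain, one AD site per location with subnets and site links, delegated OUs instead of child domains, AD-integrated DNS) as an added PowerShell sketch; this is not code from the thread, and the domain name corp.example, NetBIOS name CORP, site names SiteA/SiteB/SiteC, the /16 subnets and the per-site admin groups are all assumed.

```powershell
# Added example, not from the thread: Ryan's single-domain design for
# Gera's three locations. Assumed: domain corp.example (NetBIOS CORP),
# sites SiteA/SiteB/SiteC on 10.1/10.2/10.3.0.0/16, one admin group per site.
Import-Module ActiveDirectory
Import-Module DnsServer

$DomainDN = "DC=corp,DC=example"
$Sites = @{
    SiteA = "10.1.0.0/16"
    SiteB = "10.2.0.0/16"
    SiteC = "10.3.0.0/16"
}

# 1. Sites and subnets: a roaming laptop that gets a SiteB DHCP lease is
#    mapped to SiteB and finds a SiteB DC via DNS SRV records, instead of
#    authenticating across the 2 Mbit WAN (Gera's scenario).
foreach ($site in $Sites.Keys) {
    New-ADReplicationSite -Name $site
    New-ADReplicationSubnet -Name $Sites[$site] -Site $site
}

# 2. Site links over the WAN: equal cost, replicate every 15 minutes.
New-ADReplicationSiteLink -Name "SiteA-SiteB" -SitesIncluded SiteA,SiteB `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "SiteB-SiteC" -SitesIncluded SiteB,SiteC `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 3. One OU per location with a delegated admin group in place of a child
#    domain: dsacls grants that group full control over user objects
#    (GA;;user, inherited) in its own OU only, not domain-wide.
foreach ($site in $Sites.Keys) {
    New-ADOrganizationalUnit -Name $site -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    New-ADGroup -Name "$site-Admins" -GroupScope Global -Path "OU=$site,$DomainDN"
    dsacls "OU=$site,$DomainDN" /I:S /G "CORP\$site-Admins:GA;;user"
}

# 4. Ryan's DNS point: any primary zone still file-backed is converted to an
#    AD-integrated zone so every DC serves the SRV records the site logic needs.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    ForEach-Object {
        ConvertTo-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -Force
    }
```

Run on a DC as a domain admin; after step 1, `nltest /dsgetdc:corp.example /site:SiteB` on a client in SiteB should return a local DC.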
