Re: What is the best way to administering two separate forests?
From: Sam (sam_at_iQinternet.com)
Date: 05/16/04
- Next message: Reg: "Re: Test questions? (off topic)"
- Previous message: Steven L Umbach: "Re: Any Way To Route Outbound Packets on Same Interface as Incoming?"
- In reply to: Steven L Umbach: "Re: What is the best way to administering two separate forests?"
- Next in thread: Steven L Umbach: "Re: What is the best way to administering two separate forests?"
- Reply: Steven L Umbach: "Re: What is the best way to administering two separate forests?"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 16 May 2004 15:34:11 -0400
Hi Steve,
First, thanks for your responses. I appreciate you taking the time to answer
my questions.
Now that you mentioned a trust relationship, it actually makes sense to do
that. We are very intimate with our client. We also do a lot of application
development and SQL Server management for them.
So it's very important for us to be comfortable while we work. For example,
our SQL Server guy should be able to access our client's SQL Server using
his workstation. He should be able to just use SQL Server Enterprise Manager
to pull up client's SQL Server and be able to create tables, etc.
Same thing applies to everyone in my company. We also manage our client's
Exchange server. We even do data entry for them. Like I said, the goal is to
keep our network separate AND protected but in the meantime, certain
individuals in my company/network should be able to tap into the client's
network and network resources i.e. Exchange, SQL Server, applications, etc.
for them to be able to do their work.
Do you think a one-way trust relationship is the way to go? What about
routing? Again, physically, we are in the same building, same wiring, same
switches. We will just have a separate logical network with a separate
forest. How would we tap into our client's network in a one way trust
relationship scenario? For instance, how would the SQL guy see our client's
SQL Server in his Enterprise manager if he's on a separate
domain/forest/subnet considering that our client's domain/forest trusts our
domain/forest.
Thanks for your help Steve.
Sam
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:zTOpc.60795$iF6.5423485@attbi_s02...
> Hi Sam.
>
> I think it makes sense to have a workstation on their domain/network. You bring up
> the point about separate forests/subnets which tells me you probably don't want to go
> into creating trusts between the forests, etc. The workstation does not need to be
> fancy and you could share another monitor/keyboard/mouse from another computer via a
> KVM switch if you want to save some space and money. If you go that route, I would
> consider allowing only those who should administer the other domain to log on to it
> using security policy user rights assignment - log on locally. --- Steve
>
> "Sam" <sam@iQinternet.com> wrote in message
> news:uMtUhbuOEHA.2704@TK2MSFTNGP10.phx.gbl...
> > We're also going to be maintaining our client's Exchange, SQL and some other
> > apps.
> >
> > So we need to get into their network and do things comfortably. What do you
> > think is the best way for us to almost live in their network? I guess we could
> > keep a workstation in their network that we can physically use.
> >
> > Just trying to figure out the most effective and comfortable way to handle
> > this.
> >
> > Thanks,
> >
> > Sam
> >
> >
> > "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> > news:v0xpc.8554$qA.931575@attbi_s51...
> > > Since the equipment will be in your office it would make sense to have a domain
> > > computer for their domain available to you connected to their subnet. Just make
> > > sure that it is hardened and physically secured to some degree as you will be
> > > logging onto it with domain admin credentials. You could configure that computer
> > > to access one of their domain controllers using Terminal Services remote
> > > administration or installing Adminpak on that computer to administer the domain.
> > > Another option would be to use one of your computers to use TS remote
> > > administration to access their domain through the ISA servers, though that would
> > > require configuration on their end to allow port 3389 access to the proper
> > > computer on their LAN. It would also open a hole in their firewall unless they
> > > have a VPN connection you can go through. I would not recommend opening port
> > > 3389 on their end unless you configure their firewall to only accept port 3389
> > > connections from your public IP address in order to reduce hacking attempts.
> > >
> > >
> > > Should be no problem using their router and internet access. The ISA servers
> > > will not allow uninitiated inbound access to each other's public IP address
> > > unless they are configured to allow it. --- Steve
> > >
> > > "Sam" <sam@iQinternet.com> wrote in message
> > > news:On25kWoOEHA.680@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > We're in a situation where we will be in charge of at least one other
> > > > network within the same building. We want to keep our Windows 2003
> > > > domain/forest completely separate and independent with its own subnet
> > > > 10.1.x.x and ISA Server but we have to do 2 things:
> > > >
> > > > 1. Maintain our client's network so we need to be able to get into their
> > > > network w/ admin rights whenever we need to. As a matter of fact, their
> > > > equipment will physically be in our office. They have their own Windows 2000
> > > > forest, subnet -- 10.10.x.x -- and ISA Server, etc.
> > > >
> > > > 2. Use their router and T1s for our Internet connection as well. So the
> > > > outside IPs of our ISA Server and their ISA Server will be in the same
> > > > subnet.
> > > >
> > > > What is the best and most cost effective way to set this up?
> > > >
> > > > Thanks
> > > >
> > > > Sam
> > > >
> > > >
> > >
> > >
> >
> >
>
>