Re: What is the best way to administering two separate forests?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/16/04


Date: Sun, 16 May 2004 20:30:54 GMT

Hi Sam.

If you are going to have a number of users requiring access to the other forest, then
yes, a one way trust would make sense where you are the trusted domain and they are
the trusting domain. I hesitate to recommend the best way to interconnect your
networks without having more experience on that end with larger networks. You may
want to post in the win2000.ras_routing newsgroup and win2000.active_directory for
more opinions on that. Usually a router [possibly a Windows box with two nics] would
be the solution interconnecting the internal lans but since you say you are using
switches/logical networks there may be an easier way or even through the ISA servers
since you are on the same external subnet. Gateways will have to be configured on
clients/routers possibly so that traffic to the other domain gets sent there and back
and not out to the internet router.

Setting up the trust will require that the domains have dns name resolution between
them with either the use of "stub" zones or your dns servers in each domain also
being secondary dns servers for the opposite domain. If you are using wins for
network browsing, then configure the wins servers to be replication partners with the
wins servers in the other domain and make sure the domain controllers are also wins
clients. After the trust is set up you can add the appropriate users from your domain
to the appropriate groups in the other domain. The link below may be helpful on
setting up trusts and you may also try an lmhosts file for domain authentication if
you have trouble establishing the trust. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/domadmin_n_UnderstandTrusts.asp
http://tinyurl.com/2nbaf --- same link as above in case of wrap
http://support.microsoft.com/default.aspx?scid=kb;en-us;180094 -- lmhosts
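To check the lmhosts fallback mentioned above, here is an added Python example (it is not from this thread or from Microsoft): it parses an LMHOSTS file and verifies that the entries NetBIOS domain authentication across the trust relies on are present and sane. The domain name CLIENTDOM, the host names and the file content are constructed for the example; the 10.10.x.x range is the client's subnet from the thread.

```python
"""Parse an LMHOSTS file and check the entries a cross-forest trust relies on
when NetBIOS domain authentication falls back to LMHOSTS.  Added example;
names, addresses and the file content are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed LMHOSTS content. Real files use the same line shape:
#   <ip> <netbios-name> [#PRE] [#DOM:<domain>]   (any other '#' starts a comment)
SAMPLE_LMHOSTS = """\
# LMHOSTS on one of our workstations, naming the client's domain controllers
10.10.0.10   CLIENTDC1   #PRE  #DOM:CLIENTDOM   # primary DC
10.10.0.11   CLIENTDC2   #PRE  #DOM:CLIENTDOM
10.10.0.50   CLIENTSQL1  #PRE
192.0.2.7    OLDDC       #DOM:CLIENTDOM
10.10.0.12   AVERYLONGNETBIOSNAME #PRE #DOM:CLIENTDOM
"""


@dataclass
class Entry:
    line_no: int
    ip: str
    name: str
    preload: bool            # #PRE: loaded into the name cache at start-up
    domain: Optional[str]    # #DOM:<domain>: marks a domain controller


def parse_lmhosts(text: str) -> List[Entry]:
    """Return one Entry per mapping line; blank lines, comments and
    directive-only lines such as #INCLUDE are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        ip, name = tokens[0], tokens[1]
        preload, domain = False, None
        for tok in tokens[2:]:
            if tok.upper() == "#PRE":
                preload = True
            elif tok.upper().startswith("#DOM:"):
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break  # any other '#' begins a trailing comment
        entries.append(Entry(n, ip, name.upper(), preload, domain))
    return entries


def check_trust_entries(entries: List[Entry], domain: str, dc_subnet: str) -> List[str]:
    """Findings about the entries for `domain`'s DCs; an empty list means the
    file can support domain authentication against that domain."""
    net = ipaddress.ip_network(dc_subnet)
    findings = []
    dc_count = 0
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.ip)
        except ValueError:
            findings.append(f"line {e.line_no}: '{e.ip}' is not a valid IP address")
            continue
        if len(e.name) > 15:
            findings.append(f"line {e.line_no}: NetBIOS name '{e.name}' exceeds 15 characters")
        if e.domain != domain.upper():
            continue
        dc_count += 1
        if not e.preload:
            findings.append(f"line {e.line_no}: {e.name} is a DC for {domain} but lacks #PRE")
        if addr not in net:
            findings.append(f"line {e.line_no}: {e.name} ({e.ip}) is outside {dc_subnet}, "
                            "the subnet the other domain's DCs should live in")
    if dc_count == 0:
        findings.append(f"no #DOM:{domain} entry, so domain authentication cannot fall back to LMHOSTS")
    return findings


if __name__ == "__main__":
    for msg in check_trust_entries(parse_lmhosts(SAMPLE_LMHOSTS), "CLIENTDOM", "10.10.0.0/16"):
        print(msg)
```

Run against the sample it reports three problems: the DC entry without #PRE, the DC address outside the client subnet, and the over-long NetBIOS name. Entries for member servers (no #DOM:) are parsed but not judged, since only the domain controller entries matter for the trust.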

"Sam" <sam@iQinternet.com> wrote in message
news:uM2g8y3OEHA.3124@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> First, thanks for your responses. I appreciate you taking the time to answer
> my questions.
>
> Now that you mentioned a trust relationship, it actually makes sense to do
> that. We are very intimate with our client. We also do a lot of application
> development and SQL Server management for them.
>
> So it's very important for us to be comfortable while we work. For example,
> our SQL Server guy should be able to access our client's SQL Server using
> his workstation. He should be able to just use SQL Server Enterprise Manager
> to pull up client's SQL Server and be able to create tables, etc.
>
> Same thing applies to everyone in my company. We also manage our client's
> Exchange server. We even do data entry for them. Like I said, the goal is to
> keep our network separate AND protected but in the mean time, certain
> individuals in my company/network should be able tap into the client's
> network and network resources i.e. Exchange, SQL Server, applications, etc.
> for them to be able to do their work.
>
> Do you think a one-way trust relationship is the way to go? What about
> routing? Again, physically, we are in the same building, same wiring, same
> switches. We will just have a separate logical network with a separate
> forest. How would we tap into our client's network in a one way trust
> relationship scenario? For instance, how would the SQL guy see our client's
> SQL Server in his Enterprise manager if he's on a separate
> domain/forest/subnet considering that our client's domain/forest trusts our
> domain/forest.
>
> Thanks for your help Steve.
>
> Sam
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:zTOpc.60795$iF6.5423485@attbi_s02...
> > Hi Sam.
> >
> > I think it makes sense to have a workstation on their domain/network. You
> > bring up the point about separate forests/subnets which tells me you
> > probably don't want to go into creating trusts between the forests, etc.
> > The workstation does not need to be fancy and you could share another
> > monitor/keyboard/mouse from another computer via a KVM switch if you want
> > to save some space and money. If you go that route, I would consider
> > allowing only those who should administer the other domain to logon to it
> > using security policy user rights assignment - log on locally. --- Steve
> >
> > "Sam" <sam@iQinternet.com> wrote in message
> > news:uMtUhbuOEHA.2704@TK2MSFTNGP10.phx.gbl...
> > > We're also going to be maintaining our client's Exchange, SQL and some
> > > other apps.
> > >
> > > So we need to get into their network and do things comfortably. What do
> > > you think is the best way for us to almost live in their network? I
> > > guess we could keep a workstation in their network that we can
> > > physically use.
> > >
> > > Just trying to figure out the most effective and comfortable way to
> > > handle this.
> > >
> > > Thanks,
> > >
> > > Sam
> > >
> > >
> > > "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> > > news:v0xpc.8554$qA.931575@attbi_s51...
> > > > Since the equipment will be in your office it would make sense to have
> > > > a domain computer for their domain available to you connected to their
> > > > subnet. Just make sure that it is hardened and physically secured to
> > > > some degree as you will be logging onto it with domain admin
> > > > credentials. You could configure that computer to access one of their
> > > > domain controllers using Terminal Services remote administration or
> > > > installing Adminpak on that computer to administer the domain.
> > > > Another option would be to use one of your computers to use TS remote
> > > > administration to access their domain through the ISA servers, though
> > > > that would require configuration on their end to allow port 3389
> > > > access to the proper computer on their lan. It would also open a hole
> > > > in their firewall unless they have a vpn connection you can go
> > > > through. I would not recommend opening port 3389 on their end unless
> > > > you configure their firewall to only accept port 3389 connections from
> > > > your public IP address in order to reduce hacking attempts.
> > > >
> > > >
> > > > Should be no problem using their router and internet access. The ISA
> > > > servers will not allow uninitiated inbound access to each other's
> > > > public IP address unless they are configured to allow it. --- Steve
> > > >
> > > > "Sam" <sam@iQinternet.com> wrote in message
> > > > news:On25kWoOEHA.680@TK2MSFTNGP11.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > We're in a situation where we will be in charge of at least one
> > > > > other network within the same building. We want to keep our Windows
> > > > > 2003 domain/forest completely separate and independent with its own
> > > > > subnet 10.1.x.x and ISA Server but we have to do 2 things:
> > > > >
> > > > > 1. Maintain our client's network so we need to be able to get into
> > > > > their network w/ admin rights whenever we need to. As a matter of
> > > > > fact, their equipment will physically be in our office. They have
> > > > > their own Windows 2000 forest, subnet -- 10.10.x.x -- and ISA
> > > > > Server, etc.
> > > > >
> > > > > 2. Use their router and T1s for our Internet connection as well. So
> > > > > the outside IPs of our ISA Server and their ISA Server will be in
> > > > > the same subnet.
> > > > >
> > > > > What is the best and most cost effective way to set this up?
> > > > >
> > > > > Thanks
> > > > >
> > > > > Sam
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
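Steve's earlier advice in the quoted thread was to publish port 3389 only from the partner's public IP rather than from anywhere. The following is an added Python example, not from the thread or from any ISA Server tool: it audits a small inbound rule list and reports every allow rule for TCP 3389 whose source ranges are wider than the trusted addresses. The rule format, rule names and the RFC 5737 test addresses are constructed for the example.

```python
"""Flag inbound firewall rules that expose Terminal Services (TCP 3389) more
widely than a named set of trusted public addresses.  Added example; the rule
format and addresses are constructed, not an ISA Server export."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str
    proto: str          # "tcp" or "udp"
    port: int           # destination port on the published host
    sources: List[str]  # address ranges the rule accepts from (CIDR)
    action: str         # "allow" or "deny"


# Constructed sample rule set (hypothetical names, RFC 5737 test addresses).
SAMPLE_RULES = [
    Rule("RDP to client DC - anyone", "tcp", 3389, ["0.0.0.0/0"], "allow"),
    Rule("RDP to client DC - our office only", "tcp", 3389, ["203.0.113.5/32"], "allow"),
    Rule("RDP to client DC - office plus a /24", "tcp", 3389,
         ["203.0.113.5/32", "198.51.100.0/24"], "allow"),
    Rule("Web publishing", "tcp", 443, ["0.0.0.0/0"], "allow"),
    Rule("Default deny RDP", "tcp", 3389, ["0.0.0.0/0"], "deny"),
]


def offending_sources(rule: Rule, trusted: list) -> List[str]:
    """Source ranges of `rule` that are not wholly inside a trusted network."""
    bad = []
    for src in rule.sources:
        net = ipaddress.ip_network(src, strict=False)
        inside = any(net.version == t.version and net.subnet_of(t) for t in trusted)
        if not inside:
            bad.append(str(net))
    return bad


def audit_port_exposure(rules: List[Rule], trusted_sources: List[str],
                        port: int = 3389) -> Dict[str, List[str]]:
    """Map rule name -> offending source ranges, for allow rules on TCP `port`
    that accept from anything other than the trusted public addresses."""
    trusted = [ipaddress.ip_network(s, strict=False) for s in trusted_sources]
    findings: Dict[str, List[str]] = {}
    for r in rules:
        if r.action.lower() != "allow" or r.proto.lower() != "tcp" or r.port != port:
            continue  # deny rules and other services are out of scope here
        bad = offending_sources(r, trusted)
        if bad:
            findings[r.name] = bad
    return findings


if __name__ == "__main__":
    for name, srcs in audit_port_exposure(SAMPLE_RULES, ["203.0.113.5/32"]).items():
        print(f"{name}: accepts 3389 from {', '.join(srcs)}")
```

With the office address as the only trusted source, the any-source rule and the rule that also admits a whole /24 are reported; the office-only rule, the HTTPS rule and the deny rule are not. The same check works for any other published port by passing `port=`.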


