Re: What is the best way to administering two separate forests?
From: Sam (sam_at_iQinternet.com)
Date: 05/16/04
- Next message: Jetro: "Re: Dual homed XP one interface dynamic IP"
- Previous message: masters: "ics through dial up on network-win2000+win98se (AOL)"
- In reply to: Steven L Umbach: "Re: What is the best way to administering two separate forests?"
- Next in thread: Steven Umbach: "Re: What is the best way to administering two separate forests?"
- Reply: Steven Umbach: "Re: What is the best way to administering two separate forests?"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 16 May 2004 16:46:11 -0400
Hi Steve,
Thanks for the detailed answers. I do like the idea of using ISA boxes for
routing purposes also. I'll post some questions on ISA newsgroups also. This
would eliminate the need for a separate router or Windows box that acts as a
router.
I got a lot of ideas from your responses and do appreciate your help very
much. Thanks so much.
Sam
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:2cQpc.60513$536.10255547@attbi_s03...
> Hi Sam.
>
> If you are going to have a number of users require access to the other forest,
> then yes a one way trust would make sense where you are the trusted domain and
> they are the trusting domain. I hesitate to recommend the best way to
> interconnect your networks without having more experience on that end with
> larger networks. You may want to post in the win2000.ras_routing newsgroup and
> win2000.active_directory for more opinions on that. Usually a router [possibly
> a Windows box with two nics] would be the solution interconnecting the internal
> lans but since you say you are using switches/logical networks there may be an
> easier way or even through the ISA servers since you are on the same external
> subnet. Gateways will have to be configured on clients/routers possibly so that
> traffic to the other domain gets sent there and back and not out to the
> internet router.
>
> Setting up the trust will require that the domains have dns name resolution
> between them with either the use of "stub" zones or your dns servers in each
> domain also being secondary dns servers for the opposite domain. If you are
> using wins for network browsing, then configure the wins servers to be
> replication partners with the wins servers in the other domain and make sure
> the domain controllers are also wins clients. After the trust is set up you can
> add the appropriate users from your domain to the appropriate groups in the
> other domain. The link below may be helpful on setting up trusts and you may
> also try an lmhosts file for domain authentication if you have trouble
> establishing the trust. --- Steve
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/domadmin_n_UnderstandTrusts.asp
> http://tinyurl.com/2nbaf --- same link as above in case of wrap
> http://support.microsoft.com/default.aspx?scid=kb;en-us;180094 -- lmhosts
>
> "Sam" <sam@iQinternet.com> wrote in message
> news:uM2g8y3OEHA.3124@TK2MSFTNGP12.phx.gbl...
> > Hi Steve,
> >
> > First, thanks for your responses. I appreciate you taking the time to answer
> > my questions.
> >
> > Now that you mentioned a trust relationship, it actually makes sense to do
> > that. We are very intimate with our client. We also do a lot of application
> > development and SQL Server management for them.
> >
> > So it's very important for us to be comfortable while we work. For example,
> > our SQL Server guy should be able to access our client's SQL Server using
> > his workstation. He should be able to just use SQL Server Enterprise Manager
> > to pull up client's SQL Server and be able to create tables, etc.
> >
> > Same thing applies to everyone in my company. We also manage our client's
> > Exchange server. We even do data entry for them. Like I said, the goal is to
> > keep our network separate AND protected but in the meantime, certain
> > individuals in my company/network should be able to tap into the client's
> > network and network resources i.e. Exchange, SQL Server, applications, etc.
> > for them to be able to do their work.
> >
> > Do you think a one-way trust relationship is the way to go? What about
> > routing? Again, physically, we are in the same building, same wiring, same
> > switches. We will just have a separate logical network with a separate
> > forest. How would we tap into our client's network in a one way trust
> > relationship scenario? For instance, how would the SQL guy see our client's
> > SQL Server in his Enterprise manager if he's on a separate
> > domain/forest/subnet considering that our client's domain/forest trusts our
> > domain/forest.
> >
> > Thanks for your help Steve.
> >
> > Sam
> >
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:zTOpc.60795$iF6.5423485@attbi_s02...
> > > Hi Sam.
> > >
> > > I think it makes sense to have a workstation on their domain/network. You
> > > bring up the point about separate forests/subnets which tells me you
> > > probably don't want to go into creating trusts between the forests, etc.
> > > The workstation does not need to be fancy and you could share another
> > > monitor/keyboard/mouse from another computer via a KVM switch if you want
> > > to save some space and money. If you go that route, I would consider
> > > allowing only those who should administer the other domain to logon to it
> > > using security policy user rights assignment - log on locally. --- Steve
> > >
> > > "Sam" <sam@iQinternet.com> wrote in message
> > > news:uMtUhbuOEHA.2704@TK2MSFTNGP10.phx.gbl...
> > > > We're also going to be maintaining our client's Exchange, SQL and some
> > > > other apps.
> > > >
> > > > So we need to get into their network and do things comfortably. What do
> > > > you think is the best way for us to almost live in their network? I
> > > > guess we could keep a workstation in their network that we can
> > > > physically use.
> > > >
> > > > Just trying to figure out the most effective and comfortable way to
> > > > handle this.
> > > >
> > > > Thanks,
> > > >
> > > > Sam
> > > >
> > > >
> > > > "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> > > > news:v0xpc.8554$qA.931575@attbi_s51...
> > > > > Since the equipment will be in your office it would make sense to
> > > > > have a domain computer for their domain available to you connected to
> > > > > their subnet. Just make sure that it is hardened and physically
> > > > > secured to some degree as you will be logging onto it with domain
> > > > > admin credentials. You could configure that computer to access one of
> > > > > their domain controllers using Terminal Services remote
> > > > > administration or installing Adminpak on that computer to administer
> > > > > the domain. Another option would be to use one of your computers to
> > > > > use TS remote administration to access their domain through the ISA
> > > > > servers, though that would require configuration on their end to
> > > > > allow port 3389 access to the proper computer on their lan. It would
> > > > > also open a hole in their firewall unless they have a vpn connection
> > > > > you can go through. I would not recommend opening port 3389 on their
> > > > > end unless you configure their firewall to only accept port 3389
> > > > > connections from your public IP address in order to reduce hacking
> > > > > attempts.
> > > > >
> > > > >
> > > > > Should be no problem using their router and internet access. The ISA
> > > > > servers will not allow uninitiated inbound access to each other's
> > > > > public IP address unless they are configured to allow it. --- Steve
> > > > >
> > > > > "Sam" <sam@iQinternet.com> wrote in message
> > > > > news:On25kWoOEHA.680@TK2MSFTNGP11.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > We're in a situation where we will be in charge of at least one
> > > > > > other network within the same building. We want to keep our Windows
> > > > > > 2003 domain/forest completely separate and independent with its own
> > > > > > subnet 10.1.x.x and ISA Server but we have to do 2 things:
> > > > > >
> > > > > > 1. Maintain our client's network so we need to be able to get into
> > > > > > their network w/ admin rights whenever we need to. As a matter of
> > > > > > fact, their equipment will physically be in our office. They have
> > > > > > their own Windows 2000 forest, subnet -- 10.10.x.x -- and ISA
> > > > > > Server, etc.
> > > > > >
> > > > > > 2. Use their router and T1s for our Internet connection as well. So
> > > > > > the outside IPs of our ISA Server and their ISA Server will be in
> > > > > > the same subnet.
> > > > > >
> > > > > > What is the best and most cost effective way to set this up?
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Sam
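A way to script the DNS stub zone and the trust direction check that Steve's last reply describes, as an added example that is not from the thread. Forest names, addresses and the server name are placeholders, and the cmdlets assume current Windows Server DnsServer/ActiveDirectory RSAT modules rather than the Windows 2000/2003 era tools the thread discusses.

```powershell
# Added example, not from the thread. Assumed names: our forest "ours.example"
# (trusted side, 10.1.x.x) and the client forest "client.example" (trusting
# side, 10.10.x.x). Requires the DnsServer and ActiveDirectory modules.
Import-Module DnsServer
Import-Module ActiveDirectory

$RemoteForest   = 'client.example'                # placeholder: other forest's DNS name
$RemoteDnsHosts = @('10.10.0.10', '10.10.0.11')   # placeholder: their DNS servers
$LocalDnsServer = 'dc1.ours.example'              # placeholder: our DNS server

# 1. Stub zone so our DNS servers can locate their domain controllers. The
#    thread's other option is a secondary zone (Add-DnsServerSecondaryZone),
#    which is what a side that cannot host stub zones would use.
$zone = Get-DnsServerZone -Name $RemoteForest -ComputerName $LocalDnsServer `
            -ErrorAction SilentlyContinue
if ($null -eq $zone) {
    Add-DnsServerStubZone -Name $RemoteForest -MasterServers $RemoteDnsHosts `
        -ReplicationScope Forest -ComputerName $LocalDnsServer
}

# 2. Verify the DC locator SRV record resolves through our own DNS server;
#    the trust cannot be created while this lookup returns nothing.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV `
           -Server $LocalDnsServer -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' |
    Select-Object Name, NameTarget, Port, Priority | Format-Table -AutoSize

# 3. Confirm the trust exists and points the intended way. Seen from our
#    (trusted) forest the one-way trust reports Direction = Inbound; seen from
#    the client's (trusting) forest it reports Outbound.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'" -ErrorAction SilentlyContinue
if ($null -eq $trust) {
    Write-Warning "No trust object for $RemoteForest exists in our forest yet."
} else {
    $trust | Select-Object Name, Direction, TrustType, ForestTransitive,
                           SelectiveAuthentication
}
```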