Re: Multiple Domains
From: Chuck (none_at_example.net)
Date: 06/07/04
Date: 7 Jun 2004 18:04:06 -0500
On Mon, 7 Jun 2004 12:31:05 -0700, "James" <anonymous@discussions.microsoft.com>
wrote:
>Chuck,
>
>Thanks for the response!
>
>Please clarify for me, is this:
> 1) A user with a laptop that she wants to connect to a network in a different
> domain, and access resources there?
>Yes...she has one laptop that she takes back and forth to 2 different locations, each with their own domains, resources etc. For example, when she logs in here she is user vhope on domain DFW01...at the other location, she is vhope on DFW02.
>Both domains are on the same WAN, but apparently don't have trust relationships set up.
> 2) A user who wants to login to desktop computers located in a remote location,
> and access resources there?
>No
>
> And, are the two domains connected by a WAN? YES
>
>Thanks!

James,

Any corporation with any electronic infrastructure (IOW, any corporation) needs
to have its own security policy. And you will have to try and reconcile my
recommendations with your CSP, and with your domain structure, since I have no
idea what either contains. So here goes.

This is the quick solution, which supports one computer:

Since your network contains the home domain for VHope, you leave the laptop
joined to domain DFW01. Whenever she connects to your network, she can simply
log in as "VHope" in a normal domain login.

You (are you domain admin for DFW01?) need to then set up her laptop to permit
local login to users in domain DFW02. When she needs to use her DFW02 account
(and she can do this from your network too), she can do a "local" login as
"DFW02\VHope". This will override the default authentication with her home
domain DFW01, and authenticate her with DFW02.

Of course, authenticating with DFW02 from your network, depending upon the size
of the pipe between DFW01 and DFW02, may be substantially longer than from
within the DFW02 network. But it will allow you to test the concept.

When she connects to the DFW02 network, she will still log in "locally" as
"DFW02\VHope". She can then access her DFW02 domain profile and associated
data.

The advantage of this procedure is that she will be able to use her DFW01 and
DFW02 domain profiles (including persistent network connections) and associated
data, on the laptop, as appropriate, from either network.

This is the more formal solution, which supports multiple computers:

You, and a domain administrator for DFW02, need to establish a trust
relationship between the two domains. When that is done, any computer joined to
either domain, such as VHope's laptop, will, by default, permit local login to
users in both domains (selected from the pull down domain list in the login
wizard).

VHope would then select whichever domain she wishes to authenticate with, at
her convenience. She could authenticate with either domain, when connected to
either network.

The advantage of this solution is that it is generally more scalable, should
additional employees need to migrate between the two locations. It may be more
preferred by your CSP also.

Whichever solution you decide to use, James, remember that it should conform to
your CSP.

Please let me know your thoughts in this matter so far, and tell me if I need to
include some more detail.

Cheers,
Chuck

Paranoia comes from experience - and is not necessarily a bad thing.