Re: How to setup authentication across domains within a forest?
anonymous_at_discussions.microsoft.com
Date: 04/13/04
- Next message: Dmitry Korolyov [MVP]: "Re: domain log in thinks it is local log in?"
- Previous message: Jimmy Andersson [MVP]: "Re: DC not demoted and removed out of AD"
- In reply to: Ulf B. Simon-Weidner [MVP]: "Re: How to setup authentication across domains within a forest?"
- Next in thread: Ulf B. Simon-Weidner [MVP]: "Re: How to setup authentication across domains within a forest?"
- Reply: Ulf B. Simon-Weidner [MVP]: "Re: How to setup authentication across domains within a forest?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 13 Apr 2004 06:47:17 -0700
Thanks for your suggestion, Ulf!
In fact, a single AD domain would eliminate concerns re:
enabling traveling users to authenticate across the
forest, regardless of their location. DCs for the domain
could be distributed across regions. Security management
could be delegated at the OU level. Replication traffic
could be limited via the use of regional AD Sites.
That we could minimize replication traffic across the WAN
by using a combination of regional domains and sites.
However, I assumed that AD replication occurs at the
forest level and domain level. That regional domains
could be used to restrict replication traffic. That
domain-level replication would be restricted to DCs within
the domain. That a combination of regional domains and
regional Sites could help minimize replication traffic.
The following quote was taken from Microsoft's online
Windows 2003 Server Deployment Guide (Active Directory
section): "Domains are used to partition the directory so
that the information in the directory can be distributed
and managed efficiently throughout the enterprise. The
goal for your domain design is to maximize the efficiency
of the Active Directory replication topology while
ensuring that replication does not use too much available
network bandwidth and does not interfere with the daily
operation of your network."
Have I missed something here? -ed
>-----Original Message-----
>Ed Levis says...
>> We are thinking of configuring 3 regional [NA|EU|AP]
>> domains within a single AD forest. Our primary goal is
>> efficient replication; secondary goal is domain level
>> resource management. Our biggest concern re: this
>> approach is the need to deploy one or more DCs for each
>> domain in each region or the risk of users encountering
>> authentication problems when traveling between regions.
>> Is there some way we can design our AD environment such
>> that all DCs share a local copy of a forest-wide
>> authentication db (??) and users authenticate to the
>> closest DC in the forest, regardless of the domain in
>> which it resides? Any suggestions would be much
>> appreciated.
>>
>Hello Ed,
>
>I'd suggest reading a good AD book or visiting the MOC course for
>designing Active Directory. Or read the Resource Kit or Deployment
>Kits online. There are not that many reasons why you need multiple
>domains, and resource management is not one of them (usually, there may
>be exceptions). You are able to split resource management by using OUs
>in the Active Directory.
>
>Common Reasons for splitting up into multiple Domains are
>usually:
>- Different Account Policies, like Password Complexity
>- Different Security Boundaries (somewhat)
>- Partitioning of AD DB-Size
>
>BTW - the resource kits are available online at
>www.reskit.com
>
>Gruesse - Sincerely,
>
>Ulf B. Simon-Weidner
>.
>
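The concern raised in the thread, that a multi-domain forest needs a DC for each domain in each region or traveling users hit authentication problems, can be checked directly against the forest. The script below is an added example, not code from either poster; it assumes the ActiveDirectory RSAT module and read access to every domain in the forest, and reports per site which domains have a DC (and a global catalog) there and which do not.

```powershell
# Added example: per-site domain controller coverage for a multi-domain forest.
# Assumes the ActiveDirectory module (RSAT) and forest-wide read access.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)   # DNS names of all domains in the forest
$sites   = @($forest.Sites)     # all AD site names

# One query per domain, since Get-ADDomainController answers for a single domain.
$dcs = foreach ($d in $domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}

# For every site: which domains have a DC here, which do not, and is there a GC.
$report = foreach ($site in $sites) {
    $here    = @($dcs | Where-Object { $_.Site -eq $site })
    $present = @($here | Select-Object -ExpandProperty Domain -Unique)
    $missing = @($domains | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Site          = $site
        DCs           = $here.Count
        GlobalCatalog = @($here | Where-Object { $_.IsGlobalCatalog }).Count
        DomainsWithDC = ($present -join ', ')
        DomainsNoDC   = ($missing -join ', ')
    }
}

# Sites listed under DomainsNoDC are where a traveling user from that domain
# has no local DC and will authenticate across the WAN (or fail if it is down).
$report | Sort-Object Site | Format-Table -AutoSize
```

A site with no global catalog is also worth flagging, since the GC is consulted at logon for universal group membership regardless of which domain the user belongs to.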