Re: Huge AD deployment
From: Steve Bruce, mct (swb_mct_at_msn.com)
Date: 08/30/04
- Next message: Steve Bruce, mct: "Re: Replace Domain Controller"
- Previous message: bear: "Prohibit share login username"
- In reply to: Tom: "Huge AD deployment"
- Next in thread: Al Mulnick: "Re: Huge AD deployment"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 30 Aug 2004 18:31:08 -0500
Trusts between forests only create a trust between the two specific domains
where you create the trust. The trust does not pass down to subdomains in
either forest or from forest to forest. They are non-transitive, one-directional
trusts, just like NT4.
Internal DNS services would have to be distributed with conventional zone
transfers from forest to forest, because there is no Active Directory
replication between forests.
All of this could be done with good planning.
"Tom" <tom@orange.us> wrote in message
news:u4iQ2ttjEHA.3876@TK2MSFTNGP15.phx.gbl...
> Hi, I was wondering about the following scenario:
>
> I work for a huge company in many countries, each country is run as a
> separate company. Now we want to start unifying things. We all have top
> level forests, like company.us, company.co.uk, company.fr, etc. We all run
> Exchange as well. Everything's AD 2003 and Exchange 2003. We all want to
> keep local control over our respective domains. We also have internal
> network connectivity across the countries in a star topology, not mesh.
> Well, I think it's star because we all terminate in the same data center.
>
> We're looking to unite the Exchange servers, have a global address list and
> distribution lists, and provide network applications across the entire
> company with AD authentication.
>
> Because of the star topology, could we put a new top level forest called
> company.com in that data center and have every country trust company.com and
> have access to each country? Or does each country need to trust each other
> country individually? We'll be running MIIS as well, I think. One reason
> for company.com AD is because we want unified email, so instead of sending
> mail to me @company.us you could send it @company.com. Does this make any
> sense?
>
> Anyway, what's a good starting point? I am assuming that getting the AD
> trusts down is a good first step because it entails that the internal network
> routing between the countries is functional and thus internal DNS
> replication is operational, and internal DNS gives us email routing
> internally, instead of going over the internet.
>
> So if trusts and MIIS give us what we need, I guess I'm asking for more
> details about the types of trusts. The documentation I have read is unclear
> to me, and because what I'm doing is unusual due to the size of my
> company.
>
> I think that Microsoft has one big microsoft.com AD domain and it might be
> broken up into subdomains by location. For instance, england.microsoft.com
> might handle all of England. But that domain was created as a child domain
> of Microsoft.com. That isn't possible for my company to do, we already
> have existing domains.
>
> Any input would be greatly appreciated,
> thanks,
> -tom
>
> BTW, I came up with an interesting internal IP address scheme, we'll use the
> 10.x.x.x space and the second octet is the country calling number. So the
> US is 10.1.x.x and France is 10.33.x.x, England is 10.44.x.x. Yes, I know
> there are a few countries that have calling numbers that are above 254,
> we'll just assign them something not used, like 2. And yes, I know Canada
> uses 1 as well.
>
>
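The reply above describes what a trust between forests does and does not cover. Direction, transitivity, selective authentication and SID filtering are all recorded on the trust object itself, so in a multi-forest design like the one Tom describes they can be read back and reviewed rather than assumed. The PowerShell below is an added example for that check and is not code from the original thread or from either poster; it assumes the ActiveDirectory RSAT module, read access to the trust objects, and uses the hub forest name from the thread (company.com) only as a placeholder.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module (RSAT) and read access to the trustedDomain objects. The server name
# in the usage line is a placeholder for the poster's hub forest.
Import-Module ActiveDirectory

function Get-TrustReport {
    [CmdletBinding()]
    param(
        # Domain controller or domain to query; defaults to the current domain.
        [string]$Server
    )
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        [pscustomobject]@{
            Partner              = $_.Target
            Direction            = $_.Direction.ToString()   # Inbound, Outbound, BiDirectional
            TrustType            = $_.TrustType.ToString()   # Uplevel = AD, Downlevel = NT4-style
            ForestTransitive     = $_.ForestTransitive       # $true only on a forest trust
            IntraForest          = $_.IntraForest            # parent/child or tree-root trust
            SelectiveAuth        = $_.SelectiveAuthentication
            SIDFilterQuarantined = $_.SIDFilteringQuarantined
            SIDFilterForestAware = $_.SIDFilteringForestAware
        }
    }
}

function Get-TrustFindings {
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        # Outbound or bidirectional means *this* side accepts the partner's users.
        $trustingSide = $Trust.Direction -in @('Outbound', 'BiDirectional')

        if ($trustingSide -and -not $Trust.IntraForest -and -not $Trust.SelectiveAuth) {
            "$($Trust.Partner): forest-wide authentication; every partner user is " +
            "Authenticated Users on this side. Consider selective authentication."
        }
        if (-not $Trust.IntraForest -and -not $Trust.ForestTransitive) {
            "$($Trust.Partner): non-transitive trust (external or realm); only this " +
            "domain pair is covered, child domains on either side are not."
        }
        if ($trustingSide -and -not $Trust.IntraForest) {
            "$($Trust.Partner): SID filtering quarantined=$($Trust.SIDFilterQuarantined), " +
            "forest-aware=$($Trust.SIDFilterForestAware); confirm with 'netdom trust' " +
            "that SID history from the partner is being filtered."
        }
    }
}

# Usage: run on a DC (or a workstation with RSAT) in the hub forest.
$report = Get-TrustReport            # e.g. Get-TrustReport -Server 'company.com'
$report | Format-Table -AutoSize
$report | Get-TrustFindings
```

Run it from each forest in the star, not only the hub: a trust that is bidirectional when viewed from company.com is reported from the spoke's side as well, and it is the trusting (outbound) side that decides whether selective authentication and SID filtering are enforced. The findings are prompts for review, not verdicts; the flags are shown so that whoever owns each country's forest can confirm them against the design.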