Re: Huge AD deployment
From: Phillip Renouf (PhillipRenouf_at_discussions.microsoft.com)
Date: 08/31/04
- Next message: Mark Mynsted: "Active Directory Extended Attributes"
- Previous message: Steven L Umbach: "Re: W2K Server / XP Pro Clients / Group Policy -- LOCK TASKBAR"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 31 Aug 2004 11:09:04 -0700
That was the case in Windows 2000, but in Windows Server 2003 forest trusts
are two-way transitive trusts. Since Tom indicated that their environment is
all Windows 2003 the forest trusts should be transitive. The one thing to
note though is that a forest trust is only transitive for domains within the
two forests in the trust; you'll need to set up a forest trust between every
forest if you want a complete trust scenario.
Personally I would recommend setting up an Enterprise forest and starting to
migrate your other forests into it. This will take a long time, but better
to get it started now than wait for some other hard requirement to come up.
You can delegate control over each area's local resources to their
administrators so they won't lose functionality. I've worked in a migration
scenario for a very large company that included migrating sub-companies into
their parent company's Enterprise AD. It's possible to work with the
political changes and still get people the access that they need.
If this is all driven by wanting everyone to use company.com as their email
domain you don't need trusts to establish that. You can set up routing to
route email for company.co.uk users that was sent to ukuser1@company.com to
their company.co.uk account. It may be easier to put a separate SMTP gateway
in front of Exchange to help make this easier.
Phil
"Steve Bruce, mct" wrote:
> Trusts between forests only create a trust between the two specific domains
> where you create the trust. The trust does not pass down to subdomains in
> either forest or from forest to forest. They are non-transitive one
> directional trusts, just like NT4.
>
> Internal DNS services would have to be distributed with conventional zone
> transfers from forest to forest, because there is no Active Directory
> replication between forests.
>
> All of this could be done with good planning
>
> "Tom" <tom@orange.us> wrote in message
> news:u4iQ2ttjEHA.3876@TK2MSFTNGP15.phx.gbl...
> > Hi, I was wondering about the following scenario:
> >
> > I work for a huge company in many countries, each country is run as a
> > separate company. Now we want to start unifying things. We all have top
> > level forests, like company.us, company.co.uk, company.fr, etc. We all run
> > Exchange as well. Everything's AD 2003 and Exchange 2003. We all want to
> > keep local control over our respective domains. We also have internal
> > network connectivity across the countries in a star topology, not mesh.
> > Well I think it's star because we all terminate in the same data center.
> >
> > We're looking to unite the Exchange servers, have a global address list and
> > distribution lists, and provide network applications across the entire
> > company with AD authentication.
> >
> > Because of the star topology, could we put a new top level forest called
> > company.com in that data center and have every country trust company.com and
> > have access to each country? Or does each country need to trust each other
> > country individually? We'll be running MIIS as well I think. One reason
> > for company.com AD is because we want unified email, so instead of sending
> > mail to me @company.us you could send it @company.com. Does this make any
> > sense?
> >
> > Anyway, what's a good starting point? I am assuming that getting the AD
> > trusts down is a good first step because it entails that the internal network
> > routing between the countries is functional and thus internal DNS
> > replication is operational, and internal DNS gives us email routing
> > internally, instead of going over the internet.
> >
> > So if trusts and MIIS give us what we need, I guess I'm asking for more
> > details about the types of trusts. The documentation I have read is unclear
> > to me, and because what I'm doing is unusual due to the size of my
> > company.
> >
> > I think that Microsoft has one big microsoft.com AD domain and it might be
> > broken up into subdomains by location. For instance, england.microsoft.com
> > might handle all of England. But that domain was created as a child domain
> > of microsoft.com. That isn't possible for my company to do, we already have
> > existing domains.
> >
> > Any input would be greatly appreciated,
> > thanks,
> > -tom
> >
> > BTW, I came up with an interesting internal IP address scheme, we'll use the
> > 10.x.x.x space and the second octet is the country calling number. So the
> > US is 10.1.x.x and France is 10.33.x.x, England is 10.44.x.x. Yes, I know
> > there are a few countries that have calling numbers that are above 254,
> > we'll just assign them something not used, like 2. And yes, I know Canada
> > uses 1 as well.
> >
> >
>
>
>
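Added example, not part of any post in this thread: a PowerShell check of the point Phil makes about transitivity. A Windows Server 2003 forest trust is transitive only between the two forests it joins, so a "everyone trusts company.com" hub gives n-1 trusts but no spoke-to-spoke access; a full mesh needs one forest trust per pair of forests. The script lists the pairs for a given set of forest roots and then, run from a domain-joined machine in one of those forests with the ActiveDirectory RSAT module, reports which of that forest's required trusts exist and whether each is forest-transitive, two-way, and still has SID filtering on. The forest names are illustrative placeholders taken from Tom's message, and the thresholds for what counts as "OK" are this example's own choice.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT) and a machine joined to one of the forests listed below.
Import-Module ActiveDirectory

# Every forest root in the scenario, including the proposed hub (assumed names).
$forests = 'company.us', 'company.co.uk', 'company.fr', 'company.com'

# Forest trusts are transitive only within the two forests they join, so a
# hub-only design needs n-1 trusts but a full mesh needs n(n-1)/2 of them.
$pairs = for ($i = 0; $i -lt $forests.Count; $i++) {
    for ($j = $i + 1; $j -lt $forests.Count; $j++) {
        [pscustomobject]@{ A = $forests[$i]; B = $forests[$j] }
    }
}
"{0} forests: hub-only = {1} trusts, full mesh = {2} trusts" -f `
    $forests.Count, ($forests.Count - 1), $pairs.Count
$pairs | ForEach-Object { "  needed: $($_.A) <-> $($_.B)" }

# Trusts are stored per forest; Get-ADTrust only shows the ones of the forest
# this machine belongs to, so run the script once in each forest root.
$local  = (Get-ADForest).RootDomain
$trusts = Get-ADTrust -Filter * -Properties *

foreach ($p in ($pairs | Where-Object { $_.A -eq $local -or $_.B -eq $local })) {
    $peer = if ($p.A -eq $local) { $p.B } else { $p.A }
    $t = $trusts | Where-Object { $_.Target -eq $peer }
    if (-not $t) {
        "MISSING  $local <-> $peer : no trust object"
        continue
    }
    # Checks before relying on the trust:
    #  - ForestTransitive: an external (non-forest) trust reaches only the
    #    two root domains, which is the NT4-style behaviour Steve described
    #  - Direction: BiDirectional if both sides need each other's resources
    #  - SID filtering: leave it on unless a SIDHistory-based migration
    #    genuinely needs it off, and turn it back on afterwards
    $problems = @(
        if (-not $t.ForestTransitive) { 'not forest-transitive (external trust)' }
        if ($t.Direction -ne 'BiDirectional') { "direction=$($t.Direction)" }
        if (-not $t.SIDFilteringForestAware -and -not $t.SIDFilteringQuarantined) {
            'SID filtering OFF'
        }
    )
    if ($problems.Count -eq 0) { "OK       $local <-> $peer : two-way forest trust" }
    else { "CHECK    $local <-> $peer : $($problems -join '; ')" }
}
```

With the four forests above the script expects six forest trusts for a full mesh against three for the hub design, which is the gap Phil is pointing at: the hub trusts alone never let company.fr reach company.co.uk. Since each forest only knows about its own trust objects, the "MISSING" and "CHECK" lines are per forest, so the same script has to be run in every root to audit the whole mesh.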