Re: User authentication and access to "sister" domain resources

From: Pablo E. Colazurdo (rael_at_singularidad.com.ar)
Date: 01/04/05


Date: Tue, 4 Jan 2005 10:22:32 -0000

About SUS, yes, you can autoapprove on child SUS servers and only approve the
patches on the parent server, so the child domain will only receive the list
of approved patches from the parent.

About your design, why don't you use the same domain and different sites? (including
different OUs if you want to delegate administration)

In your actual design, if the link dies ... there is no way to validate
the users.

Hope it helps,
Pablo E. Colazurdo

"Gera" <Gera@discussions.microsoft.com> wrote in message
news:F697E35E-FFC1-46A9-BF00-574047728D98@microsoft.com...
> [this is a long AD design question, but please read until the end....]
>
> I am in process of designing a brand new AD structure for our customer.
> The geographic placement is: 3 locations, let's say site A, site B and site C,
> connected with 2 mbit links.
>
> I propose a design with a root domain and three child domains, all with Windows
> 2003 Servers - a pretty classic design (let's say sites coincide with domains).
> Every location (site) with 2 DCs for every child domain and one rootDC1 in
> siteA and another rootDC2 in siteB.
> All DCs are Global Catalogs.
>
> The customer has some traveling users (notebooks with DHCP in use probably),
> which should have the possibility to log in at any site and have access to local
> (domain B) printers and files.
>
> The situation in question is:
> - group membership is by the AGLP rule
> - user_from_domainA arrives in siteB
> - user_from_domainA gets an IP address from the siteB DHCP server
> - user_from_domainA is trying to log on to his remote DC in siteA while
>   sitting in siteB
> - the link to all DCs from domain A is suddenly broken; user_from_domainA's PC can
>   log in using cached credentials
> - links to the nearest rootDC and domainB DCs are ok
> - user_from_domainA still needs to print (or share files) to domainB printers
> - user_from_domainA doesn't have any accounts in domainB
>
> What will happen in this situation? I can't test this setup right now, so I
> am hoping for help from colleagues...
> Which DC is used at which moment? Is it enough to have a domainB DC online and
> valid cached credentials to traverse the AGLP path?
>
> And the customer doesn't want to place an additional DC in every site (doesn't want
> to place a domainA DC in site B).
> Is the only solution to use one common domain spanning all 3 locations,
> or
> to use some siteB_guest account for access to domain B resources in this
> situation?
> Is it truly impossible to access "sister" domain resources while the client's
> own DCs are inaccessible?
>
>
> Another smaller question about SUS in this setup: is it possible to approve
> patches between servers located in different domains?
> I mean, have the main SUS server on rootDC1 (root domain), a subordinate SUS
> server on siteA_DC1 (child domain) and approve patches in this cross-domain
> way?
>
>
>
> Thanks for any suggestions,
>
> G.Simonson
> IS engineer, MCSE
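To check the scenario in the question on an actual client, rather than reasoning about it, the following PowerShell script (an added example, not from either poster) reports which DC handled the current logon, whether the last logon used cached credentials, and whether a DC can be located for the home domain and the sister domain from the site the client is in. The domain names are placeholders, and reading the Security log requires an elevated session.

```powershell
# Added example (not from the thread): on a domain-joined Windows client, report
# which DC handled the logon, whether the logon was cached, and whether DCs for
# the home domain and a sister domain are reachable from the current site.
# Domain names are placeholders; substitute the real FQDNs. Run elevated.
param(
    [string]$HomeDomain   = 'domainA.corp.example',   # placeholder
    [string]$SisterDomain = 'domainB.corp.example'    # placeholder
)

# 1. DC that validated this session; the local machine name here means no DC was used.
"LOGONSERVER: $env:LOGONSERVER"

# 2. Most recent interactive logon of the current user from the Security log:
#    logon type 2 = Interactive (a DC was reached), 11 = CachedInteractive (no DC).
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}
$user = $env:USERNAME
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Where-Object {
        $f = Get-EventFields $_
        $f.TargetUserName -eq $user -and $f.LogonType -in @('2', '11')
    } | Select-Object -First 1
if ($evt) {
    $f = Get-EventFields $evt
    $kind = if ($f.LogonType -eq '11') { 'CACHED (no DC reached)' } else { 'online via a DC' }
    "Last logon of $user at $($evt.TimeCreated): $kind, package $($f.AuthenticationPackageName)"
} else {
    "No interactive logon event found for $user in the last 500 4624 events"
}

# 3. Secure channel to the home domain, then DC discovery for both domains.
#    nltest ships with Windows; a non-zero exit code means no DC could be located.
nltest /sc_query:$HomeDomain
foreach ($dom in @($HomeDomain, $SisterDomain)) {
    nltest /dsgetdc:$dom /force | Select-String 'DC:', 'Dom Name', 'Site'
    if ($LASTEXITCODE -ne 0) { "No DC reachable for $dom from this site" }
}

# 4. Number of logons the client keeps cached for offline use (Windows default is 10).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"CachedLogonsCount: $((Get-ItemProperty $wl).CachedLogonsCount)"
```

Running it once with the domain A link up and once with it down shows, for that client, which of the two logon paths was actually taken and whether a domain B DC is still discoverable from site B.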


