RE: Windows Server 2003 Servicing Multiple AD Domains



Mike:

> Are there any performance or access issues having users connecting across
> Domains via transitive trusts to a common shared Windows 2003 File & Print
> Storage Server for Home Directories and other shares?
If the trust is set up properly, there should not be any (many?!) access
issues. Performance will also depend on the hardware you are using. Since
the servers are part of the same forest, once access is defined, I see little
problem with it (user access). Again, I want to emphasize using the right
groups (global or domain) across domains is key to reducing access issues.

> How can we address the Departments “security” concerns if we maintain the
> Common Child Domain and deploy a shared Windows 2003 File & Print Storage
> Server?
You can accomplish this in several ways. Not knowing what the concerns are,
specifically, you can either create separate data partitions and 'control
access' them or create a nested file structure with organized ACL's at the
top (limiting domain level access) or by emphasizing security dissemination
using security groups. Through it all, you can audit it as granularly as
needed to have a log of access to alleviate concerns. It would all depend on
how much security and work you want to build in and what kind of
administrative overhead you can shoulder.

Hope that helps.

-Allen Firouz

"Mike Pomerleau" wrote:

> Allen, we have already deployed one of the Microsoft Best Practice AD Designs
> - Single, Global Child Domain
>
> Can you please answer my two questions:
>
> Are there any performance or access issues having users connecting across
> Domains via transitive trusts to a common shared Windows 2003 File & Print
> Storage Server for Home Directories and other shares?
>
> How can we address the Departments “security” concerns if we maintain the
> Common Child Domain and deploy a shared Windows 2003 File & Print Storage
> Server?
>
> Thanks
>
> "Allen Firouz" wrote:
>
> > Mike:
> >
> > Changing your topology to add separate domains is not a huge performance
> > issue, given the proper planning and bandwidth considerations. When security
> > is an issue, a design that you may want to consider is to create a "resource
> > domain" which will house your Exchange and/or other file and application
> > servers. This model increases security for the entire forest, albeit by
> > increasing your administration overhead as well. I would strongly recommend
> > re-visiting your security group design as well, since managing SG's in a
> > multi-domain environment is different from a single domain model. Review the
> > SG nesting and ensure that groups are set up with proper local, domain and
> > global groups.
> >
> > You may want to use these links for good info and gotcha's for the design:
> > http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#EHAA
> > AD Domain design alternatives:
> > http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/w2kdomar.mspx
> >
> > -Allen Firouz
> >
> > "Mike Pomerleau" wrote:
> >
> > > I have a new Windows 2003 Active Directory with an empty Root Domain and a
> > > Common Child Domain containing 15,000 user and computer accounts from 5
> > > separate departments in an OU structure. There are 5,000 users and computers
> > > at HQ and about 2,000 users and computers at each of the 5 regional office
> > > areas all connected by 10 MB ATM. There is one common Exchange Organization
> > > servicing all the users. We are planning on setting up a shared Windows 2003
> > > File & Print Storage Server at the principal office in each region as well as
> > > HQ.
> > >
> > > We have been getting pressure from each of the 5 Departments to move them
> > > into their own Child Domain for increased “security” (i.e. meet HIPAA
> > > concerns) and allow them to deploy their own separate non-shared Windows 2003
> > > Server. All 5 departments are spread across HQ and the 5 regions.
> > >
> > > Are there any performance or access issues having users connecting across
> > > Domains via transitive trusts to a common shared Windows 2003 File & Print
> > > Storage Server for Home Directories and other shares?
> > >
> > > How can we address the Departments “security” concerns if we maintain the
> > > Common Child Domain and deploy a shared Windows 2003 File & Print Storage
> > > Server?
> > >
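
The layout suggested in the reply at the top of this thread (one top-level folder per department, ACLs set at that top level, access granted through security groups, and auditing on each tree) could be scripted as below. This is an added example, not code from the thread. The share path, the domain name `CHILD`, the department names and the `DL-<dept>-Modify` domain local groups are hypothetical; the groups must already exist, and PowerShell is assumed to be installed on the file server.

```powershell
# Added example: every path, domain and group name here is a hypothetical placeholder.
$ShareRoot   = 'D:\Shares'                                # assumed data volume
$Domain      = 'CHILD'                                    # assumed NetBIOS name of the common child domain
$Departments = 'DeptA','DeptB','DeptC','DeptD','DeptE'    # stand-ins for the 5 departments

$rights    = [System.Security.AccessControl.FileSystemRights]
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dept in $Departments) {
    $path = Join-Path $ShareRoot $dept
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Read DACL and SACL together (-Audit needs an elevated administrator session).
    $acl = Get-Acl -Path $path -Audit

    # Protect the folder from inheritance and drop inherited entries, so nothing
    # granted on the share root (for example to Domain Users) reaches this tree.
    $acl.SetAccessRuleProtection($true, $false)

    # Grant access to a domain local group only. Users reach it through global
    # groups nested into that group, never through direct entries on the ACL.
    $grants = @(
        @('BUILTIN\Administrators',   $rights::FullControl),
        @('NT AUTHORITY\SYSTEM',      $rights::FullControl),
        @("$Domain\DL-$dept-Modify",  $rights::Modify)
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }

    # SACL: record successful and failed writes, deletes and permission changes
    # by any account, giving each department a log of access to its own data.
    $auditRights = $rights'Write, Delete, ChangePermissions, TakeOwnership'
    $audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $auditRights, $inherit, $propagate,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($audit)

    Set-Acl -Path $path -AclObject $acl

    # Print the resulting explicit entries for review.
    (Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

The audit entries only produce Security log events once "Audit object access" is enabled in the server's audit policy. Explicit entries already present on an existing folder are kept, so review the printed ACL for any that should be removed.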