Re: issue with Child and Parent Domains



> Yes I am having some difficulty understanding this issue. So basically you
> are telling me that objects are not replicated from parent to child, just
> connections and domain membership info?

Domain objects are not replicated between different domains.

In AD there are partitions or naming contexts. In a single-domain forest
there are three: schema, configuration and domain. For each new domain in
the forest, there is another domain partition. Any DC will only ever hold
the two enterprise partitions and its domain partition (excluding 2003
whereby there's a fourth type of partition).

The domain, which consists of users, computers, groups, etc. is specific to
that domain only.


> Should the child be GC also? This is within the same forest.

There isn't an actual need for this. Although I always recommend all DCs as
GCs in small environments. There should be at least one GC per site. GCs
are a forest-wide role, and are not domain specific. If you have two
domains in one site, you don't have to have a GC on a DC from both domains.


> Also, I am not sure I am being clear about the resources of a parent. In
> this scenario, the lab wants users, who are part of the AD of parent
> domain to logon (as the sole purpose of the child domain) thru the child
> domain, but essentially authentication should occur on the parent because
> these users do not exist on the child. Now, I am telling them that I do
> not think this is possible without creating the Domain local group (on
> child domain, not sure?) and assigning those users from parent to that
> domain local group.

I don't follow you. If you have your user accounts in the domain PARENT and
you have a child domain CHILD, and you wish to logon to the PARENT domain
using computers that are members of the CHILD domain, this is fine - you just
choose the PARENT domain from the "Domain:" drop-down list at the Winlogon
screen (Ctrl+Alt+Del). You cannot logon to CHILD with an account from
PARENT or vice versa. You require an account in CHILD to logon to CHILD.


> If this can work, how do objects that are created or modified in parent
> get updated into child? Does this have to be done manually, for example if
> a new user is created in parent, must that user be added to the domain local
> group of child every time?

Objects created in the parent domain don't get updated on the child, unless
they are forest-wide objects such as sites, which are stored in the
Configuration container, for example.

You don't need to create accounts in both domains surely??

But if you do (I don't know why) you can synchronise them with IIFP.


> I preferred to have an additional DC and delegate the OU to the groups
> (which would have essentially been the Child domain administrator). Is it
> possible to give only read permissions of accounts to this group (CD
> admins) and allow their client machines to logon to their DC?

There's still a pretty big misunderstanding here. I suggest that you read
up on AD (www.microsoft.com/ad).

Yes, you can delegate to groups so that these groups have control over
OUs - but there's no reason for different domains. You should have as few
domains as possible.

You delegate either through the Delegation of Control wizard, or by manually
setting the permissions on objects through the Security tab of an object's
properties (View \ Advanced Features to be able to see the Security tab).

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
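As an added illustration of the partition point made in the reply above (this is example code, not part of the original thread or any Microsoft tool), the following PowerShell reads the RootDSE of a DC and lists which naming contexts that DC actually holds. Run on a CHILD DC it shows the schema and configuration partitions plus CHILD's own domain partition, and never PARENT's, which is why PARENT accounts are not "replicated" into CHILD. All attribute names are standard RootDSE attributes; the server name in the comment is a placeholder.

```powershell
# Added example: classify the naming contexts held by the DC that answers
# LDAP for this machine, and report whether that DC is a Global Catalog.
# Assumes a domain-joined machine. To query a specific DC instead, use
# [ADSI]"LDAP://<dc-hostname-placeholder>/RootDSE".
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$isGc     = [string]$rootDse.isGlobalCatalogReady
$dcName   = [string]$rootDse.dnsHostName

"Naming contexts held by $dcName"
foreach ($nc in $rootDse.namingContexts) {
    # The two enterprise partitions exist once per forest; the domain
    # partition is specific to this domain; anything else is an
    # application partition (Windows Server 2003 and later, e.g. DNS zones).
    $kind = switch ($nc) {
        $schemaNc { 'schema        (forest-wide)' }
        $configNc { 'configuration (forest-wide)' }
        $domainNc { 'domain        (this domain only)' }
        default   { 'application   (2003+ partition)' }
    }
    '  {0}  {1}' -f $kind, $nc
}
"Global Catalog ready: $isGc"
```

A DC reporting `isGlobalCatalogReady` of TRUE also serves a read-only partial copy of every other domain in the forest on port 3268, which is the forest-wide role the reply describes, not a full replica of the other domain partitions.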





