Re: issue with Child and Parent Domains
- From: "Altria" <urbantec92@xxxxxxx>
- Date: Tue, 19 Apr 2005 12:02:33 -0400
Thanks again Paul!
Do you have a document with this explicitly defined:
> You cannot logon to CHILD with an account from
> PARENT or vice versa. You require an account in CHILD to logon to CHILD.
Do you mean logging on from a client to a CD where that client account only
exists on the PD, and NOT logging onto the CD server itself? Or BOTH?
This is exactly what the department is trying to do, but I was telling
them that it is not possible.
Is there such a thing as pass-through authentication where users who are
currently on the PD can log on to the CD?
If not, how can you make GPOs and other functions work on members that are
part of the CD? If I join a computer to the CD and just log on to the parent, will
that user still be part of the CD? That is, will GPOs still be able to work? If
so, I assume I have to designate the DNS entry on the client to that of the CD
and not of the PD.
> I don't follow you. If you have your user accounts in the domain PARENT and
> you have a child domain CHILD, and you wish to logon to the PARENT domain
> using computers that are members of the CHILD domain this is fine - you just
> choose the PARENT domain from the domain: drop-down list at the Winlogon
> screen (Ctrl+Alt+Del).
At this point you are saying that I do not need any groups, but how can you
assign folder permissions and other resources particular to the CD?
TIA,
Altria
"ptwilliams" <ptw2001@xxxxxxxxxxx> wrote in message
news:e1S37sDRFHA.1564@xxxxxxxxxxxxxxxxxxxxxxx
>> Yes I am having some difficulty understanding this issue. So basically you
>> are telling me that objects are not replicated from parent to child, just
>> connections and domain membership info?
>
> Domain objects are not replicated between different domains.
>
> In AD there are partitions or naming contexts. In a single-domain forest
> there are three: schema, configuration and domain. For each new domain in
> the forest, there is another domain partition. Any DC will only ever hold
> the two enterprise partitions and its domain partition (excluding 2003
> whereby there's a fourth type of partition).
>
> The domain, which consists of users, computers, groups, etc. is specific to
> that domain only.
>
>
>> Should the child be GC also? This is within the same forest.
>
> There isn't an actual need for this, although I always recommend all DCs as
> GCs in small environments. There should be at least one GC per site. GCs
> are a forest-wide role, and are not domain specific. If you have two
> domains in one site, you don't have to have a GC on a DC from both
> domains.
>
>
>> Also, I am not sure I am being clear about the resources of a parent. In
>> this scenario, the lab wants users, who are part of the AD of the parent
>> domain, to logon (as the sole purpose of the child domain) through the child
>> domain, but essentially authentication should occur on the parent because
>> these users do not exist on the child. Now, I am telling them that I do
>> not think this is possible without creating the domain local group (on the
>> child domain, not sure?) and assigning those users from the parent to that
>> domain local group.
>
> I don't follow you. If you have your user accounts in the domain PARENT and
> you have a child domain CHILD, and you wish to logon to the PARENT domain
> using computers that are members of the CHILD domain this is fine - you just
> choose the PARENT domain from the domain: drop-down list at the Winlogon
> screen (Ctrl+Alt+Del). You cannot logon to CHILD with an account from
> PARENT or vice versa. You require an account in CHILD to logon to CHILD.
>
>
>> If this can work, how do objects that are created or modified in parent
>> get updated into child? Does this have to be done manually, for example if
>> a new user is created in parent, must that user be added to the domain local
>> group of child every time?
>
> Objects created in the parent domain don't get updated on the child, unless
> they are forest-wide objects such as sites, which are stored in the
> Configuration container, for example.
>
> You don't need to create accounts in both domains, surely?
>
> But if you do (I don't know why) you can synchronise them with IIFP.
>
>
>> I preferred to have an additional DC and delegate the OU to the groups
>> (which would have essentially been the child domain administrator). Is it
>> possible to give only read permissions of accounts to this group (CD
>> admins) and allow their client machines to logon to their DC?
>
> There's still a pretty big misunderstanding here. I suggest that you read
> up on AD (www.microsoft.com/ad).
>
> Yes, you can delegate to groups so that these groups have control over
> OUs - but there's no reason for different domains. You should have as few
> domains as possible.
>
> You delegate either through the Delegation of Control wizard, or by manually
> setting the permissions on objects through the Security tab of an object's
> properties (View \ Advanced Features to be able to see the Security tab).
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
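The points Paul makes above (naming contexts held by a DC, GC placement being forest-wide, and delegating control over an OU to a group instead of building a second domain), shown as an added PowerShell example that is not part of this thread and was not posted by either participant. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation; the OU distinguished name and the group name Lab-Admins are placeholders, and the ACE granted is read-only on user objects, which is the "read permissions of accounts" case asked about.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module is installed; OU DN and group name below are placeholders.
Import-Module ActiveDirectory

# 1. Naming contexts (partitions) the DC you are bound to holds: schema,
#    configuration, its own domain partition, plus application partitions
#    on 2003 and later. Other domains' partitions are not listed here.
$rootDse = Get-ADRootDSE
$rootDse.namingContexts

# 2. GCs are a forest-wide role: list every GC in the forest and its site,
#    so you can confirm at least one GC per site regardless of domain.
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object Name, Domain, Site, IsGlobalCatalog

# 3. Delegate read-only access over user objects in one OU to a group.
#    This is the manual form of what the Delegation of Control wizard writes
#    to the object's DACL (Security tab, visible under View \ Advanced Features).
$ouDn  = 'OU=Lab,DC=child,DC=parent,DC=example'   # placeholder OU
$group = Get-ADGroup 'Lab-Admins'                 # placeholder group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# schemaIDGUID of the "user" class, so the ACE is scoped to user objects only
# (least privilege: the group cannot read or touch computers, groups, etc.).
$userClassGuid = (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [Guid]$userClassGuid

$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Verify the resulting ACE; this is what the Advanced view of the Security
#    tab shows, and what you should review after any delegation change.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Lab-Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run step 4 before and after the change and keep the output with the change record: delegated ACEs on OUs are easy to forget and are exactly what a later audit of "who can read or modify accounts" needs to find.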