Re: isolating a subdomain in AD



Yeah, but you could make a separate forest and only allow those users you
want into it and leave all the users still defined on the original forest,
which would give them access to Exchange.

This would only be an issue if you moved the users to the new forest. That
is one option but you don't have to move them. Just give yourself the
access in the new resource forest along with those users that need access.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"John Czahor" <JohnCzahor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:59085049-E634-41D6-94B7-BDCD446CD229@xxxxxxxxxxxxxxxx
> Exchange might be the killer because the users might not want to use OWA.
> Should I post that question on the Exchange board?
>
> "Paul Bergson" wrote:
>
>> If you set up a trust the new forest would probably be the trusted and the
>> old would be the trusting (A 1 way trust). This would give you the ability
>> to provide you full rights into the old forest but you wouldn't have to
>> provide anybody any rights into your forest. It could be a separate forest
>> that was for resources only and you could set up the users you wanted to get
>> into this forest as well. The second option may be more of what you are
>> looking for.
>>
>> I'm not 100% sure on how Exchange would work in this scenario but... you
>> could use OWA and everything would work just fine.
>>
>> --
>>
>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "John Czahor" <JohnCzahor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:981899F2-3E6B-41F8-B62D-E3DC0722A8F2@xxxxxxxxxxxxxxxx
>> > What about removing Enterprise, Domain, Schema admin groups from the Server
>> > itself and only giving access to those users who need access? What about a
>> > firewall in between with ports open only to the DCs? If I went to a separate
>> > forest, how would I get to the Exchange server that is in the main forest?
>> > Would the trust take care of that?
>>
>>
>>

