Re: AD Consolidation Question

"Tim" <donotemail> wrote in message
news:OU4cGsTYHHA.2320@xxxxxxxxxxxxxxxxxxxxxxx
> My organization currently has ~10 forests, each holding a single domain.
> Each forest represents a separate location across the US and there are
> trusts between all forests.

You can't really mean there are 9x8x7x6x5x4x3x2x2 == 725,760 trusts?

(The 10th domain would have 2[way] trusts with the other 9, then 9th with
the other 8 etc.)

> We are looking to consolidate to a single forest / single domain Active
> Directory infrastructure, but also add another site that will also need to
> hold a DC to the new forest / domain

The last is trivial. Just add the Site, Subnet(s), Sitelink, and either
install the DC there or move it there (both physically and in Sites and Services.)

> - but
> replicate over a dedicated link to the internet vs. a P2P WAN link.

> Is it best to stick with the single forest / single domain concept for
> this new site?

Technically we cannot know from the info given but the odds are immense
that this should be your plan.

> Am I wrong in thinking that encapsulating active directory over IPsec
> (ESP) would work in this scenario?

Some type of VPN, whether it is an L2TP/IPSec or a raw IPSec tunnel
(router to router) would likely be best.

> We do have a PKI and I have read the articles per AD networks segmented by
> firewalls and replication over firewalls, but am seeking clarity for this
> unique site.

If you use a VPN and don't filter on those VPN interfaces the info on
replicating over a "firewall" won't be needed. That info is for when you must
penetrate the filters in the firewall but a VPN can allow you to protect from
all outside interference while choosing NOT to filter between the locations.

> Any help is appreciated.

You will also want to use ADMT to migrate those other domain/forests to the
current one if you are going to consolidate.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
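The "add the Site, Subnet(s), Sitelink, and either install the DC there or move it there" step from the reply above, scripted with the ActiveDirectory PowerShell module (the replication cmdlets shipped with Windows Server 2012 / RSAT, so this is how the step would be done today, not in the Server 2003-era tooling the thread assumes). This is an added example, not code from the thread or from either poster; the site, subnet, site-link and DC names, and the link cost and interval, are placeholders chosen for illustration.

```powershell
# Added example (not from the thread): scripting "add Site, Subnet(s), Sitelink,
# then move the DC" with the ActiveDirectory module (Windows Server 2012+ RSAT).
# Every name and number below is a placeholder for this illustration.
Import-Module ActiveDirectory

$hqSite   = 'Default-First-Site-Name'   # existing site the new location links to
$newSite  = 'Remote-VPN-Site'           # placeholder name for the new location
$subnet   = '10.50.0.0/16'              # placeholder address space behind the VPN
$linkName = "$hqSite-$newSite"
$dcName   = 'DC-REMOTE01'               # placeholder: DC being moved into the new site

# 1. Site object: the KCC uses sites to decide which replication is intra-site
#    (fast, notification-driven) and which is inter-site (scheduled, compressed).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$newSite'")) {
    New-ADReplicationSite -Name $newSite
}

# 2. Subnet: DCs and clients in this range are mapped to the new site, so logons
#    and replication partner selection stay local instead of crossing the tunnel.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $newSite
}

# 3. Site link over the IP transport. Cost and interval are policy choices for the
#    VPN path; the values here are placeholders, not recommendations from the thread.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hqSite, $newSite `
        -InterSiteTransportProtocol IP `
        -Cost 200 `
        -ReplicationFrequencyInMinutes 30
}

# 4. Move the DC's server object into the new site in Sites and Services
#    (the physical relocation of the box is a separate step).
Move-ADDirectoryServer -Identity $dcName -Site $newSite

# 5. Verify: the moved DC should now list partners across the new link and report
#    no replication failures. repadmin ships with the AD DS tools.
repadmin /replsummary
repadmin /showrepl $dcName
```

Run this from a domain controller or a workstation with RSAT as an account allowed to manage the Configuration partition (site, subnet and site-link objects live there, so Enterprise Admins or an equivalent delegation is needed). The verification at the end is the practical check on Herb's VPN point: if the tunnel carries unfiltered traffic between the two sites, `repadmin /showrepl` should show clean inbound replication without any of the RPC port-restriction tuning the firewall articles describe.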
