Re: AD Consolidation Question



although 90 trusts is a pain to manage, imagine 725,760.... the guy would
still be creating trusts today! ;-)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23fQQC%23JaHHA.2320@xxxxxxxxxxxxxxxxxxxxxxx

"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23T48mxHaHHA.348@xxxxxxxxxxxxxxxxxxxxxxx
not really correct....

You are correct -- can't believe that I multiplied instead of adding.

It's a form of "double-Fibonacci" series, not a factorial.

10 forests all trusting each other = N*(N-1) = 10*(10-1)=90 trusts

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:up%23V$9UYHHA.588@xxxxxxxxxxxxxxxxxxxxxxx

"Tim" <donotemail> wrote in message
news:OU4cGsTYHHA.2320@xxxxxxxxxxxxxxxxxxxxxxx
My organization currently has ~10 forests, each holding a single
domain. Each forest represents a separate location across the US and
there are trusts between all forests.

You can't really mean there are 9x8x7x6x5x4x3x2x2 == 725,760 trusts?

(The 10th domain would have 2[way] trusts with the other 9, then 9th
with the other 8 etc.)

We are looking to consolidate to a single forest / single domain Active
Directory infrastructure, but also add another site that will also need
to hold a DC to the new forest / domain

The last is trivial. Just add the Site, Subnet(s), Sitelink, and either
install the DC there or move it there (both physically and in Sites and
Services).

- but replicate over a dedicated link to the internet vs. a P2P WAN link.

Is it best to stick with the single forest / single domain concept for
this new site?

Technically we cannot know from the info given but the odds are immense
that this should be your plan.

Am I wrong in thinking that encapsulating active directory over IPsec
(ESP) would work in this scenario?

Some type of VPN, whether it is an L2TP/IPSec or a raw IPSec tunnel
(router to router) would likely be best.

We do have a PKI and I have read the articles per AD networks segmented
by firewalls and replication over firewalls, but am seeking clarity for
this unique site.

If you use a VPN and don't filter on those VPN interfaces the info on
replicating over a "firewall" won't be needed. That info is for when you
must penetrate the filters in the firewall but a VPN can allow you to
protect from all outside interference while choosing NOT to filter
between the locations.

Any help is appreciated.

You will also want to use ADMT to migrate those other domain/forests to
the current one if you are going to consolidate.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
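The site-setup steps Herb lists above (add the Site, Subnet(s) and Sitelink, then install or move the DC), plus a trust inventory for the ~90 trusts that consolidation is meant to retire, as an added PowerShell example that is not part of this thread and is not any poster's code. It assumes the ActiveDirectory module shipped with Windows Server 2012 or later (the thread predates it); the site name, subnet, link cost, replication interval and DC name are made-up placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Windows Server 2012+) and run from an account with Enterprise Admin rights.
Import-Module ActiveDirectory

# --- 0. Inventory the trusts you are about to decommission ----------------
# Each forest in a full mesh of N forests holds N-1 trust objects, so a 10-forest
# mesh shows 9 here per forest and N*(N-1) = 90 across all of them.
$trusts = Get-ADTrust -Filter *
$trusts | Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize
"Trust objects in this forest: $($trusts.Count)"

# --- 1. Placeholders (assumptions, adjust to your environment) -----------
$SiteName   = 'NewSite-WAN'               # assumed name of the new location
$SubnetCidr = '10.50.0.0/16'              # assumed address range behind the IPsec tunnel
$HubSite    = 'Default-First-Site-Name'   # existing site the new one replicates with
$LinkName   = "$HubSite-$SiteName"

# --- 2. Site object -------------------------------------------------------
New-ADReplicationSite -Name $SiteName -Description 'Site reached over the IPsec VPN'

# --- 3. Subnet(s) mapped to the site so the DC locator hands clients the local DC
New-ADReplicationSubnet -Name $SubnetCidr -Site $SiteName

# --- 4. Site link over the VPN --------------------------------------------
# Cost 200 and a 60-minute interval are assumed values; raise the cost relative
# to your private WAN links so the tunnel is not preferred for transit.
New-ADReplicationSiteLink -Name $LinkName `
    -SitesIncluded $HubSite, $SiteName `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# The new site is auto-added to DEFAULTIPSITELINK; take it out so only the
# explicit link above carries its replication traffic.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $SiteName }

# --- 5a. Move an existing DC into the new site (the "move it there" option)
# 'DC05' is a placeholder; the physical move still has to happen separately.
Move-ADDirectoryServer -Identity 'DC05' -Site $SiteName

# --- 5b. Or promote a fresh DC straight into the site (run on that server):
# Install-ADDSDomainController -DomainName 'corp.example' -SiteName $SiteName -InstallDns

# --- 6. Verify the topology and replication health ------------------------
Get-ADReplicationSiteLink -Filter * |
    Format-Table Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes -AutoSize
Get-ADReplicationSubnet -Filter * | Format-Table Name, Site -AutoSize
repadmin /replsummary
```

The trust inventory is the part worth keeping after the migration: run it again once ADMT has moved the accounts and remove any trust that is still listed, since each leftover trust is an authentication path into the consolidated forest that no longer serves a purpose.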



