Re: Child Domain
- From: jwd <jwd@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Jul 2007 01:26:00 -0700
Users from win.example.com will be able to access resources in example.com
using a trust.

The schemas of the two forests are completely separate. Changes in one will
not replicate to the other. In DNS, win.example.com is a child domain of
example.com, but in your AD it is not.

I wouldn't 'pound away' at the schema in win.example.com though, as if you
break it all your users will be lost. This wouldn't affect your core
services, but you would have to recreate all your users and reassign all
permissions to resources in example.com, as the users' SIDs would be different.
This would be a huge job.

For the mailboxes, you wouldn't need to extend the schema in
win.example.com as it contains no Exchange organisation. You can only create
mailboxes in the same forest as the Exchange organisation. So you could need
to create a placeholder account in example.com for each user in
win.example.com. This is a disabled, mailbox-enabled account. For each
disabled account you would assign Send As, Full Mailbox Access and External
Associated Account rights to the corresponding user in win.example.com.

Best Regards
Joe Dunn MCSE

"germanshorthairpointer@xxxxxxxxx" wrote:

Ok, I just want to toss out some assumptions I have at this point, so
please feel free to comment on them.

First, instead of creating a child domain, we can keep the domains
separate in a forest. Once we create a trust between the forests,
win.example.com users can access core services in example.com.

Secondly, by keeping the domains separate, we have two separate
schemas. We can pound away and modify the win.example.com schema as
needed, and if it blows up, the example.com domain is still functional
and serving up http and smtp to the outside world. Since a child
domain shares a common schema, would corrupting the schema in
win.example.com replicate to example.com?

Finally, and our main concern at the moment, we would like to map the
jdoe@xxxxxxxxxxx mailbox to the user 233344@xxxxxxxxxxxxxxxx. In a
forest trust, is this possible? I think so, but thus far, the
win.example.com domain does not contain Exchange attributes. I think
I need to run domainprep and forestprep.

Did I totally slaughter this? Any comments?

On Jul 11, 11:00 am, jwd <j...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

You cannot move a domain from one forest to another. To achieve what you
are after you need to create a new child domain and then migrate users,
computers etc into this domain.

You say you currently have one forest for core services and one for students
and other users. Apart from the extra administrative overhead of running two
forests, this is not a particularly bad setup for your type of environment
from a security point of view. Having separate forests for your
mischievous students and your core services gives you an extra layer of
security.

Best Regards
Joe Dunn MCSE

"germanshorthairpoin...@xxxxxxxxx" wrote:

Hello,

At our organization, we have the domains example.com and
win.example.com. It looks like win.example.com was set up as a domain
in a new forest. Is it possible to make win.example.com a child
domain of example.com?

More specifically, example.com was our initial domain for
administration. Eventually, we created win.example.com for students.
Users were scripted from our SIS and ERP systems into AD. Because it
is working well, we are adding faculty and staff into
win.example.com. We will use win.example.com for all users,
computers, etc, and use example.com as our core domain for servers
etc.

Thanks for your help!
Grant