Re: Child Domain
Joe,

Everything worked just as you said. Now I need to look at how the
users can log into OWA with the win.example.com account to access the
respective example.com. Any ideas?

Grant

On Jul 12, 4:26 am, jwd <j...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Users from win.example.com will be able to access resources in example.com
using a trust.

The schemas of the two forests are completely separate. Changes in one will
not replicate to the other. In DNS win.example.com is a child domain of
example.com but in your AD it is not.

I wouldn't 'pound away' at the schema in win.example.com though, as if you
break it all your users will be lost. This wouldn't affect your core
services but you would have to recreate all your users and reassign all
permissions to resources in example.com as the users' SIDs would be different.
This would be a huge job.

For the mailboxes you wouldn't need to extend the schema in
win.example.com as it contains no Exchange organisation. You can only create
mailboxes in the same forest as the Exchange organisation. So you would need
to create a placeholder account in example.com for each user in
win.example.com. This is a disabled mailbox-enabled account. For each
disabled account you would assign Send As, Full Mailbox Access and External
Associated Account rights to the corresponding user in win.example.com.

Best Regards
Joe Dunn MCSE
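The placeholder-account procedure Joe describes, scripted as an added example (this is not code from the thread or from either poster). It assumes the example.com resource forest runs an Exchange version with the Exchange Management Shell (2007 or later) plus the ActiveDirectory module, that example.com trusts win.example.com (NetBIOS name assumed to be WIN), and that the OU path, database name, domain controller name and the sample user 'jsmith' are constructed placeholders. Each of the three rights from the post maps to one cmdlet; the Associated External Account right is set through Set-User -LinkedMasterAccount, which writes msExchMasterAccountSid and is what lets the win.example.com logon be associated with the example.com mailbox.

```powershell
# Added example, not from the thread. Assumptions (all constructed):
#   - example.com forest runs Exchange 2007+ (Exchange Management Shell)
#     and has the ActiveDirectory module available;
#   - example.com trusts win.example.com; WIN is its NetBIOS name and
#     dc1.win.example.com is a domain controller in that forest;
#   - OU path and mailbox database name are placeholders.
Import-Module ActiveDirectory

function New-LinkedPlaceholderMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # user in win.example.com
        [string] $AccountDomain  = 'win.example.com',
        [string] $AccountNetbios = 'WIN',
        [string] $LinkedDc       = 'dc1.win.example.com',
        [string] $ResourceForest = 'example.com',
        [string] $PlaceholderOu  = 'OU=Linked Mailboxes,DC=example,DC=com',
        [string] $Database       = 'Mailbox Database 01'
    )

    # 1. Read the real account from the account forest so name and SID are
    #    taken from AD rather than retyped.
    $src    = Get-ADUser -Identity $SamAccountName -Server $AccountDomain -Properties DisplayName
    $master = "$AccountNetbios\$($src.SamAccountName)"

    # 2. Placeholder user in the resource forest: created disabled and kept
    #    disabled. Nobody logs on as it; it exists only to own the mailbox.
    $placeholder = New-ADUser -Name $src.Name -SamAccountName $src.SamAccountName `
        -DisplayName $src.DisplayName -Path $PlaceholderOu -Enabled $false `
        -Server $ResourceForest -PassThru

    # 3. Mailbox-enable the placeholder in the Exchange organisation.
    Enable-Mailbox -Identity $placeholder.DistinguishedName -Database $Database | Out-Null

    # 4. The three rights from the post, granted to the win.example.com user.
    #    Full Mailbox Access:
    Add-MailboxPermission -Identity $placeholder.DistinguishedName -User $master `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    #    Send As (an AD extended right on the user object):
    Add-ADPermission -Identity $placeholder.DistinguishedName -User $master `
        -ExtendedRights 'Send-As' | Out-Null
    #    Associated External Account: stored in msExchMasterAccountSid, which
    #    turns the mailbox into a linked mailbox tied to the trusted-forest SID.
    Set-User -Identity $placeholder.DistinguishedName -LinkedMasterAccount $master `
        -LinkedDomainController $LinkedDc

    # 5. Post-checks: the placeholder must still be disabled, and the link must
    #    point at the SID we looked up, not at some other principal.
    $check = Get-ADUser -Identity $placeholder.DistinguishedName -Server $ResourceForest `
        -Properties msExchMasterAccountSid
    if ($check.Enabled) {
        throw "Placeholder $($check.SamAccountName) must stay disabled"
    }
    if ([string]$check.msExchMasterAccountSid -ne [string]$src.SID) {
        throw "msExchMasterAccountSid on $($check.SamAccountName) does not match $master"
    }
    return $check
}

# Usage: one call per win.example.com user; in practice drive this from the
# same SIS/ERP export that provisions the accounts.
# New-LinkedPlaceholderMailbox -SamAccountName 'jsmith'
```

Keeping the placeholder disabled matters: the account carries Full Mailbox Access for someone else, so enabling it would create a second, password-bearing way into that mailbox. The SID comparison at the end catches the case where a same-named account exists in both forests and the link was resolved against the wrong one.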

"germanshorthairpoin...@xxxxxxxxx" wrote:
Ok, I just want to toss out some assumptions I have at this point, so
please feel free to comment on them.

First, instead of creating a child domain, we can keep the domains
separate in a forest. Once we create a trust between the forests,
win.example.com users can access core services in example.com.

Secondly, by keeping the domains separate, we have two separate
schemas. We can pound away and modify the win.example.com schema as
needed, and if it blows up, the example.com domain is still functional
and serving up http and smtp to the outside world. Since a child
domain shares a common schema, would corrupting the schema in
win.example.com replicate to example.com?

Finally, and our main concern at the moment, we would like to map the
j...@xxxxxxxxxxx mailbox to the user 233...@xxxxxxxxxxxxxxxx In a
forest trust, is this possible? I think so, but thus far, the
win.example.com domain does not contain exchange attributes. I think
I need to run domainprep and forestprep.

Did I totally slaughter this? Any comments?

On Jul 11, 11:00 am, jwd <j...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
You cannot move a domain from one forest to another. To achieve what you
are after you need to create a new child domain and then migrate users,
computers etc into this domain.

You say you currently have one forest for core services and one for students
and other users. Apart from the extra administrative overhead of running two
forests this is not a particularly bad setup for your type of environment
from a security point of view. Having separate forests for your
mischievous students and your core services gives you an extra layer of
security.

Best Regards
Joe Dunn MCSE

"germanshorthairpoin...@xxxxxxxxx" wrote:
Hello,

At our organization, we have the domains, example.com and
win.example.com. It looks like win.example.com was set up as a domain
in a new forest. Is it possible to make win.example.com a child
domain of example.com?

More specifically, example.com was our initial domain for
administration. Eventually, we created win.example.com for students.
Users were scripted from our SIS and ERP systems into AD. Because it
is working well, we are adding faculty and staff into
win.example.com. We will use win.example.com for all users,
computers, etc, and use example.com as our core domain for servers
etc.

Thanks for your help!

Grant
