Re: To trust or not to trust???



Hi Jmos,
Clearly, you'd want to maintain your structured processes until you can get the other IS manager to understand why you do things the way you do.
If your users require access to resources in the other forest, set up the forest trust.
If and when their Forest has been aligned with yours you can then migrate either into your own domain or, if policies allow, into a single domain.
You can use your regulatory requirements to insist on them having a tighter delegation model if you want.
Main thing is, once the politics is sorted and all parties have a unified view of where you want to go and why, the AD design is pretty straightforward and follows on from the corporate objectives.


Regards,

Austin

"jmos" <jmos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:CB823443-9DFF-46CE-A805-83C4B0D91A2B@xxxxxxxxxxxxxxxx
Hi Austin,

Firstly many thanks for the reply.

There is a 'human trust' issue but I think that that is normal in any
merger. Two IS managers, each trying to suss the other out! However, getting
beyond that, as we are currently two distinct entities with different methods
of working and as of yet we do not know what the ultimate network design
should be then do you think setting AD trusts is a 'safer' option whilst
business practices align?

To complicate matters a little both sites will be merging into one.
Ultimately we will be moving to their location and with their planned
infrastructure changes I don't want to place all our eggs in the one basket
as we do not know what interruptions to service might be.

Your thoughts are greatly appreciated.


"Austin Osuide" wrote:

Hi Jmos,
The underlying issue is one of trust. Not AD trusts mind :-)
Do you trust the way the partner forest is managed? Looks like, from what
I'm reading, they don't exactly trust you and want to delegate an OU in
their forest for you to manage your resources in.

I would have thought, if you had WS03 domains, that a forest trust would
have been easier to setup/manage than a migration of your resources into an
OU in their forest.
Also, if you do do the migration to an OU in the partner forest, why should
the migrated Admins be domain Admins? No need really. They can have
delegated responsibilities at the OU level.

There are no hard and fast technical reasons that determine which way you
should go wrt their forest or yours.
The political decision IMHO should be sorted out then the technical solution
will follow.

Regards,

Austin


"jmos" <jmos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE504811-A103-43AA-8823-0D617B20D982@xxxxxxxxxxxxxxxx
> We currently have two companies which need to merge but a difference of
> opinion and I could do with another view.
>
> As a standard practice I want to set up a trust between both forests so that
> resources can be easily accessed from each other domain without too much
> issue. This buys the IT depts from both sites time to align AD's over a 9
> month period.
>
> However, their IT dept don't want to do that as 'it's too much work' and
> 'more complicated'. Thus their suggestion is that they send us a DC
> configured in their domain and we migrate our AD into a subset OU of
> theirs.
>
> Obviously block inheritance would be a must and both sets of Admins would
> have to have access at Domain Level.
>
> I'm not convinced and want a more stable and staged approach to the merger
> of the two entities.
>
> Can anyone offer any help or advice on this issue?
>
> Many Thanks
>
> JMOS

