Child Domain Setup Question

 
Forum: microsoft.public.windows.server.active_directory

Kenneth Keeley
Posted: Mon May 15, 2006 5:18 am    Post subject: Child Domain Setup Question

Hi,
I have a scenario where I have a company that is divided into two separate
parts. I need to create an Active Directory domain structure that will meet
our needs. We need to have the structure set up so that one area is independent
of the other area in all aspects, including administration by IT staff, and yet
still be able to have an IT Super group that can administrate all parts of
the company and some other special users that will need access to both parts
of the company. I had two ideas on how I thought we could do this but I am
not sure of how to achieve the result.

Option 1: Create a parent domain (ie ourcompany.com), then create 2 child
domains (ie parta.ourcompany.com and partb.ourcompany.com). Each child domain
should be able to access the parent domain but not the other child domain.
The parent domain should be able to access the 2 child domains.

I think that this option is the better but am unsure of how to set it up.
Are the following steps correct?

1. Install Windows Server on First Server.
2. Run "dcpromo" and create the ourcompany.com domain. Including DNS Server.
3. Install Windows Server on second server and join ourcompany.com as a
member server.
4. Run "dcpromo" on second server and create the parta.ourcompany.com
domain.
3. Install Windows Server on third server and join ourcompany.com as a
member server.
4. Run "dcpromo" on third server and create the partb.ourcompany.com domain.
5. Fine tune and remaining details.

Option 2: Create 2 domains in the 1 forest and then set up some sort of trust
between the domains.

Thanks for any help provided.
Kenneth Keeley

Vicky
Posted: Mon May 15, 2006 7:07 am    Post subject: RE: Child Domain Setup Question

Well, all that you have planned seems to be fine.

One thing is that you take care of the DNS setup. Each domain should have an
AD integrated DNS server.
Also the trust relation is set automatically. You just need to grant
permissions to users/groups to be able to access resources in other domains.
And one most important thing is that if this domain tree structure of yours would
be spanning over multiple IP networks/locations, then you need to create AD
sites & have replication configured.

Kenneth Keeley
Posted: Mon May 15, 2006 10:00 am    Post subject: Re: Child Domain Setup Question

Thank you for getting back to me.

"Vicky" <Vicky@discussions.microsoft.com> wrote in message
news:5D250641-6B7D-4F2B-958E-3F300DEA9F5F@microsoft.com...
Quote:
Well, all that you have planned seems to be fine.

One thing is that you take care of the DNS setup. Each domain should have
an AD integrated DNS server.
Also the trust relation is set automatically. You just need to grant
permissions to users/groups to be able to access resources in other
domains.


What type of trust will be automatically created?

Will the default Domain Administrators for each of the domains be able to
access/administrate all of the domains or only the ones that I want them to
be able to access? If they can access/administrate all domains, what is the
best way to stop them?

Quote:
And one most important thing is that if this domain tree structure of yours
would be spanning over multiple IP networks/locations, then you need to create
AD sites & have replication configured.




Thanks for your help.
Kenneth Keeley

Vicky
Posted: Mon May 15, 2006 10:52 am    Post subject: Re: Child Domain Setup Question

The trust created is a bidirectional, implicit, transitive trust between domains
in the same tree.

There are three levels of administration in a Windows 2003 based
forest/domain.
1] Enterprise Admin - has admin privileges to all the domains in the forest.
2] Domain Admin - has admin privileges to a specific domain
3] Administrator - has admin privilege to a specific system (local admin)

By default the domain admin of the first domain in the forest also assumes
the forest admin privileges.
The domain admin of the child domain has admin privileges to the child
domain only & not to any other domain.

Now two things to remember. The difference between trust relationship &
resource access permission is like the difference between having a passport
& having a visa.
The passport is the trust & the visa is the permission.
Though you may have a passport (ie trust) but don't have a visa (no access
permission) then you cannot access resources in the other domain.
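
The trust and administration levels described in the answer above can be checked on a running forest. The PowerShell below is an added example, not part of the original thread: it lists each domain's trusts, flags members of the built-in Administrators group whose account lives in a different domain, and lists Enterprise Admins. It assumes the ActiveDirectory module (RSAT, which postdates the Windows Server 2003 tools in this thread), domain controllers that run Active Directory Web Services, and read access to every domain.

```powershell
# Added example. Assumes the ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = @(foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName

    # Trusts held by this domain. Parent-child trusts created automatically
    # inside one forest show up with IntraForest = True.
    foreach ($trust in (Get-ADTrust -Filter * -Server $domainName)) {
        [pscustomobject]@{
            Domain = $domainName; Kind = 'Trust'; Subject = $trust.Name
            Detail = "Direction=$($trust.Direction); IntraForest=$($trust.IntraForest)"
        }
    }

    # Built-in Administrators (well-known SID S-1-5-32-544, locale independent).
    # Read the raw 'member' DNs so no lookup in other domains is needed.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $domainName -Properties member
    foreach ($memberDn in $admins.member) {
        # Domain part of the DN: everything from the first DC= component onward.
        $memberDomainDn = ($memberDn -split '(?<!\\),(?=DC=)', 2)[1]
        $origin = if ($memberDomainDn -eq $domain.DistinguishedName) { 'same domain' } else { 'OTHER DOMAIN' }
        [pscustomobject]@{
            Domain = $domainName; Kind = 'Administrators member'
            Subject = $memberDn; Detail = $origin
        }
    }
})

# Enterprise Admins exists only in the forest root domain (RID 519).
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID
$ea = Get-ADGroup -Identity "$($rootSid.Value)-519" -Server $forest.RootDomain -Properties member
$report += @(foreach ($memberDn in $ea.member) {
    [pscustomobject]@{
        Domain = $forest.RootDomain; Kind = 'Enterprise Admins member'
        Subject = $memberDn; Detail = 'forest-wide rights'
    }
})

$report | Sort-Object Domain, Kind | Format-Table -AutoSize -Wrap
```

In a default forest, each child domain's Administrators group shows the root domain's Enterprise Admins group as an 'OTHER DOMAIN' member; any other cross-domain entry is a grant someone added by hand.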

Tan Lee Yew
Posted: Wed May 17, 2006 10:21 am    Post subject: Re: Child Domain Setup Question

I've a Windows 2000 domain controller and recently, I've configured a child
domain (Windows Server 2003) to point to the Windows 2000 domain controller.
Now I have a problem.

All the Windows 2k Pro clients cannot access the child domain (win2k3). It
pops up the message: 'Logon Failure: Account currently disabled'. The
strange thing is, all the WinXP Pro clients can access it.

What should I do to enable all accounts to access the child domain? I've
tried adding the Win2k domain users groups to the Win2k3 child domain, but
it's not working. Please help.

Vicky
Posted: Wed May 17, 2006 6:51 pm    Post subject: Re: Child Domain Setup Question

Did you prepare the forest for setting up a Win 2003 DC as a DC for the child
domain in a Win 2000 forest?

Tan Lee Yew
Posted: Thu May 18, 2006 5:16 am    Post subject: Re: Child Domain Setup Question

You mean run adprep /forestprep and adprep /domainprep on the win2k domain?
Yes. It's successfully done.