Forum.Brain-Cluster.com: Brain Cluster Technical Forum
2 DC's in single domain with 2 Vlans [message #156037] Tue, 09 June 2009 14:38
Maki (Junior Member)
I've got a question about this scenario: same company, two different staff
groups: Staff A and Staff B. Each one is separated by different vlans. So
one is on for instance 172.16.a.b network and the other is on a 192.168.16.a
network. They should not see each other at all. Now, if the domain is called
company.com, can I assume that:
1. I can create 2 DC's with Active Directory - one for each group of staff
and call them staffA.company.com and staffB.company.com? Remember staffA is
on 172 network and staffB on 192...Oh, also - each server is also a
DHCP/DNS/Printer/Antivirus server as the company doesn't have enough money to
follow Microsoft recommendations. I am trying to picture if I go to a member
of Staff A and want to join his computer to the domain - what do I type in
the domain bit when joining the computer? company.com or staffA.company.com?
Do I just let the ip address help direct the computer to the particular DC?
How would I connect them to the particular DC they should belong to? Or do I need
to create parent site company.com and then child sites staffA.company.com and
staffB.company.com?

2. If the 2 DC's can be within same domain as above initially thought - what
if I add a mail exchange server called mail and only want it to be for StaffA
(staffB have no need to use email server) - can I just connect
staffA.company.com to mail.company.com? I assume staff B will not be able to
see the mail server then?

I'm new at all this, so I was just wondering.

Thanks.
Re: 2 DC's in single domain with 2 Vlans [message #156041 is a reply to message #156037] Tue, 09 June 2009 16:09
meiweb(nospam) (Senior Member, Germany)
Hello maki,

1. You have to plan your setup to decide if you really need 2 domains or if one domain
with 2 sites will be enough. Normally you need different domains in different
forests when you have the need to create security boundaries. If this is one
company, one domain with 2 sites should be enough; this has nothing to do
with the ip subnets you use, even in one domain with multiple sites you can
use different subnets without any problem.

2. If you have a mailserver in one domain in a forest and like to use it
in another domain in the forest you have to run exchange /domainprep in the
domain without exchange to prepare AD for the needed attributes.

So please clarify what you are trying to achieve, either with one domain and
2 sites or 2 domains in one forest or 2 forests with one domain each.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've got a question about this scenario: same company, two different
> staff
> groups: Staff A and Staff B. Each one is separated by different
> vlans. So
> one is on for instance 172.16.a.b network and the other is on a
> 192.168.16.a
> network. They should not see each other at all. Now, if the domain is
> called
> company.com, can I assume that:
> 1. I can create 2 DC's with Active Directory - one for each group of
> staff
> and call them staffA.company.com and staffB.company.com? Remember
> staffA is
> on 172 network and staffB on 192...Oh, also - each server is also a
> DHCP/DNS/Printer/Antivirus server as the company doesn't have enough
> money to
> follow Microsoft recommendations. I am trying to picture if I go to a
> member
> of Staff A and want to join his computer to the domain - what do I
> type in
> the domain bit when joining the computer? company.com or
> staffA.company.com?
> Do I just let the ip address help direct the computer to the particular
> DC?
> How would I connect them to particular DC they should belong to? Or do
> I need
> to create parent site company.com and then child sites
> staffA.company.com and
> staffB.company.com?
> 2. If the 2 DC's can be within same domain as above initially thought
> - what if I add a mail exchange server called mail and only want it to
> be for StaffA (staffB have no need to use email server) - can I just
> connect staffA.company.com to mail.company.com? I assume staff B will
> not be able to see the mail server then?
>
> I'm new at all this, so I was just wondering.
>
> Thanks.
>
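Meinolf's recommendation above (one domain, two sites, each VLAN's subnet mapped to its site) as a worked example. This is editor-added code, not from the thread, from any poster, or from Microsoft documentation. It assumes the ActiveDirectory PowerShell module (RSAT for Windows Server 2012 or later), Domain Admin rights, the domain company.com, placeholder DC names DC-STAFFA and DC-STAFFB, and the placeholder prefixes 172.16.0.0/16 and 192.168.16.0/24 standing in for the poster's "172.16.a.b" and "192.168.16.a" networks:

```powershell
# Added example (not from the thread or any poster). Assumes the ActiveDirectory
# module (RSAT, Windows Server 2012 or later), Domain Admin rights, the domain
# company.com, placeholder DC names DC-STAFFA / DC-STAFFB, and placeholder
# prefixes 172.16.0.0/16 and 192.168.16.0/24 for the poster's two VLANs.
Import-Module ActiveDirectory

# Site name -> IP prefix. Both sites live in the ONE domain company.com; the
# site/subnet mapping, not a second domain, is what sends each VLAN's clients
# to their local DC.
$siteSubnets = @{
    'StaffA' = '172.16.0.0/16'
    'StaffB' = '192.168.16.0/24'
}

foreach ($site in $siteSubnets.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $prefix = $siteSubnets[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site
    }
}

# Put both sites on the default site link so the two DCs replicate with each
# other (replication traffic must therefore be routed between the two VLANs).
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = 'StaffA', 'StaffB' }

# Move each DC into its site (placeholder DC names).
Move-ADDirectoryServer -Identity 'DC-STAFFA' -Site 'StaffA'
Move-ADDirectoryServer -Identity 'DC-STAFFB' -Site 'StaffB'

# Checks a practitioner wants afterwards:
# 1. no subnet is left unassigned (clients there would pick a random DC);
# 2. the DC locator can find a DC per site;
# 3. the per-site SRV records exist in DNS, which is what a client in the
#    172.16 VLAN uses to find its DC after joining plain "company.com".
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to any site" }

foreach ($site in $siteSubnets.Keys) {
    Get-ADDomainController -Discover -SiteName $site -DomainName 'company.com' |
        Select-Object HostName, Site, IPv4Address
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.company.com"
}
```

With the subnets mapped, a workstation in the 172.16 VLAN is joined with plain company.com; the locator derives the client's site from its IP address and prefers the StaffA DC, falling back to the other DC if it is unreachable. Note that sites do nothing to keep the two VLANs apart: DC-to-DC replication (and that client fallback) still needs routing between the segments, so "they should not see each other" has to be enforced with firewall/ACL rules between the VLANs plus permissions on the resources themselves, not by the domain layout.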
Re: 2 DC's in single domain with 2 Vlans [message #156042 is a reply to message #156037] Tue, 09 June 2009 16:19
Phillip Windell (Senior Member, United States)
Domains have absolutely nothing to do with IP Segments.
IP Segments have absolutely nothing to do with Domains.

Define "see each other"?
If you want to block something...then block it...but just it...you cannot
simply "cut off" the two IP Segments from each other and expect the Domain
to survive.

Routers are Layer 3 with a relationship to Layer 4...security does not begin
and end with Layers 3 & 4. Blocking something with a Router ACL is not the
only way to deal with security.

Security is about controlling access to Resources. Controlling access to
Resources depends on what the Resources are and what function, application,
or service that "provides" the Resources to the users. Ask yourself how you
would handle this if they were all on the same IP Segment...the correct
answer to that question is your answer.

Router ACLs are only for "broad & crude" access controls.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"maki" <maki@discussions.microsoft.com> wrote in message
news:1D32FFEC-8246-477B-81E2-18439DEE9130@microsoft.com...
> I've got a question about this scenario: same company, two different staff
> groups: Staff A and Staff B. Each one is separated by different vlans. So
> one is on for instance 172.16.a.b network and the other is on a
> 192.168.16.a
> network. They should not see each other at all. Now, if the domain is
> called
> company.com, can I assume that:
> 1. I can create 2 DC's with Active Directory - one for each group of staff
> and call them staffA.company.com and staffB.company.com? Remember staffA
> is
> on 172 network and staffB on 192...Oh, also - each server is also a
> DHCP/DNS/Printer/Antivirus server as the company doesn't have enough money
> to
> follow Microsoft recommendations. I am trying to picture if I go to a
> member
> of Staff A and want to join his computer to the domain - what do I type in
> the domain bit when joining the computer? company.com or
> staffA.company.com?
> Do I just let the ip address help direct the computer to the particular DC?
> How would I connect them to particular DC they should belong to? Or do I
> need
> to create parent site company.com and then child sites staffA.company.com
> and
> staffB.company.com?
>
> 2. If the 2 DC's can be within same domain as above initially thought -
> what
> if I add a mail exchange server called mail and only want it to be for
> StaffA
> (staffB have no need to use email server) - can I just connect
> staffA.company.com to mail.company.com? I assume staff B will not be able
> to
> see the mail server then?
>
> I'm new at all this, so I was just wondering.
>
> Thanks.
Re: 2 DC's in single domain with 2 Vlans [message #156086 is a reply to message #156037] Wed, 10 June 2009 08:33
pbbergs (Senior Member, United States)
Inline

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"maki" <maki@discussions.microsoft.com> wrote in message
news:1D32FFEC-8246-477B-81E2-18439DEE9130@microsoft.com...
> I've got a question about this scenario: same company, two different staff
> groups: Staff A and Staff B. Each one is separated by different vlans. So
> one is on for instance 172.16.a.b network and the other is on a
> 192.168.16.a
> network. They should not see each other at all. Now, if the domain is
> called
> company.com, can I assume that:
> 1. I can create 2 DC's with Active Directory - one for each group of staff
> and call them staffA.company.com and staffB.company.com?

Seems like with limited resources you should be using the two dc's for fault
tolerance and separating the two with different OU's. If you have a dc
crash no one in that domain will be able to authenticate until the dc comes
back online. If you have to reboot the DC, no new tickets (Kerberos),
logons, etc. until the DC comes back online. So I would rethink your
strategy to see how you can work this out since you are so cash strapped.

> Remember staffA is
> on 172 network and staffB on 192...Oh, also - each server is also a
> DHCP/DNS/Printer/Antivirus server as the company doesn't have enough money
> to
> follow Microsoft recommendations. I am trying to picture if I go to a
> member
> of Staff A and want to join his computer to the domain - what do I type in
> the domain bit when joining the computer? company.com or
> staffA.company.com?
> Do I just let the ip address help direct the computer to the particular DC?
> How would I connect them to particular DC they should belong to? Or do I
> need
> to create parent site company.com and then child sites staffA.company.com
> and
> staffB.company.com?

Each domain doesn't need a root. When you go to join the domain you will
enter the AD domain name and it will then ask you for a user id and password
that has the authority to join a pc to the domain. By default every common
user in a domain has the authority to join 10 pcs.

>
> 2. If the 2 DC's can be within same domain as above initially thought -
> what
> if I add a mail exchange server called mail and only want it to be for
> StaffA
> (staffB have no need to use email server) - can I just connect
> staffA.company.com to mail.company.com? I assume staff B will not be able
> to
> see the mail server then?

Yes all can ping this Exchange server but only those given an account within
Exchange could use the machine.

>
> I'm new at all this, so I was just wondering.

It appears you are in way over your head, so I would recommend you get
yourself a good first book on Active Directory and start learning how to build
and maintain it.

Best of luck

>
> Thanks.
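Paul's two points above, separating the staff groups with OUs inside one domain and the default that lets every user join 10 PCs, as a worked example with the hardening a defender would apply. This is editor-added code, not from the thread or from any poster. It assumes the ActiveDirectory PowerShell module, Domain Admin rights, the domain company.com, and placeholder group names StaffA-Joiners and StaffB-Joiners; the "10 PCs" default is the ms-DS-MachineAccountQuota attribute on the domain object:

```powershell
# Added example (not from the thread or any poster). Assumes the ActiveDirectory
# module, Domain Admin rights, the domain company.com, and placeholder group
# names StaffA-Joiners / StaffB-Joiners.
Import-Module ActiveDirectory

$domain   = Get-ADDomain -Identity 'company.com'
$domainDn = $domain.DistinguishedName

# One domain, two OUs: the OU is where each staff group's GPOs, delegation
# and computer placement live (the VLAN itself does none of that).
foreach ($ou in 'StaffA', 'StaffB') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
        -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true
    }
}

# The "every user can join 10 PCs" default is ms-DS-MachineAccountQuota.
$quota = (Get-ADObject -Identity $domainDn `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota"

# Hardening: set it to 0 so ordinary users cannot create computer accounts
# at all (machines added that way land in the default Computers container,
# outside either staff OU and its policies) ...
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# ... and instead delegate "create computer objects" on each OU to a named
# group, so joins are done by known accounts and land in the right OU.
foreach ($ou in 'StaffA', 'StaffB') {
    $ouDn  = "OU=$ou,$domainDn"
    $group = "$ou-Joiners"
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -Path $ouDn
    }
    # dsacls: /I:T = this object and all sub-objects; CC = create child,
    # restricted to the "computer" object class.
    $ace = '{0}\{1}:CC;computer' -f $domain.NetBIOSName, $group
    dsacls $ouDn /I:T /G $ace
}

# Joining a Staff A workstation afterwards (run on the workstation, with an
# account that is a member of StaffA-Joiners):
#   Add-Computer -DomainName 'company.com' `
#       -OUPath "OU=StaffA,$domainDn" -Credential 'COMPANY\a-joiner' -Restart
```

With the quota at 0 and per-OU delegation in place, only members of StaffA-Joiners can add Staff A machines, and the join lands in the StaffA OU where that group's GPOs apply. Joining a machine to a pre-created computer account needs additional rights on that object beyond "create child", so pre-staged accounts should be created by the same delegated group.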