Forum.Brain-Cluster.com: Brain Cluster Technical Forum

Cross Domain privileges for Domain Admins [message #156139] Wed, 10 June 2009 20:26
blankmonkey (Junior Member)
2008 native Domain setup (no 2003 or older)

                /----Domain-Child1 (Users)
Domain-Parent---
                \----Domain-Child2 (Servers, applications, services)

I have complete control over all the domains.
It has been decided via Policy that all users will reside in Domain-Child1.
What trusts need to be set up, groups set up, members added, etc. so that I
can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
Domain-Child2?

Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
an Enterprise Admin.
Re: Cross Domain privileges for Domain Admins [message #156159 is a reply to message #156139] Thu, 11 June 2009 08:24
pbbergs (Senior Member, United States)
By default all domains within a forest have a hierarchical and transitive
trust with one another. So it doesn't matter where the clients and users
reside. So my guess is whoever helped design this layout is still thinking in
terms of NT4. If you are doing this for security reasons then this isn't
correct; the security boundary is the forest, not the domain. Because of this
I would strongly suggest that you reconsider and create a single domain
within your forest.

The forest structure you describe will require a minimum of 6 domain
controllers to be properly protected in the event of any problems; if it
were a single domain it would then be only 2.

Ulf B Simon-Weidner has a short explanation on security boundaries that you
might want to read over:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:5E50FE94-78F8-4EC6-A84A-A23F16BD7D8E@microsoft.com...
> 2008 native Domain setup (no 2003 or older)
>
> /----Domain-Child1 (Users)
> Domain-Parent---
> \----Domain-Child2 (Servers,applications,
> services)
>
> I have complete control over all the domains.
> It has been decided via Policy that all users will reside in Domain-Child1
> What trusts need to be set up, groups setup, members added, etc. so that
> I
> can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
> Domain-Child2?
>
> Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
> and enterprise admin.
Re: Cross Domain privileges for Domain Admins [message #156160 is a reply to message #156139] Thu, 11 June 2009 10:19
aceman (Senior Member, United States)
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:5E50FE94-78F8-4EC6-A84A-A23F16BD7D8E@microsoft.com...
> 2008 native Domain setup (no 2003 or older)
>
> /----Domain-Child1 (Users)
> Domain-Parent---
> \----Domain-Child2 (Servers,applications,
> services)
>
> I have complete control over all the domains.
> It has been decided via Policy that all users will reside in Domain-Child1
> What trusts need to be set up, groups setup, members added, etc. so that
> I
> can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
> Domain-Child2?
>
> Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
> and enterprise admin.


I agree as well with Paul and Meinolf. Why bother with the child domains? I
don't know your company's full business requirements or administrative
breakdown, but single domains work fine 99% of the time. Otherwise, it
will complicate matters and introduce additional costs and administration
overhead, as well as complicate the DNS resolving infrastructure to support
it. As said, the security boundary is the forest; therefore, you can control
access by administrators by using OU delegation to specific locations or
departments while you have carte blanche on the forest.

Remember, use the KISS method. The more complicated it gets, especially when
it doesn't need to be, the more security issues it can introduce. I've seen
global networks with 1000's of users all in one domain with no problems.
I've also seen global networks with multiple child domains with
complications that could have been avoided if it were one domain.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
Re: Cross Domain privileges for Domain Admins [message #156171 is a reply to message #156139] Thu, 11 June 2009 10:00
meiweb(nospam) (Senior Member, Germany)
Hello blankmonkey,

I agree with Paul's advice and would redesign to a single-domain forest.
This will also make administration, and restores in case of failures, easier.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Cross Domain privileges for Domain Admins [message #156182 is a reply to message #156160] Thu, 11 June 2009 12:17
blankmonkey (Junior Member)
Thank you all for your responses, and I do agree completely with what you
say. But please note, this is a policy decision and out of my hands.
Redesigning it is not an option; management has dictated the current
situation.

So my original question remains.


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:5E50FE94-78F8-4EC6-A84A-A23F16BD7D8E@microsoft.com...
> > 2008 native Domain setup (no 2003 or older)
> >
> > /----Domain-Child1 (Users)
> > Domain-Parent---
> > \----Domain-Child2 (Servers,applications,
> > services)
> >
> > I have complete control over all the domains.
> > It has been decided via Policy that all users will reside in Domain-Child1
> > What trusts need to be set up, groups setup, members added, etc. so that
> > I
> > can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
> > Domain-Child2?
> >
> > Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
> > and enterprise admin.
>
>
> I agree as well with Paul and Meinolf. Why bother with the child domains? I
> don;t know your company's full business requirements or adminstrative
> breakdown, but single domains work fine in 99% of the time. Otherwise, it
> will complicate matters and introduce additional costs and administration
> overhead, as well as complicate the DNS resolving infrastructure to support
> it. As said, the security boundary is the forest, therefore, you can control
> access by administrators by using OU delegation to specific locations or
> departments meanwhile you having carte blanche on the forest.
>
> Remember, use the KISS method. The more complicated it gets, especially if
> not needing it to be, can introduce security issues as well. I've seen
> global networks with 1000's of users all in one domain with no problems.
> I've also seen global networks with multiple child domains with
> complications that could have been avoided if it were one domain.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>
>
Re: Cross Domain privileges for Domain Admins [message #156190 is a reply to message #156182] Thu, 11 June 2009 12:33
aceman (Senior Member, United States)
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:B1D95994-339B-4F4C-AA7F-83BC683C501B@microsoft.com...
>
> Thank you all for your response, and I do agree completely with what you
> say. But please note, this is a policy decision and out of my hands.
> Redesigning it is not an option; management has dictated the current
> situation.
>
> So my original question remains.

As stated, no additional trusts are required. They are transitive across a
forest.

The Enterprise Admin account, or EA, which is also the default admin account
in the forest root domain, has carte blanche across the entire forest
(meaning it can logon to any domain and make changes).

If you want a child domain admin account to log on to another, then you have
to specifically add the admin account from that domain to the other domain's
local admin group.

Ace
Re: Cross Domain privileges for Domain Admins [message #156193 is a reply to message #156190] Thu, 11 June 2009 12:59
blankmonkey (Junior Member)
@Meinolf
TY, I will try this shortly

@Ace
The EA group is restricted to use by committee :(
Can you be more specific about the "other domain's local admin group"? I
tried the Administrators group on a DC, and it failed.



"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:B1D95994-339B-4F4C-AA7F-83BC683C501B@microsoft.com...
> >
> > Thank you all for your response, and I do agree completely with what you
> > say. But please note, this is a policy decision and out of my hands.
> > Redesigning it it not an option, management has dictated the current
> > situation.
> >
> > So my original question remains.
>
> As stated, no additional trusts are required. They are transitive across a
> forest.
>
> The Enterprise Admin account, or EA, which is also the default admin account
> in the forest root domain, has carte blanche across the entire forest
> (meaning it can logon to any domain and make changes).
>
> If you want a child domain admin account to log on to another, then you have
> to specifically add the admin account from that domain to the other domain's
> local admin group.
>
> Ace
>
>
>
>
Re: Cross Domain privileges for Domain Admins [message #156194 is a reply to message #156182] Thu, 11 June 2009 12:31
meiweb(nospam) (Senior Member, Germany)
Hello blankmonkey,

Create a global group in domain 1 and place the user account (domain admin)
within this group. Then create a universal group in domain 2, place the
global group created in domain 1 into the universal group, and place the
universal group in the Domain Admins group in domain 2.

Also see here about group scopes and the use of them:
http://technet.microsoft.com/en-us/library/cc755692.aspx

Additionally, I would still talk to the decision makers, as a last option,
about the disadvantages of their approach, if not done already.

Best regards

Meinolf Weber


Re: Cross Domain privileges for Domain Admins [message #156212 is a reply to message #156193] Thu, 11 June 2009 18:50
aceman (Senior Member, United States)
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:D6323B48-6864-4C4D-A6EA-FFFE65CA8BB6@microsoft.com...
> @Meinolf
> TY, I will try this shortly
>
> @Ace
> The EA group is restricted to use by committee :(
> Can you be more specific about the "other domain's local admin group"? I
> tried the Administrators group on a DC, and it failed.
>


Add the Administrator from child domain1 to child domain2's local
Administrators group, not the Global Domain Admin group.

What do you mean by 'it failed?'

Ace
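The PowerShell below is an added example and not code posted in this thread. It combines Meinolf's group-nesting suggestion with Ace's advice above, with one correction that explains why the last step of the nesting cannot be applied literally: Domain Admins is a global group, and by the group-scope rules a global group can contain only accounts and global groups from its own domain, so neither a Child1 account nor a universal group can be put into Child2's Domain Admins. Child2's built-in Administrators group is domain local and accepts accounts and global groups from any domain in the forest, which is why adding the Child1 account to it worked for blankmonkey. The domain names, OU paths, the account jdoe.adm and the group name Child2-Admins-Src are assumptions; the ActiveDirectory module assumes Windows Server 2008 R2 RSAT and a 2008 R2 DC (or ADWS) reachable in each domain.

```powershell
# Added example, not from the thread. Makes a Child1 admin account an
# administrator of Child2 without Enterprise Admins membership and without
# any new trust (the intra-forest trusts are already transitive).
# Assumed names: child1.corp.example, child2.corp.example, user jdoe.adm.
Import-Module ActiveDirectory

$child1    = 'child1.corp.example'   # assumption: domain holding user accounts
$child2    = 'child2.corp.example'   # assumption: domain holding servers
$adminUser = 'jdoe.adm'              # assumption: the single admin account in Child1
$srcName   = 'Child2-Admins-Src'     # assumption: global group name in Child1

# 1. A global group in Child1 that holds the admin account(s). A global group
#    only accepts principals from its own domain, so it has to live in Child1.
New-ADGroup -Server $child1 -Name $srcName -SamAccountName $srcName `
    -GroupScope Global -GroupCategory Security `
    -Path 'OU=Admin Groups,DC=child1,DC=corp,DC=example'
Add-ADGroupMember -Server $child1 -Identity $srcName `
    -Members (Get-ADUser -Server $child1 -Identity $adminUser)

# 2. Nest that group into Child2's built-in Administrators group (domain
#    local, SID S-1-5-32-544). Domain Admins in Child2 is a global group and
#    would reject both the Child1 account and a universal group, so it
#    cannot be the target; Administrators is the group that can take
#    cross-domain members.
$src = Get-ADGroup -Server $child1 -Identity $srcName
Add-ADGroupMember -Server $child2 -Identity 'Administrators' -Members $src
# If the cmdlet returns a referral error for the foreign object, write the
# member attribute directly with the Child1 DN instead:
#   Set-ADGroup -Server $child2 -Identity 'Administrators' -Add @{member = $src.DistinguishedName}
# Equivalent without the AD module, run on a Child2 DC (Ace's approach,
# adding the account itself rather than a group):
#   net localgroup Administrators CHILD1\jdoe.adm /add

# 3. Verify from Child2: expand Administrators recursively and confirm the
#    Child1 account is an effective member.
Get-ADGroupMember -Server $child2 -Identity 'Administrators' -Recursive |
    Where-Object { $_.SamAccountName -eq $adminUser } |
    Select-Object SamAccountName, DistinguishedName
```

Two caveats a practitioner will want. Membership of Child2's built-in Administrators gives admin rights on Child2's domain controllers and over directory objects, but Child2 member servers place CHILD2\Domain Admins, not the domain's BUILTIN\Administrators, into their local Administrators group, so for server access the Child1 group also has to be pushed into local Administrators (for example through a Restricted Groups GPO) or granted per server. And the nesting makes whoever controls the Child1 group, or Child1's Domain Admins, an administrator of Child2; that is the practical form of the point made earlier in the thread that the forest, not the domain, is the security boundary. After logging on to a Child2 DC with the Child1 account, whoami /groups should list BUILTIN\Administrators (S-1-5-32-544) among the token groups.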
Re: Cross Domain privileges for Domain Admins [message #156213 is a reply to message #156212] Thu, 11 June 2009 19:10
blankmonkey (Junior Member)
On the child-domain2 domain controller, there is an "Administrators" group.
When I try to add my domain admin account from child-domain1 to the group, I
get an error.

DAMNIT!!

Ok, I SWEAR it didn't work yesterday!!!

Today, I added my domain admin user with no problems, and was even able to
log in via RDP.

<Humbly hanging my head> Thank you Ace.


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:D6323B48-6864-4C4D-A6EA-FFFE65CA8BB6@microsoft.com...
> > @Meinolf
> > TY, I will try this shortly
> >
> > @Ace
> > The EA group is restricted to use by commity :(
> > Can you be more specific about the "other domains local admin group" I
> > tried the administrators group on a DC, and it failed.
> >
>
>
> Add the Administrator from child domain1 to child domain2's local
> Administrators group, not the Global Domain Admin group.
>
> What do you mean by 'it failed?'
>
> Ace
>
>
>
Re: Cross Domain privileges for Domain Admins [message #156215 is a reply to message #156213] Thu, 11 June 2009 19:32
aceman (Senior Member, United States)
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:EA4AD1C5-DF08-4B81-A942-2E99A6310C0D@microsoft.com...
>
> On the child-domain2 domain controler, there is an "Administrators" group.
> When I try to add my domain admin account from child-domain1 to the group,
> I
> get an error;
>
> DAMNIT!!
>
> Ok, I SWEAR it didn't work yesterday!!!
>
> Today, I added my domain admin user with no probelms, and was even able to
> login RDP.
>
> <Humbly hanging my head> Thank you Ace.




My pleasure! And don't worry about it, it's cool... it's all good!

Ace
Re: Cross Domain privileges for Domain Admins [message #160852 is a reply to message #156194] Wed, 09 September 2009 11:24
dr_Lester (Junior Member, United States)
Hi Meinolf Weber,
I don't understand your answer:

I have created a global group in dom1, and I have added the Domain
Admins@dom1 group as a member of this group.
After that I created a universal group in dom2, but:
in this group I can't browse the other domain under Members; I can browse
the other domain under Member Of, but I don't see the global group created
before.

Please can you explain it to me?

Regards
--
dr_Lester
View this thread: http://forums.techarena.in/active-directory/1195414.htm
Re: Cross Domain privileges for Domain Admins [message #160873 is a reply to message #160852] Wed, 09 September 2009 23:34
aceman (Senior Member, United States)
"dr_Lester" <dr_Lester.3y97ra@DoNotSpam.com> wrote in message
news:dr_Lester.3y97ra@DoNotSpam.com...

Dr Lester,

Since the post you are replying to is an older post, and the person who
originally posted possibly has a different setup than yours, it would
probably be better if you started fresh and posted your own new thread and
stated your current setup: what operating system version, what the domain and
forest functional levels are set to, as well as whether domain1 and domain2 are
part of the same forest or different forests with a forest trust or a two-way
NTLM trust, how DNS is set up between the domains or across the forest trust,
whether there is a DNS parent-child delegation in the forest, etc.

From what you posted, it appears that the two domains may be in the same
forest, and you created the Universal group in a child domain. I would
suggest creating your Universal groups in the forest root domain. If you
cannot see a Universal group, it can also be caused by one domain being at a
different functional level.

If my assumptions are incorrect regarding your setup, please elaborate on
your infrastructure as I mentioned above. This will help us better understand
what you have so we can help you better.

Ace

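To collect the facts Ace asks for before debugging a cross-domain membership problem (same forest or not, functional levels, trust types and directions, and whether the other domain's group is visible at all), here is an added PowerShell example that is not part of the thread. It uses the .NET System.DirectoryServices classes rather than the ActiveDirectory module, so it runs on Windows Server 2008 without R2 from any domain-joined machine as a user who can read the directory. The group name Child2-Admins-Src queried at the end is an assumption.

```powershell
# Added example, not from the thread: inventory the forest, its domains,
# functional levels and trusts, then check whether a group from another
# domain is visible in the global catalog. Uses System.DirectoryServices
# only, so no ActiveDirectory module is required.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: {0}   ForestMode: {1}   RootDomain: {2}" -f $forest.Name, $forest.ForestMode, $forest.RootDomain.Name

# Every domain in the forest with its functional level. A domain still at a
# mixed level is the first thing to look for when universal groups or
# cross-domain nesting behave unexpectedly.
foreach ($d in $forest.Domains) {
    "Domain: {0,-32} DomainMode: {1,-22} PDC: {2}" -f $d.Name, $d.DomainMode, $d.PdcRoleOwner.Name
}

# Trusts. Forest-level trusts answer "different forest with a forest trust?";
# domain-level trusts show the intra-forest parent/child links and any
# external (NTLM-style) trusts, with their direction.
foreach ($t in $forest.GetAllTrustRelationships()) {
    "ForestTrust: {0} -> {1}   Type={2} Direction={3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
}
foreach ($d in $forest.Domains) {
    foreach ($t in $d.GetAllTrustRelationships()) {
        "DomainTrust: {0} -> {1}   Type={2} Direction={3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
    }
}

# Can the global catalog see the other domain's group? The object picker in
# the second domain resolves cross-domain principals through the GC, so if
# the group is missing here (not yet replicated, wrong name, or not a
# security group) the picker cannot show it either.
$groupName = 'Child2-Admins-Src'   # assumption: the global group created in the first domain
$gc = $forest.FindGlobalCatalog()
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry ("GC://" + $gc.Name)
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=$groupName))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'groupType'))
$result = $searcher.FindOne()
if ($result) {
    # groupType flags: 0x2 global, 0x4 domain local, 0x8 universal;
    # the sign bit (0x80000000) set means security-enabled, so the stored
    # Int32 is negative for security groups.
    $gt = [int]$result.Properties['grouptype'][0]
    $scope = if ($gt -band 0x2) { 'Global' } elseif ($gt -band 0x4) { 'DomainLocal' } elseif ($gt -band 0x8) { 'Universal' } else { 'Unknown' }
    "Found in GC ({0}): {1}   scope={2} securityEnabled={3}" -f $gc.Name, $result.Properties['distinguishedname'][0], $scope, ($gt -lt 0)
} else {
    "Group '$groupName' not found in the global catalog $($gc.Name); check replication, the name, and that it is a security group."
}
```

Reading the output: only global and universal security groups are published to the GC and nestable across domains; a distribution group or a domain local group from the first domain will never appear as a candidate member in the second domain, whatever the functional level.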