Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD integration [message #160046] Mon, 17 August 2009 08:24
Mel.K (United States)
Messages: 38, Registered: July 2009, Member
Hello Folks:

I have a question regarding a merger of two companies and how they can
enable seamless client access before they actually merge their AD domains.

Background:

DEF Inc. has 10 locations and GHI Inc. also has 10 locations. Both are on AD
2003 and have one forest/domain each. They both use AD-integrated DNS and
have all their AD sites/subnets set up properly. Eventually they will both
merge into a new AD forest/domain or consolidate into one of the existing
forests/domains. Right now they have connected all their LANs and all 20
locations can see each other.

Scenario:

At this point, no AD merging or consolidation has been done. JSmith from DEF
goes into a GHI office to work for the day. How does JSmith's computer find
a DC for DEF? Since he's in a GHI office, his computer is getting a DHCP
assigned IP address from a GHI server. DHCP also points his computer to a
GHI DNS server. The GHI DNS zones have no service records for the DEF AD
domain so JSmith will never be able to find a DEF DC.

Desired outcome:

Allow all employees from both companies to work from any of the 20 combined
locations and be able to seamlessly log on to their respective AD domains.

--
Thank you,
Mel K.
MCSA: M
Re: AD integration [message #160051 is a reply to message #160046] Mon, 17 August 2009 09:48
aceman (United States)
Messages: 5816, Registered: July 2009, Senior Member
One thing to start off with is configure a conditional forwarder from
company1 to company2 and vice versa, then create a forest trust between the
two forests. Both forests must be in Windows 2003 Native mode. After that,
add the Domain Users group from company1 to company2's Local Users group,
and vice versa, then the Domain Admins group of company1 to company2's local
administrator group and vice versa.

In a nutshell:

==================================================================
Forest Trusts

Scenario:

Forest A
Forest B
Forest trust required between both Forests.

Forest trusts rely on DNS. DNS must be configured to allow resolution
between both Forests.

Configure Conditional Forwarders on all of A's DNS servers to two of B's DNS
servers, and vice versa.

Make absolutely sure ALL firewall ports are opened between the two
locations, otherwise things will not work.

Both forests must be at a minimum of Windows 2003 Functional Level, which means
each domain in the forest must be at that level before the forest level can
be raised.

Ensure that no DCs are multihomed, no DCs have RRAS installed, neither forest
domain name is a single label name ('domain' vs the minimal required format of
'domain.com,' 'domain.local,' etc), there are no references to any other
DNS server in any IP properties to an ISP's or router DNS, and ensure that
all SRV records exist in DNS and there are no Event log errors on any of the
DCs, otherwise expect errors such as lack of communication and authentication
to occur.

Then once DNS resolution has been confirmed, and the trust configured and
verified, add the Domain Users from A to the Local Domain Users on B, and
vice versa, and do the same for the Domain Admins of A to the Local
Administrators group on B, and vice versa. Configure permissions
appropriately on resources.

Please read the following to better help with the trust issue.

Checklist: Creating a forest trust: Active Directory (Jan 21, 2005) ...
(Optional) Review the various trust types and understand forest trust
concepts ... Raise the forest functional level. Create a forest trust. ...
http://technet.microsoft.com/en-us/library/cc756852(WS.10).aspx

Create a forest trust: Active Directory (Jan 21, 2005) ... To successfully
create a forest trust, your environment will need to be set up properly. For
more information, see the checklist for ...
http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
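The checklist above (cross-forest SRV resolution, no single-label domain names, firewall ports open) can be verified from one side before the trust is attempted. The following PowerShell script is an added example, not code from the reply or from Microsoft; it assumes PowerShell 3 or later, a DEF DNS server at 10.1.0.10, GHI's forest root named ghi.local and a GHI DC at 10.2.0.10, all of which are placeholders.

```powershell
# Constructed example: DEF's side checking GHI's forest. All names and
# addresses below are assumptions; substitute the real ones.
$LocalDnsServer = '10.1.0.10'   # a DEF DNS server (assumed)
$RemoteForest   = 'ghi.local'   # GHI's forest root domain (assumed)
$RemoteDc       = '10.2.0.10'   # a GHI domain controller (assumed)

function Test-SingleLabelName {
    param([string]$DomainName)
    # 'ghi' is single-label; the checklist requires 'ghi.local', 'ghi.com', etc.
    return ($DomainName -notmatch '\.')
}

function Test-ForestSrvRecords {
    param([string]$DnsServer, [string]$Forest)
    # The SRV records a client uses to find a DC, a Kerberos KDC and a GC.
    $names = @("_ldap._tcp.dc._msdcs.$Forest",
               "_kerberos._tcp.dc._msdcs.$Forest",
               "_ldap._tcp.gc._msdcs.$Forest")
    foreach ($name in $names) {
        # Windows nslookup prints 'svr hostname = ...' for each SRV answer.
        $out = & nslookup -type=SRV $name $DnsServer 2>&1 | Out-String
        [pscustomobject]@{ Record = $name; Resolvable = ($out -match 'svr hostname') }
    }
}

function Test-TrustPorts {
    param([string]$Target)
    # TCP ports a forest trust and cross-forest logon depend on
    # (RPC dynamic ports and UDP are not covered by this simple check).
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; GC = 3268 }
    foreach ($p in $ports.GetEnumerator()) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($Target, $p.Value); $open = $true }
        catch   { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Service = $p.Key; Port = $p.Value; Open = $open }
    }
}

if (Test-SingleLabelName $RemoteForest) {
    Write-Warning "$RemoteForest is a single-label domain name; fix that before building the trust"
}
Test-ForestSrvRecords -DnsServer $LocalDnsServer -Forest $RemoteForest | Format-Table -AutoSize
Test-TrustPorts -Target $RemoteDc | Format-Table -AutoSize
```

Run the same script from a GHI DNS server against DEF's forest so both directions are confirmed before the trust is created.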
Re: AD integration [message #160054 is a reply to message #160051] Mon, 17 August 2009 10:56
Mel.K (United States)
Messages: 38, Registered: July 2009, Member
Duh! I forgot all about conditional forwarding (I've never had to use it
before). I'm not trying to set up any type of forest/domain trusts at this
point. I simply need to allow users to logon to their own AD domain from any
office. That being the case, I think all I need is to set up conditional
forwarding on both sides. Can I use dnscmd or something else to apply the
forwarders to all DNS servers automatically? Thanks.


--
Thank you,
Mel K.
MCSA: M
Re: AD integration [message #160058 is a reply to message #160054] Mon, 17 August 2009 11:44
aceman (United States)
Messages: 5816, Registered: July 2009, Senior Member
Going on memory (Trying to remember the switches)...


dnscmd servername.company1.com /zoneadd company2.com /forwarder {IPAddressOfCompany2's DNS}

or

dnscmd servername.company1.com /zoneadd company2.com /DsForwarder {IPAddressOfCompany2's DNS}


Here's more info if I have it wrong.

Dnscmd Syntax: Domain Name System (DNS) (Nov 5, 2007) ... dnscmd
ServerName Command [Command Parameters] ... or /dsforwarder creates a
zone that performs conditional forwarding. ...
http://technet.microsoft.com/en-us/library/cc756116(WS.10).aspx

Dnscmd: dnscmd /resetforwarders. Sets DNS servers to forward recursive
queries. ... or /dsforwarder creates a zone that performs conditional
forwarding. ...
http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx

DNS Conditional Forwarders
http://msmvps.com/blogs/ulfbsimonweidner/archive/2006/09/30/DNS-Conditional-Forwarders-_2D00_-AD-integrated.aspx

Ace
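Mel's question was how to push the forwarder to every DNS server at once. The /forwarder form in the reply creates the conditional forwarder zone only on the server named in the command, so the rollout is a loop over the server list, followed by a check that the zone now lets a DEF DNS server locate a GHI DC. This PowerShell wrapper is an added example, not code from the reply; it assumes PowerShell 3 or later, dnscmd on the path, DEF DNS servers dc1.def.local and dc2.def.local, the GHI zone ghi.local and GHI DNS servers 10.2.0.10 and 10.2.0.11, all placeholders.

```powershell
# Constructed example: DEF's DNS servers learn to forward GHI's zone.
# Server names, zone and addresses are assumptions; substitute the real ones.
$DefDnsServers = @('dc1.def.local', 'dc2.def.local')
$GhiZone       = 'ghi.local'
$GhiDnsIps     = @('10.2.0.10', '10.2.0.11')   # two of GHI's DNS servers, as the first reply advises

function Test-ZoneExists {
    param([string]$Server, [string]$Zone)
    # dnscmd /zoneinfo exits non-zero when the zone is not present on that server.
    & dnscmd $Server /zoneinfo $Zone 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-ConditionalForwarder {
    param([string]$Server, [string]$Zone, [string[]]$Masters)
    if (Test-ZoneExists -Server $Server -Zone $Zone) {
        return [pscustomobject]@{ Server = $Server; Zone = $Zone; Result = 'already present' }
    }
    # The same command the reply gives; PowerShell passes each element of
    # $Masters to dnscmd as a separate argument.
    $out = & dnscmd $Server /zoneadd $Zone /forwarder $Masters 2>&1 | Out-String
    $result = if ($LASTEXITCODE -eq 0) { 'added' } else { 'failed: ' + $out.Trim() }
    [pscustomobject]@{ Server = $Server; Zone = $Zone; Result = $result }
}

function Test-RemoteDcLocatable {
    param([string]$Server, [string]$Zone)
    # The outcome Mel wants: through this DEF DNS server a client can locate a GHI DC.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $Server 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

foreach ($server in $DefDnsServers) {
    Add-ConditionalForwarder -Server $server -Zone $GhiZone -Masters $GhiDnsIps
    [pscustomobject]@{
        Server         = $server
        GhiDcLocatable = (Test-RemoteDcLocatable -Server $server -Zone $GhiZone)
    }
}
# Run the mirror image on GHI's DNS servers with DEF's zone and DNS addresses.
```

Re-running the script is safe because a server that already has the zone is reported as 'already present' and skipped.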