Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Top Forest controller for existing multiple Forest.
Top Forest controller for existing multiple Forest. [message #301547] Wed, 28 October 2009 20:41 Go to next message
Rush  is currently offline Rush  Japan
Messages: 9
Registered: October 2009
Junior Member
We have 7-8 forests in Asia region different countries (some are
single domain forests) in WAN and fair charce of expansions. At the
moment no trust relation between them. Europe head office has forest
and there have trust relations between other Europe regions. if we
want to make a trust relationship with Europe and Asia , Can we create
a forest on top of all the Asia regional forests (example 'Asia
Forest') like a Asia forest controller,add/trust relation all the Asia
regional forest to this and make trust relationship with Europe
Forest. The reason instead of adding every Asia regional forest one by
one to Europe we want to control Asia in one forest.
Technically is this possible ?
Re: Top Forest controller for existing multiple Forest. [message #301558 is a reply to message #301547] Wed, 28 October 2009 21:02 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Rush" <rasikaf@gmail.com> wrote in message
news:f224bc22-3079-4ad6-85de-9e6435f63587@b25g2000prb.googlegroups.com...
> We have 7-8 forests in Asia region different countries (some are
> single domain forests) in WAN and fair charce of expansions. At the
> moment no trust relation between them. Europe head office has forest
> and there have trust relations between other Europe regions. if we
> want to make a trust relationship with Europe and Asia , Can we create
> a forest on top of all the Asia regional forests (example 'Asia
> Forest') like a Asia forest controller,add/trust relation all the Asia
> regional forest to this and make trust relationship with Europe
> Forest. The reason instead of adding every Asia regional forest one by
> one to Europe we want to control Asia in one forest.
> Technically is this possible ?
>
>


Actually the best way to do it is to migrate all the forests (collapsing)
them into one forest/domain. Otherwise, you can create trusts, but then
would need to be individually created. NTLM trusts are not transitive
between internal domains since they are created between specific domains.
Forest trusts (as long as minimal Windows 2003 Forest Function Level) are
transitive between all domains between both forests (if you want them to
be), but this transitivity stops there, hence why you would need multiple
trusts, one for each Asian forest from the Europe HQ forest/domain.

With what you've described, it sounds like the whole infrastructure should
be under one forest, with a child domain created for each location/region.
This will provide intra-forest built-in default trusts between all domains,
centralized control, common Schema, as well as child domain delegation to
regional offices, and under the same Exchange organization.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Top Forest controller for existing multiple Forest. [message #301689 is a reply to message #301547] Thu, 29 October 2009 01:00 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Howdie!

Rush wrote:
> We have 7-8 forests in Asia region different countries (some are
> single domain forests) in WAN and fair charce of expansions. At the
> moment no trust relation between them. Europe head office has forest
> and there have trust relations between other Europe regions. if we
> want to make a trust relationship with Europe and Asia , Can we create
> a forest on top of all the Asia regional forests (example 'Asia
> Forest') like a Asia forest controller,add/trust relation all the Asia
> regional forest to this and make trust relationship with Europe
> Forest. The reason instead of adding every Asia regional forest one by
> one to Europe we want to control Asia in one forest.
> Technically is this possible ?

I concur with Ace here. While your current primary goal is to have
trusts between your forests, I would go a step further and try to
consolidate as much forests and domains into a single forest as I could.
It is not just about the trusts but you lessen the pain of complexity
such a infrastructure brings.

Cheers,
Florian
Re: Top Forest controller for existing multiple Forest. [message #301699 is a reply to message #301547] Thu, 29 October 2009 01:20 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Rush,

If you need a new 'top' forest level in Asia, you have to create a complete
new forest and migrate all existing ones into it. This sounds a real complex
step which i think is more work in preparing/testing and also administering
then having trusts between the Asia and Europe forests.

But as your question was is it technically possible to create a new forest
and add all exsiting ones into it, yes.

Use ADMT3(2003 and lower) or ADMT3.1(2008) to migrate to a new built forest.

v3:
http://www.microsoft.com/downloads/details.aspx?familyid=B1F 816C0-4E2B-4E5D-B256-1AC304062367&displaylang=en

http://www.microsoft.com/downloads/details.aspx?familyid=6F8 6937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

v3.1:
http://www.microsoft.com/downloads/details.aspx?familyid=6D7 10919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

http://www.microsoft.com/downloads/details.aspx?familyid=AE2 79D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We have 7-8 forests in Asia region different countries (some are
> single domain forests) in WAN and fair charce of expansions. At the
> moment no trust relation between them. Europe head office has forest
> and there have trust relations between other Europe regions. if we
> want to make a trust relationship with Europe and Asia , Can we create
> a forest on top of all the Asia regional forests (example 'Asia
> Forest') like a Asia forest controller,add/trust relation all the Asia
> regional forest to this and make trust relationship with Europe
> Forest. The reason instead of adding every Asia regional forest one by
> one to Europe we want to control Asia in one forest.
> Technically is this possible ?
Re: Top Forest controller for existing multiple Forest. [message #301748 is a reply to message #301689] Thu, 29 October 2009 03:47 Go to previous messageGo to next message
Rush  is currently offline Rush  Japan
Messages: 9
Registered: October 2009
Junior Member
On Oct 29, 4:00 pm, "Florian Frommherz [MVP]"
<flor...@frickelsoft.net> wrote:
> Howdie!
>
> Rush wrote:
> > We have 7-8 forests in Asia region different countries (some are
> > single domain forests) in WAN and fair charce of expansions. At the
> > moment no trust relation between them.  Europe head office hasforest
> > and there have trust relations between other Europe regions. if we
> > want to make a trust relationship with Europe and Asia , Can we create
> > aforestontopof all the Asia regional forests (example 'Asia
> >Forest') like a Asiaforestcontroller,add/trust relation all the Asia
> > regionalforestto this  and make trust relationship with Europe
> >Forest. The reason instead of adding every Asia regionalforestone by
> > one to Europe we want to control Asia in oneforest.
> > Technically is this possible ?
>
> I concur with Ace here. While your current primary goal is to have
> trusts between your forests, I would go a step further and try to
> consolidate as much forests and domains into a singleforestas I could.
> It is not just about the trusts but you lessen the pain of complexity
> such a infrastructure brings.
>
> Cheers,
> Florian

I also agree infrastructure wise that the best scenario we can
achieve. but there some other things wont allow for that scenario, as
I detailed with ACE . Anyway Thank you, please check the answer and
suggestion i ask from ACE, if you can tell me what is you r opinion
about it ,im verry happy to hear.
Re: Top Forest controller for existing multiple Forest. [message #301751 is a reply to message #301699] Thu, 29 October 2009 03:50 Go to previous messageGo to next message
Rush  is currently offline Rush  Japan
Messages: 9
Registered: October 2009
Junior Member
Hello Meinolf Weber

Thank you for your answer that knowing me that Technically its
possiblea and for the tool links.
If i be honest with you, i love to migrate to one forest but there is
no option for me to migrate, Let me know hat do you think about what i
ask from ACE?




On Oct 29, 4:20 pm, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de>
wrote:
> Hello Rush,
>
> If you need a new 'top'forestlevel in Asia, you have to create a complete
> newforestand migrate allexistingones into it. This sounds a real complex
> step which i think is more work in preparing/testing and also administering
> then having trusts between the Asia and Europe forests.
>
> But as your question was is it technically possible to create a newforest
> and add all exsiting ones into it, yes.
>
> Use ADMT3(2003 and lower) or ADMT3.1(2008) to migrate to a new builtforest.
>
> v3:http://www.microsoft.com/downloads/details.aspx?familyid= B1F816C0-4E2...
>
> http://www.microsoft.com/downloads/details.aspx?familyid=6F8 6937B-533....
>
> v3.1:http://www.microsoft.com/downloads/details.aspx?familyi d=6D710919-1BA...
>
> http://www.microsoft.com/downloads/details.aspx?familyid=AE2 79D01-7DC....
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > We have 7-8 forests in Asia region different countries (some are
> > single domain forests) in WAN and fair charce of expansions. At the
> > moment no trust relation between them.  Europe head office hasforest
> > and there have trust relations between other Europe regions. if we
> > want to make a trust relationship with Europe and Asia , Can we create
> > aforestontopof all the Asia regional forests (example 'Asia
> >Forest') like a Asiaforestcontroller,add/trust relation all the Asia
> > regionalforestto this  and make trust relationship with Europe
> >Forest. The reason instead of adding every Asia regionalforestone by
> > one to Europe we want to control Asia in oneforest.
> > Technically is this possible ?
Re: Top Forest controller for existing multiple Forest. [message #301767 is a reply to message #301751] Thu, 29 October 2009 04:09 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Rush,

I can not really follow your question about Ace. He listed all advantages
of a complete forest with multiple domains for each location and Florian
used the option to separate all domains into single forests with trusts between
the needed ones only, if i understand Florian correct.

Basically you can not have a 'root' where you can connect all Asia forests
to and then connect this one to Europe 'root', because they don't exist.
So you have to built a root in Europe and Asia or use the forest connections
on each.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello Meinolf Weber
>
> Thank you for your answer that knowing me that Technically its
> possiblea and for the tool links.
> If i be honest with you, i love to migrate to one forest but there is
> no option for me to migrate, Let me know hat do you think about what i
> ask from ACE?
> On Oct 29, 4:20 pm, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de>
> wrote:
>
>> Hello Rush,
>>
>> If you need a new 'top'forestlevel in Asia, you have to create a
>> complete newforestand migrate allexistingones into it. This sounds a
>> real complex step which i think is more work in preparing/testing and
>> also administering then having trusts between the Asia and Europe
>> forests.
>>
>> But as your question was is it technically possible to create a
>> newforest and add all exsiting ones into it, yes.
>>
>> Use ADMT3(2003 and lower) or ADMT3.1(2008) to migrate to a new
>> builtforest.
>>
>> v3:http://www.microsoft.com/downloads/details.aspx?familyid= B1F816C0-
>> 4E2...
>>
>> http://www.microsoft.com/downloads/details.aspx?familyid=6F8 6937B-533
>> ...
>>
>> v3.1:http://www.microsoft.com/downloads/details.aspx?familyi d=6D71091
>> 9-1BA...
>>
>> http://www.microsoft.com/downloads/details.aspx?familyid=AE2 79D01-7DC
>> ...
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>>> We have 7-8 forests in Asia region different countries (some are
>>> single domain forests) in WAN and fair charce of expansions. At the
>>> moment no trust relation between them. Europe head office hasforest
>>> and there have trust relations between other Europe regions. if we
>>> want to make a trust relationship with Europe and Asia , Can we
>>> create
>>> aforestontopof all the Asia regional forests (example 'Asia
>>> Forest') like a Asiaforestcontroller,add/trust relation all the Asia
>>> regionalforestto this and make trust relationship with Europe
>>> Forest. The reason instead of adding every Asia regionalforestone by
>>> one to Europe we want to control Asia in oneforest.
>>> Technically is this possible ?
Re: Top Forest controller for existing multiple Forest. [message #301848 is a reply to message #301547] Thu, 29 October 2009 06:24 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
You have mentioned to several folks the response to Ace, I don't see this.
Did you post in another NewsGroup?

If you have 7 to 8 forests the migration of these into a single forest would
be great from a management point of view but some government agencies won't
allow this. Plus you have to worry about security boundaries (Security
boundaries exist at the forest level not the domain level) and password
policies, so tread slowly before you move to a single forest.

I don't know what value it would be to create another forest? I think the
way you would be able to get the most help from the group is to define what
your goals are, the limitations that you are under, timeline and the staff
available to assist you.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Rush" <rasikaf@gmail.com> wrote in message
news:f224bc22-3079-4ad6-85de-9e6435f63587@b25g2000prb.googlegroups.com...
> We have 7-8 forests in Asia region different countries (some are
> single domain forests) in WAN and fair charce of expansions. At the
> moment no trust relation between them. Europe head office has forest
> and there have trust relations between other Europe regions. if we
> want to make a trust relationship with Europe and Asia , Can we create
> a forest on top of all the Asia regional forests (example 'Asia
> Forest') like a Asia forest controller,add/trust relation all the Asia
> regional forest to this and make trust relationship with Europe
> Forest. The reason instead of adding every Asia regional forest one by
> one to Europe we want to control Asia in one forest.
> Technically is this possible ?
>
>
Re: Top Forest controller for existing multiple Forest. [message #302149 is a reply to message #301748] Thu, 29 October 2009 10:50 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
> On Oct 29, 4:00 pm, "Florian Frommherz [MVP]"
> <flor...@frickelsoft.net> wrote:
>> Howdie!
>>
>> Rush wrote:
>>> We have 7-8 forests in Asia region different countries (some are
>>> single domain forests) in WAN and fair charce of expansions. At the
>>> moment no trust relation between them.  Europe head office hasforest
>>> and there have trust relations between other Europe regions. if we
>>> want to make a trust relationship with Europe and Asia , Can we create
>>> aforestontopof all the Asia regional forests (example 'Asia
>>> Forest') like a Asiaforestcontroller,add/trust relation all the Asia
>>> regionalforestto this  and make trust relationship with Europe
>>> Forest. The reason instead of adding every Asia regionalforestone by
>>> one to Europe we want to control Asia in oneforest.
>>> Technically is this possible ?
>>
>> I concur with Ace here. While your current primary goal is to have
>> trusts between your forests, I would go a step further and try to
>> consolidate as much forests and domains into a singleforestas I could.
>> It is not just about the trusts but you lessen the pain of complexity
>> such a infrastructure brings.
>>
>> Cheers,
>> Florian
>
> I also agree infrastructure wise that the best scenario we can
> achieve. but there some other things wont allow for that scenario, as
> I detailed with ACE . Anyway Thank you, please check the answer and
> suggestion i ask from ACE, if you can tell me what is you r opinion
> about it ,im verry happy to hear.

Hello Rush,

I did not see a response to my post. Did you post a response?

Ace

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Top Forest controller for existing multiple Forest. [message #302728 is a reply to message #301848] Thu, 29 October 2009 20:23 Go to previous messageGo to next message
Rush  is currently offline Rush  Japan
Messages: 9
Registered: October 2009
Junior Member
Dear Paul

Thank you very much for the answer,
the value of creating new forest is binding new forest which can apper
after the merge and make things easier sharing resuoce among the Asia
and the europe.

I agree with you comments regarding group help. i ll be more specifc




On Oct 29, 9:24 pm, "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com>
wrote:
> You have mentioned to several folks the response to Ace, I don't see this..
> Did you post in another NewsGroup?
>
> If you have 7 to 8 forests the migration of these into a singleforestwould
> be great from a management point of view but some government agencies won't
> allow this.  Plus you have to worry about security boundaries (Security
> boundaries exist at theforestlevel not the domain level) and password
> policies, so tread slowly before you move to a singleforest.
>
> I don't know what value it would be to create anotherforest?  I think the
> way you would be able to get the most help from the group is to define what
> your goals are, the limitations that you are under, timeline and the staff
> available to assist you.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Rush" <rasi...@gmail.com> wrote in message

>
> news:f224bc22-3079-4ad6-85de-9e6435f63587@b25g2000prb.googlegroups.com...
>
> > We have 7-8 forests in Asia region different countries (some are
> > single domain forests) in WAN and fair charce of expansions. At the
> > moment no trust relation between them.  Europe head office hasforest
> > and there have trust relations between other Europe regions. if we
> > want to make a trust relationship with Europe and Asia , Can we create
> > aforestontopof all the Asia regional forests (example 'Asia
> >Forest') like a Asiaforestcontroller,add/trust relation all the Asia
> > regionalforestto this  and make trust relationship with Europe
> >Forest. The reason instead of adding every Asia regionalforestone by
> > one to Europe we want to control Asia in oneforest.
> > Technically is this possible ?
Re: Top Forest controller for existing multiple Forest. [message #302869 is a reply to message #302149] Fri, 30 October 2009 01:06 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Hey!

Ace Fekay [MCT] wrote:
> I did not see a response to my post. Did you post a response?

I didn't get it either. First thought the error was on my end..

Florian
Re: Top Forest controller for existing multiple Forest. [message #303085 is a reply to message #302869] Fri, 30 October 2009 07:32 Go to previous message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message
news:ubUOC%23SWKHA.4704@TK2MSFTNGP06.phx.gbl...
> Hey!
>
> Ace Fekay [MCT] wrote:
>> I did not see a response to my post. Did you post a response?
>
> I didn't get it either. First thought the error was on my end..
>
> Florian


Possibly just a mis-print and meant something else. :-)

Ace
Previous Topic:Update Services not going to local server
Next Topic:Need Help in GroupPolicy Settings
Goto Forum:
  


Current Time: Tue Jan 16 10:40:25 MST 2018

Total time taken to generate the page: 0.03809 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software