AD Multi Domain design

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • AD Multi Domain design

    My company is currently expanding its AD structure to contain two domains in two different locations, the purpose of which is to allow different password policies and more autonomous administration.
    However, some users will need to be able to move between domains (physically, using laptops) and log in with the same user in both domains. Also, the Enterprise admin must be able to complete all administrative tasks for either location (since he can only be in one place at a time).

    So my questions are:
    1) Should we go for a child domain or a new domain tree (when do you choose one over the other)?

    2) Also, the locations will be connected using a VPN, though one of the locations has a dynamic IP. Will this be a problem, and could it cause replication to fail?

    3) Finally, will it be enough to add rootdomain\user1 to the Enterprise Admins group for him to be able to log in as childdomain\user1 using the same SID or GUID, if you will?

  • #2
    Re: AD Multi Domain design

    Originally posted by Anderso
    So my questions are:
    1) Should we go for a child domain or a new domain tree (when do you choose one over the other)?
    This doesn't matter too much because you can delegate control to any user throughout the forest.

    2) Also, the locations will be connected using a VPN, though one of the locations has a dynamic IP. Will this be a problem, and could it cause replication to fail?
    It really depends on what you're using to establish the tunnel. If the tunnel goes down it will create problems; if it stays connected it should be fine.

    3) Finally, will it be enough to add rootdomain\user1 to the Enterprise Admins group for him to be able to log in as childdomain\user1 using the same SID or GUID, if you will?
    Each user will log on using its own domain's credentials. You are able to access other domains (through trust relationships) if you have been given permissions to do so. You can use a uniform method for logon by specifying a UPN suffix that all domains will use... but maybe that's not what you're looking for.
    Some reading: http://www.microsoft.com/technet/pro.../fedffin2.mspx
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
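    As an added example (not code from the thread or from either poster), the PowerShell below does what Jeremy describes for question 3 and checks what he warns about in question 2: it registers one forest-wide UPN suffix, assigns it to users in every domain without creating a duplicate UPN (a UPN must be unique across the forest, or that logon name becomes ambiguous), and then lists replication partners that have failed or gone stale, which is what a dropped VPN tunnel looks like from the DCs. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and the placeholder suffix corp.example.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and Enterprise Admin rights; 'corp.example' is a placeholder suffix.
Import-Module ActiveDirectory

$Suffix = 'corp.example'          # placeholder: the one suffix all domains will use
$forest = Get-ADForest
$gc     = "$($forest.GlobalCatalogs[0]):3268"   # query a global catalog, forest-wide view

# 1. Register the suffix once for the whole forest (stored in the Partitions container).
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix}
}

# 2. Give each enabled user in each domain the UPN sAMAccountName@suffix,
#    but never a UPN another account in the forest already has.
foreach ($domain in $forest.Domains) {
    Get-ADUser -Filter 'Enabled -eq $true' -Server $domain | ForEach-Object {
        $user = $_
        $upn  = "$($user.SamAccountName)@$Suffix"
        $clash = Get-ADUser -LDAPFilter "(userPrincipalName=$upn)" -Server $gc |
                 Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
        if ($clash) {
            Write-Warning "Skipping $($user.DistinguishedName): $upn already belongs to $($clash.DistinguishedName)"
        } elseif ($user.UserPrincipalName -ne $upn) {
            Set-ADUser -Identity $user -UserPrincipalName $upn -Server $domain
        }
    }
}

# 3. Replication health across the VPN: recorded failures, plus any partner that
#    has not replicated successfully in the last hour (a down tunnel shows up here
#    long before users notice that a new UPN or password change has not arrived).
Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
```

    Run the replication section on its own whenever the dynamic-IP site's tunnel re-establishes; the failure count and last-success timestamps tell you whether the DCs caught up or need repadmin attention.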
