  • Steps in performing AD trust between parent company and site offices ?

    People,

    I'd like to know what the steps and the caveats are in setting up an AD domain trust between my parent company's AD domain and more than 20 site offices that each have their own Active Directory domain.

    Background: My parent company bought around 20+ office buildings in multiple different geographical locations, and each of those buildings runs its own AD domain. Since the hardware and IT infrastructure at each of those sites belongs to them, we do not want to double the work by doing:

    Join the domain: import all AD domain objects into our parent company AD domain.
    When the site office is decommissioned or bought by another company: recreate the AD domain and then re-export the AD domain objects so that they can still run their business with their new owner.

    I'm open to any suggestion as well of what is the best way to approach the situation above.

    Thanks

  • #2
    Re: Steps in performing AD trust between parent company and site offices ?

    How often are you likely to sell one of the remote sites?
    Do they need separate IT management or do you do it for them?

    The simplest long term solution is to have a single domain environment, failing which multiple child domains in the same forest. If you have to go for inter-forest trusts, you have a lot of work ahead of you
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Steps in performing AD trust between parent company and site offices ?

      Originally posted by Ossian View Post
      How often are you likely to sell one of the remote sites?
      Do they need separate IT management or do you do it for them?

      The simplest long term solution is to have a single domain environment, failing which multiple child domains in the same forest. If you have to go for inter-forest trusts, you have a lot of work ahead of you
      Well, usually around one site office every 2 or 3 years if the business is not that good in the region.

      At the moment, there is an outsourced 3rd party service provider at each site to handle the hardware replacement and simple AD maintenance such as adding new DNS entries.

      The Exchange Server is not a problem since I already created a Terminal Server for the users of each site office to use the email service.

      I've just been told by the management that they don't want to spend too much time undoing the AD setup to make them run separately.

      What sort of inter-forest trust issues will I need to be aware of after "trusting" each of those AD domains with my AD domain in the parent company?



      • #4
        Re: Steps in performing AD trust between parent company and site offices ?

        Each office is a separate AD forest, so if all you need is access to and from the central site, you will need one trust per office.

        If they need to also see each other, the number of trusts increases so for n offices, you will have n(n-1) trusts - remembering each has to be set up in each direction
        Tom Jones



        • #5
          Re: Steps in performing AD trust between parent company and site offices ?

          Originally posted by Ossian View Post
          Each office is a separate AD forest, so if all you need is access to and from the central site, you will need one trust per office.

          If they need to also see each other, the number of trusts increases so for n offices, you will have n(n-1) trusts - remembering each has to be set up in each direction
          Ah I see. So I have to go to the parentcompanyAD.com domain controller and then set the two-way trust from the AD Sites and Trusts console?

          My goal in this exercise is to be able to simplify things so that the site office users can use a ParentCompanyAD.com\user account to log in to their workstation.

          So I don't need to reconfigure the AD domain membership of the workstations and the servers.

          Is that achievable after setting up the trust from the parent company AD domain controller?



          • #6
            Re: Steps in performing AD trust between parent company and site offices ?

            Suggest you read up on trusts before starting anything as trusts between forests are more complex than just logon accounts, but I still think the simplest solution in the long run will be a single forest, with or without multiple child domains
            Tom Jones



            • #7
              Re: Steps in performing AD trust between parent company and site offices ?

              First let me say, many consultants can spend a career doing what you are contemplating. Personally, I've been focused almost exclusively on the migration and/or consolidation of user identities, resources and their access to them for about the last five years. The absolute key to surviving this challenge politically, within available budget and with your sanity will rest solely on correctly defining the requirements and architecting the infrastructure that can provide the level of service that has likely already been promised, all while keeping your management realistic about what services you will provide and constantly reminding them you proposed 2 or 3 solutions where you had outlined the pros and cons of each.

              First, I'd be remiss if I didn't say that Quest Migration Manager for AD and QMM for Exchange are the industry standard for this work. Dell has recently purchased them from Quest, but either way, the licensing is reasonable in price, but their bread and butter is selling you their Professional Services. No matter what route you take, if you attempt to use QMM in house, at least buy some hours of (or fly me out to, where are you, Australia) j/k

              Moving on, it sounds like these satellite sites have a relatively small number of users? How do you feel about just building an RODC per site and using PowerShell to batch create user accounts? Or didn't you mention you had accounts for them on your Exchange server? You could use your domain as a resource forest and set up a one-way trust and give their current domain users access to their new mailbox.

              What is your network like? AD Sites & Services should be a virtual representation of your actual network. If multiple sites all connect via MPLS, let's say, then there should be site links from each site to every other site just like a mesh; then let's say you have a few sites that are point to point like a hub and spokes, those should be represented as they are, weighting slower links as slower. Basically ADSS is just an actual representation of your physical network.

              What sort of resources do these companies bring with them? If it's just AD, Exec and desktop apps, I say just rip and replace. If they have other variables like SQL servers, you have to hand migrate (script) giving their new corporate accounts access to what their old AD account had, but for most server functions, such as a simple file server using NTFS permissions, you can use sIDHistory and they won't miss a beat accessing their files (note: you have to run a command to allow sIDHistory to pass through the trust, as that LDAP field is blocked by default), but watch out for shares that use built-in groups like "Domain Users" to give access to sensitive files. Worst case scenario, they use a product like Symantec Vault as part of their email dedup, retention, quota, etc. workflow and you use a totally different product, because there is just no easy way to get that email out and into another. Then there's web servers, IP address schemes, NAT'ing, web proxies, firewalls, VOIP and last but not least, my personal favorite...

              When a VP or another high-up in the company that was purchased has the login name "jsmith", just like your boss who works for the 'buying' company, and you get to tell them that for compliance reasons they both have to get a new logon/email address.

              Now I'm just rambling, sorry about that. Oh, one last thing: you can make trusts transitive or non-transitive. You can create fewer trusts by letting one forest act as a sort of 'proxy' truster for another forest, but I wouldn't normally go that route.

              Good Luck!
              Regards,
              Jobie.
              Last edited by jobiegermano; 15th February 2015, 18:04.

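The sIDHistory remark in the reply above points at the setting a defender most wants to keep an eye on once trusts to 20-odd separately managed forests exist: whether SID filtering has been relaxed on any of them. The script below is an added example, not code from the thread or from any of its posters. It reads each trust's raw trustAttributes value with the RSAT Get-ADTrust cmdlet and maps the documented MS-ADTS flag bits (0x4 QUARANTINED_DOMAIN, 0x8 FOREST_TRANSITIVE, 0x20 WITHIN_FOREST, 0x40 TREAT_AS_EXTERNAL) to a plain verdict, so the trusts where `netdom trust ... /enablesidhistory:yes` or `/quarantine:no` has been run stand out. The domain name passed at the bottom is a placeholder, and an admin session on a domain-joined machine with the ActiveDirectory module is assumed.

```powershell
# Added example, not code from the thread or from any poster: audit the trusts
# of the parent-company domain and flag the ones where SID filtering has been
# relaxed. Assumes the ActiveDirectory RSAT module in a domain-joined admin
# session; the domain name at the bottom is a placeholder.
Import-Module ActiveDirectory

# trustAttributes bit flags as documented in MS-ADTS.
$TA_NON_TRANSITIVE    = 0x1
$TA_QUARANTINED       = 0x4   # SID filtering (quarantine) enforced on an external trust
$TA_FOREST_TRANSITIVE = 0x8   # forest trust
$TA_WITHIN_FOREST     = 0x20  # parent/child or tree-root trust inside one forest
$TA_TREAT_AS_EXTERNAL = 0x40  # forest trust that accepts sIDHistory (netdom /enablesidhistory:yes)

function Get-SidFilteringState {
    # Returns a one-line verdict for a trust from its raw trustAttributes value.
    param([int]$TrustAttributes)

    if ($TrustAttributes -band $TA_WITHIN_FOREST) {
        return 'n/a (intra-forest; SID filtering does not apply)'
    }
    if ($TrustAttributes -band $TA_FOREST_TRANSITIVE) {
        if ($TrustAttributes -band $TA_TREAT_AS_EXTERNAL) {
            return 'RELAXED: forest trust accepts sIDHistory from the other forest'
        }
        return 'OK: forest trust, SID filtering active'
    }
    if ($TrustAttributes -band $TA_QUARANTINED) {
        return 'OK: external trust, quarantine active'
    }
    return 'RELAXED: external trust without quarantine'
}

function Get-TrustAudit {
    # One row per trust of the given domain, with direction, transitivity and
    # the SID-filtering verdict.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        [pscustomobject]@{
            Partner      = $_.Target
            Direction    = $_.Direction      # Inbound, Outbound or BiDirectional
            ForestTrust  = [bool]($_.TrustAttributes -band $TA_FOREST_TRANSITIVE)
            Transitive   = -not ($_.TrustAttributes -band $TA_NON_TRANSITIVE)
            SidFiltering = Get-SidFilteringState -TrustAttributes $_.TrustAttributes
        }
    }
}

# Report, listing trusts with relaxed SID filtering first. Placeholder domain name.
Get-TrustAudit -Domain 'parentcompanyad.example' |
    Sort-Object { $_.SidFiltering -like 'RELAXED*' } -Descending |
    Format-Table -AutoSize
```

Relaxing SID filtering is only needed for the duration of a migration that relies on sIDHistory; re-running this after the cut-over, and again whenever a site changes hands, confirms that every trust is back to the default filtered state.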


              • #8
                Re: Steps in performing AD trust between parent company and site offices ?

                Thanks all for the insight and comments regarding my question.

                My manager has decided that we go with the establishing AD trust on multiple Site Office sites because those sites will be managed by 3rd party IT service provider for the rural area.



                • #9
                  Re: Steps in performing AD trust between parent company and site offices ?

                  Your manager isn't called Captain Tony is he Albert? You do the research and then he heads off on his own course........

                  Don't answer for fear of being discovered for answering an intended humorous remark. It got one of our Highly regarded members sacked several years ago (well that was their reason); the twats.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2



                  • #10
                    Re: Steps in performing AD trust between parent company and site offices ?

                    Originally posted by biggles77 View Post
                    Your manager isn't called Captain Tony is he Albert? You do the research and then he heads off on his own course........

                    Don't answer for fear of being discovered for answering an intended humorous remark. It got one of our Highly regarded members sacked several years ago (well that was their reason); the twats.
                    Lol, luckily no. I don't work for the 'Straya Govt.

                    That's the management decision, then... so be it, because he's the decision maker.
