Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Segregating a group of PC's so a domain can't access them

Posted on 2004-09-27
7
Medium Priority
?
177 Views
Last Modified: 2010-04-13
We have all of our 2000 network running on one domain in one forest.  We still have an old NT domain running separate from the 2000 domain.  We want to move the NT domain to 2000, but we don't want anyone from the 2000 domain to be able to access the PC's from the NT domain.  The server in the NT domain runs some very critical plant software which we don't want anyone to be able to tamper with.  The PC's in the NT domain will need to use the email system in the 2000 domain.  What's the best way to accomplish moving the NT domain to 2000 but keeping it separate for security reasons?

Thanks in advance.
0
Comment
Question by:turtletrax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12159998
You could put the 2 networks on different subnet.. these 2 network would be isolated by a router.. using ACLs to completly block the communication between the 2...
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12160014
Network 1
PC1
PC2
------------
ROUTER
-----------
Network 2
PC 3
PC 4..etc..

With an ACL, you could give or remove access to certain IP addresses from 1 domain to the other.. or only give access to certain ports.. in fact, you can pretty much do anything you want..
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 12161010
Define "Access them".  Creating seperate networks as already suggested will work; however, from a security propective users from the 2000 domain can't access resources in the NT domain by default (unless they have the same username and password in both domains).

So, just having these two domains on the same network will not give users access to both domains.  If the administrators sets up identicle usernames and password in both domains; however, you will run into a problem.

Even if you setup a trust relationship between the two domains, users will not automatically be given rights to access the other domain (unless they are part of the administrators group and have already been given rights.)

Thank you,

Joe Poandl MCSE
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 4

Expert Comment

by:darth_wannabe
ID: 12161019
you can have only a one-way trust relationship set up, that way only the users from the NT domain can get the the 2000 domain, but not vice versa
0
 

Author Comment

by:turtletrax
ID: 12161123
Our plan is to eliminate the NT domain and move the computers into the 2000 domain.  Only the PC's from the NT domain need to access each other.  
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 2000 total points
ID: 12161208
Isolate them by a router... that way you'll be sure that there is no access between the networks.. or you can customize whatever access you want to provide..
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 12161230
You can safely setup a one way to two way trust.  As long as you don't give NTFS/SHARE level access from the remote domains, you will not have a problem.  To be safe though, you can setup a one way trust where the 2K domain trusts the NT domain.  

You will need to setup a trust anyway if you are going to use the ADMT (Active Directory Migration Utility) to perform the migration.

Thank you,

Joe Poandl MCSE


0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question