Solved

Active Directory Design with Child domain authenticating to Parent Domain

Posted on 2007-03-20
1,082 Views
Last Modified: 2012-05-05
We are designing Active Directory and had some questions pertaining to authentication and child domains.

Here is the synopsis:

One parent domain, in its own subnet, with one DC
Four child domains, in their own subnets, with their own respective DC.
One DHCP server residing in the parent domain with scopes defined for all 5 subnets and an "IP Helper Address", with the DHCP server's IP address, defined on the router's child-domain interface.
All five subnets are separated by routers with Fast Ethernet interfaces (e.g. fa0/0 & fa0/1).

If a "Child Domain's DC" goes offline in any of the child subnets:
1. Can servers & workstations in the child domain authenticate with the parent domain's DC without any manual intervention by IT staff?
2. What ports need to be enabled on the router's fa0/0 & fa0/1 interfaces if Number 1 is true?
3. What other issues, such as DNS & DHCP, might be at risk in this scenario if Number 1 is true?

Thank you,

Tom
Question by:mcit0331
7 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18756115
Technically, users are the ones being authenticated. If the DC for the domain is not available, you cannot authenticate, but you might still log on with cached credentials. A user from a child domain can't authenticate on a DC in the root domain. So the answer to your first question is: No!

HTH

Toni
 
LVL 13

Expert Comment

by:strongline
ID: 18758096
Below is just my thought; comments are welcome.

Cached logon will certainly work if a computer is unplugged from the corp network, but whether it will be triggered when it's plugged into the network while the DC is offline is yet to be tested.

Windows clients record their DNS suffix when they last got GPO applied.
To determine if it's connected to the domain, a client compares its current active DNS suffixes to what is recorded. If they match, it considers itself connected to a managed network (aka domain).

Regardless, the answer to Tom's question will be the same, though. The parent DC will never authenticate child domain users.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18760131
Often we come across the implementation of child domains where they are not needed. Are you certain that you need 4 child domains? That's a pretty serious configuration, and unless specifically required, you could make life a lot easier by having a single domain with 5 sites.

 

Author Comment

by:mcit0331
ID: 18836453
Hello Jay_Jay70,

Thank you very much for your input.

A single domain with separate sites, as you mentioned, for the "former" domains was the other option that we were tossing around. However, our concern is to keep the other sites/"old domains" from browsing each other's resources such as network printers, shares, accounting servers, etc., and 1 parent domain and 4 child domains satisfied this security requirement, as it represented a security boundary.

We know we can inhibit access to these resources with the proper setting of NTFS permissions and ABE ("Access Based Enumeration"), but what else can you recommend to prevent users from snooping around the other sites?

However, here is the fly in the ointment. Some of our legacy software (and yes, we have already complained to their developers) needs the "Everyone" group to have "Full Access". Once again, and even more important, we need to prevent users from snooping.

I would love to flatten our hierarchy and make IT's life easier, without child domains and with fewer servers. What can we do?

- Tom
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18855717
I understand your predicament; in light of that info, I think you have probably made the right decision.

However, for the sake of it, let's take a look at:

a) What is it you are trying to stop your users looking at? In reality, a simple set of NTFS permissions with some group configuration based on a "per site" config should pretty much be able to knock out snooping....

b) Your legacy appz that require the Everyone group... fine, let's segment those appz into a folder that can be open to everyone. Doing that allows access for the app but also allows us to start locking down all other areas.

Are these ideas feasible or are we fighting a futile battle?

James
 

Author Comment

by:mcit0331
ID: 18866115
James,

I am focusing on item a) above dealing with [NTFS permissions with some group configuration based on a "per" site config].

Our intention is to create a separate site and OU for each "old domain" to segment each OU/site from the others and move users, workstations, & member servers into their respective OU/former domain.

Are you saying that I can create an ACL, similar to a Cisco router's, within each site's properties to explicitly deny the other OUs' users?

- Tom
 
LVL 48

Accepted Solution

by: Jay_Jay70 (earned 250 total points)
ID: 18868450
Not exactly; I was thinking more along the lines of a single group for each site... say all members of site A belong to group SiteA. In site A you configure your permissions using the SiteA group and that's it. Site B has a similar config, and so do sites C and D.
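The per-site group approach from the accepted answer, combined with James's earlier suggestion to isolate the Everyone-dependent legacy software in its own folder, as an added PowerShell example that is not code from the thread. It assumes a domain with NetBIOS name CORP, existing groups SiteA through SiteD, a share root at D:\Shares and a share named Data (all constructed for the example).

```powershell
# Added example (not from the thread). One security group per site, each
# site's folder granting only that group; one separate folder left open to
# Everyone for the legacy applications; ABE on the share so users cannot
# even see folders they have no access to.
# Assumptions (constructed): domain CORP, groups SiteA..SiteD exist,
# share root D:\Shares, share name 'Data'.

$Domain    = 'CORP'
$ShareRoot = 'D:\Shares'
$Sites     = 'SiteA', 'SiteB', 'SiteC', 'SiteD'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Add-Allow($Acl, [string]$Identity, [string]$Rights) {
    # Allow rule that propagates to all subfolders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
    $Acl.AddAccessRule($rule)
}

function Set-IsolatedFolderAcl {
    param([string]$Path, [hashtable]$Grants)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited rules, so nothing granted at
    # the share root (e.g. Users or Everyone) reaches into this folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in $Grants.Keys) {
        Add-Allow $acl $identity $Grants[$identity]
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Per-site folders: members of SiteA get Modify on \SiteA and nothing on
# \SiteB..\SiteD. Admins and SYSTEM keep Full Control for management.
foreach ($site in $Sites) {
    Set-IsolatedFolderAcl -Path (Join-Path $ShareRoot $site) -Grants @{
        "$Domain\$site"          = 'Modify'
        "$Domain\Domain Admins"  = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
    }
}

# Legacy folder: the only place Everyone gets Full Control, so the legacy
# apps' requirement stays confined to this one subtree.
Set-IsolatedFolderAcl -Path (Join-Path $ShareRoot 'LegacyApps') -Grants @{
    'Everyone' = 'FullControl'
}

# Share with access-based enumeration: share-level Everyone is fine because
# the NTFS ACLs above are the effective control, and ABE hides each site's
# folder from users who cannot open it (the "snooping" concern).
New-SmbShare -Name 'Data' -Path $ShareRoot -FullAccess 'Everyone' `
    -FolderEnumerationMode AccessBased
```

A quick check after running it is `Get-Acl D:\Shares\SiteB | Format-List` from a SiteA member's session, which should show no entry for SiteA and an access-denied error on listing.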
