Active Directory Design with Child domain authenticating to Parent Domain

Posted on 2007-03-20
Last Modified: 2012-05-05
We are designing Active Directory and had some questions pertaining to authentication and child domains.

Here is the synopsis:

One parent domain, in its own subnet, with one DC
Four child domains, in their own subnets, with their own respective DC.
One DHCP server residing in the parent domain with scopes defined for all 5 subnets and an "IP Helper Address", with the DHCP server's IP address, defined on the router's child domain interface.
All five subnets are separated by routers with Fast Ethernet interfaces (e.g. fa0/0 & fa0/1).

If a "Child Domain's DC" goes offline in any of the child subnets:
1. Can servers & workstations in the child domain authenticate with the parent domain's DC without any manual intervention by IT staff?
2. What ports need to be enabled on the routers' fa0/0 & fa0/1 interfaces if number 1 is true?
3. What other issues such as DNS & DHCP might be at risk in this scenario if Number 1 is true?

Thank you,

Tom
Question by:mcit0331
Expert Comment

by:Toni Uranjek
ID: 18756115
Technically, users are the ones being authenticated. If the DC for a domain is not available, you cannot authenticate, but you might still log on with cached credentials. A user from a child domain can't authenticate on a DC in the root domain. So the answer to your first question is: No!

HTH

Toni

Expert Comment

by:strongline
ID: 18758096
Below is just my thought; comments are welcome.

Cached logon will certainly work if a computer is unplugged from the corp network, but whether it will be triggered when it's plugged into the network while the DC is offline is yet to be tested.

Windows clients record their DNS suffix when they last got GPO applied.
To determine if it's connected to the domain, a client compares its current active DNS suffixes to what is recorded. If they match, it considers itself connected to a managed network (aka the domain).

Regardless, the answer to Tom's question will be the same, though. The parent DC will never authenticate child domain users.

Expert Comment

by:Jay_Jay70
ID: 18760131
Often we come across the implementation of child domains where they are not needed. Are you certain that you need 4 child domains? That's a pretty serious configuration, and unless specifically required, you could make life a lot easier by having a single domain with 5 sites.

Author Comment

by:mcit0331
ID: 18836453
Hello Jay_Jay70,

Thank you very much for your input.

A Single domain with separate sites, as you mentioned, for the "former" domains was the other option that we were tossing around. However our concern is to keep the other sites/"old domains" from browsing each other's resources such as network printers, shares, accounting servers, etc. and 1 parent domain and 4 child domains satisfied this security requirement as it represented a security boundary.

We know we can inhibit access to these resources with the proper setting of NTFS permissions and ABE "Access Based Enumeration" but what else can you recommend to prevent users from snooping around the other sites?

However, here is the fly in the ointment. Some of our legacy software (and yes, we have already complained to their developers) needs the "Everyone" group to have "Full Access". Once again, and even more important, we need to prevent users from snooping.

I would love to flatten our hierarchy and make IT's life easier without child domains and with fewer servers. What can we do?

- Tom

Expert Comment

by:Jay_Jay70
ID: 18855717
I understand your predicament; in light of that info I think you have probably made the right decision.

However, for the sake of it, let's take a look at:

a) What is it you are trying to stop your users looking at? In reality a simple set of NTFS permissions with some group configuration based on a "per site" config should pretty much be able to knock out snooping....

b) Your legacy appz that require the Everyone group.....fine, let's segment those appz into a folder that can be open to Everyone - doing that allows access for the app but also allows us to start locking down all other areas.

Are these ideas feasible or are we fighting a futile battle?

James

Author Comment

by:mcit0331
ID: 18866115
James,

I am focusing on item a) above dealing with [NTFS permissions with some group configuration based on a "per" site config].

Our intention is to create a separate site and OU for each "old domain" to segment each OU/site from the others, and move users, workstations & member servers into their respective OU/former domain.

Are you saying that I can create an ACL, similar to a Cisco router, within each site's properties to explicitly deny the other OUs' users?

- Tom

Accepted Solution

by:Jay_Jay70 (earned 1000 total points)
ID: 18868450
Not exactly, I was thinking more along the lines of a single group for each site... say all members of site A belong to group SiteA. In site A you configure your permissions using the SiteA group and that's it... Site B has a similar config and so do sites C and D.
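The per-site group approach James describes, written out as an added PowerShell example (it is not code from the thread). It assumes the placeholder domain CONTOSO, a share root of D:\Shares and the RSAT ActiveDirectory module, and it also carves out the separate Everyone: Full Control folder for the legacy application Tom mentions.

```powershell
# Added example, not from the thread. Assumptions: placeholder domain CONTOSO,
# share root D:\Shares, RSAT ActiveDirectory module present, run as a domain admin.
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'                      # placeholder NetBIOS domain name
$Sites   = 'SiteA', 'SiteB', 'SiteC', 'SiteD'
$Root    = 'D:\Shares'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-FolderAccess {
    # Builds an ACL that discards inherited entries and allows only the listed identities.
    param([string]$Path, [hashtable]$Rights)   # Rights: identity -> FileSystemRights
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($id in $Rights.Keys) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, $Rights[$id], $Inherit, 'None', $Allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($site in $Sites) {
    # One global security group per site; each user is placed in exactly one of them.
    if (-not (Get-ADGroup -Filter "Name -eq '$site'")) {
        New-ADGroup -Name $site -GroupScope Global -GroupCategory Security `
            -Description "All users located at $site"
    }
    # The site folder is reachable only by that site's group plus admins/SYSTEM,
    # so users from the other former domains get Access Denied instead of a listing.
    Grant-FolderAccess -Path (Join-Path $Root $site) -Rights @{
        "$Domain\$site"          = 'Modify'
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
    }
}

# The legacy application that insists on Everyone: Full Control gets its own folder,
# so that permission does not spill into the per-site folders above.
Grant-FolderAccess -Path (Join-Path $Root 'LegacyApp') -Rights @{ 'Everyone' = 'FullControl' }

# Check: each folder should list only the identities granted above.
Get-ChildItem $Root -Directory | ForEach-Object {
    '{0}: {1}' -f $_.Name, ((Get-Acl $_.FullName).Access.IdentityReference -join ', ')
}
```

Enabling Access-Based Enumeration on the share, as Tom already plans, additionally hides the site folders a user cannot open, so the NTFS deny is not even visible as a folder name.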