Solved

Domain Dilemma

Posted on 2007-11-22
Last Modified: 2010-04-21
Morning guys, hope you can help.

We have just taken over a company in North America. They have no domain structure, no
Exchange server etc., and have about 15 offices spread across Canada and the US.

We in the UK have 12 offices connected by an MPLS system (VPN) in a single
Windows 2003 domain called ABC.local (forest root domain).

We have 6 Exchange servers, with domain controllers at each office.
We are going to implement a domain in North America with Exchange servers etc.

From the UK we want to admin both domains, but North America only needs to admin
its own domain.

We need to share Exchange GALs and possibly other resources. Also, the entire company will use the email address @abc.com.

My main question is: do we make the North American domain a sub-domain of abc.local,
say ABCNA.local?

Or do we create separate domains and set up trusts?

I think in the ideal world we would have the ABC.local forest root and then 2 regional domains of NAABC.local and UKABC.local; unfortunately, all objects, Exchange servers etc. are in the abc.local root domain.

Not sure which is the best way to proceed; earlier posts recommend adding NA to the abc.local domain.

Any ideas would be greatly appreciated.

Thanks

Question by:georgestark
12 Comments
 
LVL 1

Expert Comment

by:partymarty84
ID: 20333877
If you require different security policies between NA and UK, then have a subdomain.

Otherwise keep them in the domain and create sites, and control replication that way.
 
LVL 58

Expert Comment

by:tigermatt
ID: 20335137
You say that North America should only be able to manage their own domain. Therefore, I would say you should go for a subdomain of your main domain, keeping all your UK objects in the root domain and having the NA domain branching off. That way, as an admin in the root domain, you can manage both the root and the sub-domain.

-tigermatt
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20336471
Take a look here first:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22929412.html?cid=236#a20192401

I discussed this situation previously. What you need to figure out first is business lines; whilst AD is a technical tool, it is also designed to be built around your business lines.

So, once you have checked that link and can give me an idea of how your company will be sitting, I can share some ideas. Most of the time a single AD is the way to go, with OU management and delegation of control supplied.

James
 
LVL 3

Author Comment

by:georgestark
ID: 20337855
Guys,
Thanks for your response.
Jay, that was my original post; I have updated it with some extra info. Your previous answers were great, but the NA IT manager is concerned about permissions on domain controllers and Exchange servers etc.
Can we move DCs, Exchange servers, users and computers into an NA OU, create an account, say NAAdmin, and grant that account full access for that OU only? I can't see it with servers:
Exchange organization global settings and recipients, DCs replicate to other DCs.
Hope this makes sense.

If we did go for a child domain, would we still get one Exchange organization? We need this as we have one email address.

Thanks in advance

George
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20338432
Oh hey mate, I didn't even realise this was you; my apologies :)

I don't like the idea of moving DCs out of their root container; however, it can be done. You have to be quite careful what you do with them policy-wise, but yes, moving them into different OUs and granting access that way is an OK way to secure them.

As for a child domain, yes, you can still have a single organisation.
 
LVL 3

Author Comment

by:georgestark
ID: 20338478
Thanks Jay.
Food for thought. I think we would like to add NA to our domain, but the question of separate IT departments and security is an issue: not for us in the UK, as we control all the domain, but the NA IT department is a concern. It would be nice to keep the abc.local domain for everyone instead of having abc.local for the UK and NAabc.local for NA. The only thing we definitely need to keep is the single Exchange organization, as both UK and NA will be using the @abc.com email address.

Again, thanks for all your help on this, and any further comment would be appreciated.

George
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20338850
I still think your best bet is to use the Delegation of Control wizard on an OU...

This way you keep ABC.LOCAL as the single domain, and admins in the NA branch only have access to what you give them through the wizard, on the OU you specify... Maybe I am missing something here??

Cheers bud
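The single-domain-plus-OU-delegation design Jay describes, as an added example (this is not code from the thread or from any of its participants): it is the scripted equivalent of running the Delegation of Control wizard on a regional OU in abc.local. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later; the ACEs it writes are the same ones the Windows 2003 wizard or dsacls would produce), that it runs as a domain admin, and that the OU layout and the group name NA-OU-Admins are invented for illustration.

```powershell
# Added example, not from the thread: delegate one regional OU to a regional
# admin group in a single domain. Assumptions: ActiveDirectory module present,
# run as a domain admin, OU/group names below are invented.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=abc,DC=local
$naOU     = "OU=NorthAmerica,$domainDN"
$naAdmins = "NA-OU-Admins"                          # assumed group name

# 1. Region containers. Users, workstations and member servers go here.
#    Domain controllers stay in the default Domain Controllers OU so the
#    Default Domain Controllers Policy keeps applying to them.
New-ADOrganizationalUnit -Name "NorthAmerica" -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($sub in "Users", "Computers", "Servers", "Groups") {
    New-ADOrganizationalUnit -Name $sub -Path $naOU -ProtectedFromAccidentalDeletion $true
}

# 2. An ordinary global security group for the NA admins. It is deliberately
#    not a member of Domain Admins, Administrators, Account Operators or
#    Server Operators; every right it has comes from the OU ACL below.
$grp = New-ADGroup -Name $naAdmins -GroupScope Global -GroupCategory Security `
                   -Path "OU=Groups,$naOU" -PassThru
$sid = $grp.SID                                     # System.Security.Principal.SecurityIdentifier

# Well-known schema class and extended-right GUIDs referenced by the ACEs
$userClass     = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user
$computerClass = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # computer
$groupClass    = [guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"   # group
$resetPassword = [guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password right
$all         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$naOU"

# Create and delete user, computer and group objects anywhere under the NA OU
foreach ($cls in $userClass, $computerClass, $groupClass) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, "CreateChild,DeleteChild", "Allow", $cls, $all))
}
# Full control of the user and computer objects that live under the OU
foreach ($cls in $userClass, $computerClass) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, "GenericAll", "Allow", $descendents, $cls))
}
# Reset Password on users, as an explicit extended right so it survives if
# GenericAll on users is later trimmed back to a few property writes
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, "ExtendedRight", "Allow", $resetPassword, $descendents, $userClass))

Set-Acl -Path "AD:\$naOU" -AclObject $acl

# 3. Read back exactly what was granted; review this before handing the OU over.
#    Nothing here touches the domain head, the Domain Controllers OU or AdminSDHolder.
(Get-Acl -Path "AD:\$naOU").Access |
    Where-Object { $_.IdentityReference -like "*\$naAdmins" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The point of the read-back step is that the rights are scoped by the OU's DN and by object class, so a member of NA-OU-Admins can reset an NA user's password or join an NA computer but has no ACE on the domain head, on the Domain Controllers OU, or on any object outside OU=NorthAmerica. Whatever the NA admins need on their member servers (local Administrators membership, service restarts) is granted on those servers, not through the directory ACL.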
 
LVL 3

Author Comment

by:georgestark
ID: 20339257
Jay,
Those are my thoughts exactly. The problem I am thinking of is: if NA IT make a change to, say, permissions on a DC, it will replicate to all servers. Also, because of the time zones, NA IT need access to diagnose or fix issues.
I hope this makes sense.

Georgestark
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20348437
I wouldn't be letting them near the DCs. Servers, yes, but give them the adminpak and let them access just their OUs; problem solved. Create an emergency account for them if they need it to access DCs where you can't.
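George's worry is that a delegated NA group could end up with rights on a DC that then replicate everywhere, and Jay's answer is to keep them off the DCs entirely. The following added audit (not code from the thread) checks that a regional admin group actually is isolated: not nested in any DC-capable built-in group, no ACE on the domain head, the Domain Controllers OU or AdminSDHolder, and every DC still in the Domain Controllers OU (Jay's earlier caution about moving DCs out of their default container). It assumes the ActiveDirectory module, a single domain, and the invented group name NA-OU-Admins.

```powershell
# Added example, not from the thread: audit that a delegated regional admin
# group has no route to the domain controllers or to domain-wide control.
# Assumptions: ActiveDirectory module, single domain, invented group name.
Import-Module ActiveDirectory

function Test-RegionalAdminIsolation {
    param([string]$GroupName = "NA-OU-Admins")

    $domain   = Get-ADDomain
    $grpDN    = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Group nesting. LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
    #    walks the member chain server-side, so indirect membership through
    #    any depth of nested groups is caught. Every group listed can log on
    #    to a DC or otherwise take it over (Backup Operators can read
    #    NTDS.dit through a backup), so none of them may contain the group.
    $privileged = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                  "Account Operators", "Server Operators", "Backup Operators", "Print Operators"
    $nestedIn = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$grpDN)" |
                Select-Object -ExpandProperty Name
    foreach ($g in $nestedIn) {
        if ($privileged -contains $g) {
            $findings.Add("$GroupName is (transitively) a member of $g")
        }
    }

    # 2. Explicit ACEs on objects a regional admin never needs. OU delegation
    #    writes nothing here; any ACE that shows up was granted by hand.
    $watched = @(
        "AD:\$($domain.DistinguishedName)",                             # domain head
        "AD:\$($domain.DomainControllersContainer)",                    # Domain Controllers OU
        "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"   # template for protected accounts
    )
    foreach ($path in $watched) {
        $aces = (Get-Acl -Path $path).Access |
                Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited }
        foreach ($ace in $aces) {
            $findings.Add("$GroupName has $($ace.AccessControlType) $($ace.ActiveDirectoryRights) on $path")
        }
    }

    # 3. Every DC still sits in the Domain Controllers OU, so the Default
    #    Domain Controllers Policy and the default DC ACLs still apply to it.
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.ComputerObjectDN -notlike "*,$($domain.DomainControllersContainer)") {
            $findings.Add("$($dc.HostName) has been moved out of the Domain Controllers OU: $($dc.ComputerObjectDN)")
        }
    }

    return $findings
}

$result = @(Test-RegionalAdminIsolation)
if ($result.Count -eq 0) {
    "No findings: the regional group is isolated from the DCs."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it after the initial delegation and again on a schedule; the nesting check is the one that tends to regress, because someone adds the regional group to Account Operators or Server Operators "just to fix a ticket" and that single change grants DC logon everywhere the directory replicates. The emergency account Jay mentions is a separate, named break-glass account whose use is logged and whose password is rotated after each use; it should not be solved by widening the standing rights of the regional group.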
 
LVL 3

Author Comment

by:georgestark
ID: 20356708
Jay,
This gets worse.
My boss wants to create 2 new sub-domains, UK.abc.local and NA.abc.local.
We then move all objects, servers, Exchange servers from the root domain abc.local into uk.abc.local, leaving abc.local empty; I don't know if this is even possible. We then have all Exchange servers, NAS servers, DCs, OUs etc. in the new sub-domain and add servers where needed in the NA domain.

Would this work?

Again, your comments would be appreciated.

Warren
 
LVL 48

Accepted Solution

by: Jay_Jay70 (earned 2000 total points)
ID: 20362516
Sure, it would work. It will be a good fun migration that is going to be expensive, risky and painful, but yes, it will work. The root domain structure is actually very cool having it empty, but it's a waste of hardware in my opinion (I was faced with this same challenge, so I have looked at it all before).

If your boss is going to be stubborn and is over-cautious, then he is going to bite himself. He needs to really take a look at his concerns and justify them; he is making a simple, easy task into a huge mess, for absolutely no reason.

I can tell you straight off the bat, you guys don't need child domains; it's simply a waste of time and effort :) But you know this already; it's your boss we need to talk to :)
 
LVL 3

Author Closing Comment

by:georgestark
ID: 31410550
Jay

Sorry for the long delay, this project is still on hold at the moment, I will re-address this when the time comes.

Again thanks for all your help on this.
