Solved

Domain Dilemma

Posted on 2007-11-22
Last Modified: 2010-04-21
Morning Guys, hope you can help.

We have just taken over a company in North America; they have no domain structure, no
Exchange server etc., and have about 15 offices spread across Canada and the US.

We in the UK have 12 offices connected by an MPLS system (VPN) in a single
Windows 2003 domain called ABC.local (forest root domain).

We have 6 Exchange servers, with domain controllers at each office.
We are going to implement a domain in North America with Exchange servers etc.

From the UK we want to admin both domains, but North America needs only to admin
its domain.

We need to share Exchange GALs and possibly other resources. Also, the entire company will use the email address @abc.com.

My main question is: do we make the North American domain a sub-domain of abc.local,
say ABCNA.local?

Do we create separate domains and set up trusts?

I think in the ideal world we would have the ABC.local forest root and then 2 regional domains of NAABC.local and UKABC.local; unfortunately all objects, Exchange servers etc. are in the abc.local root domain.

Not sure which is the best way to proceed; earlier posts recommend adding NA to the abc.local domain.

Any ideas would be greatly appreciated

Thanks

Question by georgestark

12 Comments

Expert Comment by partymarty84 (LVL 1):
If you require different security policies between NA and UK then have a subdomain.

Otherwise keep them in the domain and create sites and control replication this way.
Expert Comment by tigermatt (LVL 58):
You say that North America should only be able to manage their own domain. Therefore, I would say you should go for a subdomain of your main domain, keeping all your UK objects in the root domain and having the NA domain branching off. Therefore, as an admin in the root domain you can manage both the root and sub-domain.

-tigermatt
Expert Comment by Jay_Jay70 (LVL 48):
Take a look here first
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22929412.html?cid=236#a20192401

I discussed this situation previously... What you need to figure out first is business lines; whilst AD is a technical tool, it is also designed to be built around your business lines.

So, once you have checked that link and can give me an idea of how your company will be sitting, I can share some ideas... most of the time a single AD is the way to go, with OU management and delegation of control supplied.

James
Author Comment by georgestark (LVL 3):
Guys,
Thanks for your response.
Jay, that was my original post; I have updated it with some extra info. Your previous answers were great, but the NA IT manager is concerned about permissions on domain controllers and Exchange servers etc.
Can we move DCs and Exchange servers, users and computers into an NA OU, create an account, say NAAdmin, and grant that account full access for that OU only? I can't see it with servers,
Exchange organization global settings and recipients; DCs replicate to other DCs.
Hope this makes sense.

If we did go for a child domain, would we still get one Exchange organization? We need this as we have one email address.

Thanks in advance

George
Expert Comment by Jay_Jay70 (LVL 48):
Oh hey mate, I didn't even realise this was you - my apologies :)

I don't like the idea of moving DCs out of their root container; however, it can be done... you have to be quite careful what you do with them policy-wise... but yes, moving them into different OUs and granting access that way is an OK way to secure them.

As for a child domain, yes, you can still have a single organisation.
Author Comment by georgestark (LVL 3):
Thanks Jay.
Food for thought. I think we would like to add NA to our domain, but the question of separate IT departments and security is an issue: not for us in the UK, as we control all the domain, but the NA IT department are a concern. It would be nice to keep the abc.local domain for everyone instead of having abc.local for the UK and NAabc.local for NA. The only thing we definitely need to keep is the single Exchange organization, as both UK and NA will be using the @abc.com email address.

Again, thanks for all your help on this, and any further comment would be appreciated.

George
Expert Comment by Jay_Jay70 (LVL 48):
I still think your best bet is to use the Delegation of Control wizard on an OU...

This way you keep ABC.LOCAL as the single domain, and admins in the NA branch only have access to what you give them through the wizard, on the OU you specify... Maybe I am missing something here??

Cheers Bud
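The delegation Jay describes above, as an added example that is not code from the original thread. It scripts what the Delegation of Control wizard does when "Full Control" is granted on an OU, and then checks the two things George worries about further down: that the delegated group holds no rights on the Domain Controllers OU and is not nested in any built-in privileged group, so nothing NA IT does can land on a DC and replicate out. It uses the ActiveDirectory PowerShell module (which needs a 2008 R2 or later DC, or ADWS, to talk to); the domain abc.local, the OU name NA and the group name NAAdmins are assumptions and do not appear in the thread.

```powershell
# Added example, not code from the original thread. It does in script what the
# "Delegation of Control" wizard does when you choose "Full Control" on an OU,
# then verifies that the delegated group has no foothold on the domain
# controllers. Assumptions (none of these names appear in the thread):
# the domain is abc.local, the NA objects live in OU=NA, and the NA IT staff
# are members of a global security group called NAAdmins.

Import-Module ActiveDirectory

$DomainDN  = 'DC=abc,DC=local'
$NaOuDN    = "OU=NA,$DomainDN"                 # assumed OU for NA users, computers, member servers
$DcOuDN    = "OU=Domain Controllers,$DomainDN" # default container for DC computer objects
$GroupName = 'NAAdmins'                        # assumed group for the NA IT department

# 1. Create the OU and the group if they do not exist. The group is created in
#    CN=Users, outside the delegated OU, so its membership stays under UK control.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$NaOuDN'")) {
    New-ADOrganizationalUnit -Name 'NA' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
        -GroupCategory Security -Path "CN=Users,$DomainDN"
}
$Group = Get-ADGroup -Identity $GroupName

# 2. Grant GenericAll (the wizard's "Full Control") on the OU and everything
#    beneath it. Nothing is written to the domain head or to any other OU.
$Acl = Get-Acl -Path "AD:\$NaOuDN"
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$NaOuDN" -AclObject $Acl

# 3. Check that the delegation did not leak onto the DCs. An explicit ACE for
#    the group on the Domain Controllers OU, or nesting of the group inside a
#    built-in privileged group, would let an NA change replicate to every DC.
$DcAces = (Get-Acl -Path "AD:\$DcOuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" }
if ($DcAces) {
    throw "$GroupName holds an ACE on $DcOuDN; remove it before handing over the group"
}

$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
# LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side, so a
# group reached through two or three levels of nesting is still caught.
$ChainFilter = "(member:1.2.840.113556.1.4.1941:=$($Group.DistinguishedName))"
$MemberOf = Get-ADGroup -LDAPFilter $ChainFilter | Select-Object -ExpandProperty Name
$Bad = $MemberOf | Where-Object { $Privileged -contains $_ }
if ($Bad) {
    throw "$GroupName is nested in privileged group(s): $($Bad -join ', ')"
}

Write-Output "$GroupName has Full Control of $NaOuDN and no rights on $DcOuDN"

# On Windows Server 2003 DCs, which have no Active Directory Web Services for
# the PowerShell module, the same ACE can be written with the support tool:
#   dsacls "OU=NA,DC=abc,DC=local" /I:T /G "ABC\NAAdmins:GA"
```

Two consequences of "Full Control" worth knowing before the OU is handed over: it includes write access to the OU's own ACL and to its gPLink attribute, so the NA team can re-delegate inside their OU and link existing GPOs to it (creating new GPOs still needs Group Policy Creator Owners, and the Default Domain Controllers Policy stays out of reach); and it includes the right to reset the password of any account placed under the OU, so UK administrative accounts must never be moved into it. Full control over the computer objects of NA member servers says nothing about local logon or local administrator rights on those servers, which remain a separate decision.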
Author Comment by georgestark (LVL 3):
Jay,
Those are my thoughts exactly. The problem I am thinking of is if NA IT make a change to, say, permissions on a DC, it will replicate to all servers. Also, because of the time zones, NA IT need access to diagnose or fix issues.
I hope this makes sense.

Georgestark
Expert Comment by Jay_Jay70 (LVL 48):
I wouldn't be letting them near the DCs... servers, yes... but give them the adminpak and let them access just their OUs... problem solved. Create an emergency account for them if they need it to access DCs where you can't.
Author Comment by georgestark (LVL 3):
Jay,
This gets worse.
My boss wants to create 2 new sub-domains, UK.abc.local and NA.abc.local.
We then move all objects, servers and Exchange servers from the root domain abc.local into uk.abc.local, leaving abc.local empty; I don't know if this is even possible. We then have all Exchange servers, NAS servers, DCs, OUs etc. in the new sub-domain and add servers where needed in the NA domain.

Would this work?

Again your comments would be appreciated.

Warren
Accepted Solution by Jay_Jay70 (LVL 48, earned 500 total points):
Sure it would work; it will be a good fun migration that is going to be expensive, risky and painful, but yes, it will work. The root domain structure is actually very cool having it empty... but it's a waste of hardware in my opinion (I was faced with this same challenge so I have looked at it all before).

If your boss is going to be stubborn and is over-cautious, then he is going to bite himself. He needs to really take a look at his concerns and justify them... he is making a simple, easy task into a huge mess, for absolutely no reason.

I can tell you straight off the bat, you guys don't need child domains; it's simply a waste of time and effort :) but you know this already, it's your boss we need to talk to :)
Author Closing Comment by georgestark (LVL 3):
Jay,

Sorry for the long delay; this project is still on hold at the moment. I will re-address this when the time comes.

Again thanks for all your help on this.