Solved

setting up a multi-domain network

Posted on 2009-04-14
Last Modified: 2012-05-06
We have a client running server 2003 network (also running exchange).

We are adding a new location (and new domain) to the network and I am wondering what is the best way to set this up;

Each location will have a separate domain name (mostly for email purposes) but will need to share files, and users will need access to email from both domains - for this we will obviously install a VPN.

The basic scenario will be that users from each domain will be set up with a local folder (for data) and an email address that corresponds to their domain. But they will each need access to files at both locations and also we will probably give each site access to the other sites email via outlook web access.

I have been reading up on cross-domain trusts etc. Is this the best way to go? I take it that as far as file sharing goes, a domain trust will solve that problem. But what happens with email - will users at one site be able to automatically authenticate to email at the other site through OWA?

Or is there an alternate solution?

Question by:davids355

LVL 12

Accepted Solution

by: nealerocks earned 250 total points
Do you really need separate domains? This adds so much admin overhead. Is it only because of email? You can have multiple domains in exchange and you won't need to create multiple windows domains.
You should add domains as a last option because you will have separate FSMO roles for each domain, plus separate domain admins and security groups for each domain.
Forest trusts will allow authentication between different domains and you can authenticate using OWA simply by using the syntax domain\username.

But if at all possible I would avoid having multiple domains.
 
LVL 58

Assisted Solution

by: tigermatt earned 250 total points

You don't need any form of domain trusts. For each location, simply install DCs which are members of your present Active Directory domain. You can then configure Active Directory Sites and Services such that the servers are separated into separate sites (based on the geographic location) and are linked to the proper subnets.

Exchange can then be configured to give different groups of users different email address domains.

Anyone who says the Active Directory domain must match your Exchange email domain has been misinformed; best practice is to have one Active Directory domain, and simply add addresses via a Recipient Policy/Email Address Policy (for Exchange 2003/2007) to different groups of users.

-Matt
 

Author Comment

by:davids355
Thanks for the quick reply! I know email is not an issue, and I know you can easily add a different domain to the recipient policy so that you can receive/send mail from that domain also.

Just really wanted to know the correct way to do this. If you would recommend sticking to the one domain then I will do that. The only issue I would have then is that if employees had an email address for both domains I would still have to make them two separate AD accounts in order for them to be able to send and receive emails properly from both addresses, wouldn't I?

And the only other thing I am concerned about is redundancy - I have two sites, 1 domain and presumably 1 exchange server, that would mean Site B would be heavily reliant on site A (as that is where the exchange server would be running), does that matter?

Lastly, if I am running outlook from site B and connecting to the exchange server at site A (via the VPN) will there be any speed issues? IE how does exchange generally run over VPN and a BT broadband connection?

Basically, I am happy to do it the way you suggest if that is the generally accepted way of doing things??

LVL 12

Expert Comment

by:nealerocks
The Microsoft best practice is to avoid multiple domains unless you really need them. If you want users to be able to send from two different accounts they should be able to use the "From" field in Outlook. Accessing Exchange over a VPN really depends on the size of the link. You may need to consider OWA if the link is not fast enough. As for redundancy, you should aim to have two domain controllers, if you can.

Author Comment

by:davids355
Yeah, we sort of had that set up with the From field; the only issue is that you can't have different signatures for different users/domains. But I am also looking at Exclaimer or Policy Patrol to handle that.

LVL 12

Expert Comment

by:nealerocks
If you have two different signatures configured you can right-click on your signature and quickly switch it for the other one. Not a perfect solution but can sometimes help.
LVL 58

Expert Comment

by:tigermatt
Microsoft recommendations are to have one domain, until the company grows so large that you are forced to spread into separate domains. By "large", they generally mean several thousand employees. However, a single domain could still handle that many users; the general requirement for spreading into a second domain would be for business structural reasons, for example, separating thousands of field workers from thousands of office staff.

Unless you have thousands of users which work in separate business units, a single domain with multiple Active Directory sites would be most suitable.

For employees to send as one of two company email domains, they will need duplicate accounts. They will also need the appropriate permissions assigned. This is a slight overhead, but nevertheless, a very easy one to overcome.

You could locate a second Exchange Server in Site B, and use either Exchange 2007's CCR clustering (requires Exchange Enterprise and Windows Enterprise), or install two Exchange Servers and use third-party clustering/failover software such as DoubleTake. This would give you a lot of resilience in Exchange. You would also obviously require multiple DCs promoted for Active Directory resilience.

You should have a box-to-box (hardware-based) site-to-site VPN from site A to site B and vice-versa. It ultimately depends on the speed of the internet lines at each site, and how many users/how much traffic will be passing over the line. If you have a number of medium- to heavy-demand users at Site B, your best option would be a second Exchange Server in Site B which that site's users connect directly to locally.

I can assure you this configuration is per best practices.

-Matt
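The single-domain, multi-site design Matt describes in both of his answers (DCs in one domain split into AD sites by subnet, a second SMTP domain assigned through an email address policy, and Send As rights for the duplicate account), as an added PowerShell example that is not part of the original thread. It assumes a current Active Directory with the RSAT ActiveDirectory module and the Exchange Management Shell rather than the 2003-era GUI tools; the domain, site, subnet, OU and account names are made up.

```powershell
# Assumed names (not from the thread): domain corp.example.com, sites SiteA and SiteB,
# subnets 10.1.0.0/16 and 10.2.0.0/16, secondary mail domain siteb.example.com,
# Site B users held in OU=SiteB,DC=corp,DC=example,DC=com, and a DC named DC-B1.
Import-Module ActiveDirectory

# 1. One domain, two AD sites: clients authenticate against and replicate with the
#    local DCs, so Site B keeps working if the VPN to Site A drops.
New-ADReplicationSite -Name "SiteA"
New-ADReplicationSite -Name "SiteB"
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "SiteA"
New-ADReplicationSubnet -Name "10.2.0.0/16" -Site "SiteB"
# Site link over the site-to-site VPN; 30-minute replication keeps WAN traffic modest.
New-ADReplicationSiteLink -Name "SiteA-SiteB" -SitesIncluded "SiteA","SiteB" `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
# A newly promoted DC lands in Default-First-Site-Name; move it to its real site.
Move-ADDirectoryServer -Identity "DC-B1" -Site "SiteB"

# 2. Exchange: the second email domain is an accepted domain plus an address policy
#    scoped to the Site B OU, so no second Windows domain is needed.
#    (Run the rest in the Exchange Management Shell.)
New-AcceptedDomain -Name "siteb.example.com" -DomainName "siteb.example.com" `
    -DomainType Authoritative
New-EmailAddressPolicy -Name "SiteB users" `
    -RecipientContainer "OU=SiteB,DC=corp,DC=example,DC=com" `
    -IncludedRecipients MailboxUsers -Priority 1 `
    -EnabledEmailAddressTemplates "SMTP:%m@siteb.example.com","smtp:%m@corp.example.com"
Update-EmailAddressPolicy -Identity "SiteB users"

# 3. A user who needs to send from both domains gets a second mailbox and only the
#    Send As right on it (not Full Access), which is the least privilege that works
#    with the Outlook "From" field.
Add-ADPermission -Identity "jsmith-siteb" -User "CORP\jsmith" -ExtendedRights "Send As"
# Verify: list explicit (non-inherited) Send As grants on the mailbox.
Get-ADPermission -Identity "jsmith-siteb" |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and -not $_.IsInherited } |
    Select-Object User, ExtendedRights
```

Users at either site then log in to OWA with the domain\username syntax nealerocks mentions, since both mailboxes live in the same domain.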

Author Closing Comment

by:davids355
thanks guys