

setting up a multi-domain network

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
We have a client running a Server 2003 network (also running Exchange).

We are adding a new location (and new domain) to the network and I am wondering what is the best way to set this up.

Each location will have a separate domain name (mostly for email purposes) but will need to share files, and users will need access to email from both domains - for this we will obviously install a VPN.

The basic scenario will be that users from each domain will be set up with a local folder (for data) and an email address that corresponds to their domain. But they will each need access to files at both locations, and also we will probably give each site access to the other site's email via Outlook Web Access.

I have been reading up on cross-domain trusts etc. Is this the best way to go? I take it that as far as file sharing goes, a domain trust will solve that problem. But what happens with email - will users at one site be able to automatically authenticate to email at the other site through OWA?

Or is there an alternate solution?

Question by: davids355
LVL 12

Accepted Solution

nealerocks earned 1000 total points
ID: 24138705
Do you really need separate domains? This adds so much admin overhead. Is it only because of email? You can have multiple domains in Exchange and you won't need to create multiple Windows domains.
You should add domains as a last option because you will have separate FSMO roles for each domain, plus separate domain admins and security groups for each domain.
Forest trusts will allow authentication between different domains and you can authenticate using OWA simply by using the syntax domain\username.

But if at all possible I would avoid having multiple domains...
LVL 58

Assisted Solution

tigermatt earned 1000 total points
ID: 24138721

You don't need any form of domain trusts. For each location, simply install DCs which are members of your present Active Directory domain. You can then configure Active Directory Sites and Services such that the servers are separated into separate sites (based on the geographic location) and are linked to the proper subnets.

Exchange can then be configured to give different groups of users different email address domains.

Anyone who says the Active Directory domain must match your Exchange email domain has been misinformed; best practice is to have one Active Directory domain, and simply add addresses via a Recipient Policy/Email Address Policy (for Exchange 2003/2007) to different groups of users.
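The layout this answer describes (one AD domain, one site per office with its own DC and subnet, and a second email domain assigned by address policy rather than by a second Windows domain) written out as PowerShell. This is an added example, not code from the thread: it assumes the Windows Server 2012+ ActiveDirectory module and an Exchange 2007+ Management Shell, so it would not run verbatim against the Server 2003/Exchange 2003 environment in the question (there the same steps are done in Sites and Services and Recipient Policies); all site names, subnets, domain names and the account names are placeholders.

```powershell
# Added example: single AD domain, two AD sites, second SMTP domain by policy.
# Assumes ActiveDirectory module (Server 2012+) and Exchange Management Shell
# (2007+). Site names, subnets, SMTP domains and accounts are placeholders.
Import-Module ActiveDirectory

# 1. One domain, two sites. The DC at the new office is promoted into the
#    existing domain and then moved into its own site.
New-ADReplicationSite -Name "SiteA-HeadOffice"
New-ADReplicationSite -Name "SiteB-NewOffice"

# 2. Map each office LAN to its site so clients log on against the local
#    DC instead of crossing the VPN for authentication.
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "SiteA-HeadOffice"
New-ADReplicationSubnet -Name "10.2.0.0/16" -Site "SiteB-NewOffice"

# 3. Site link over the VPN. A higher cost and a longer interval keep
#    replication traffic modest on a broadband line.
New-ADReplicationSiteLink -Name "SiteA-SiteB-VPN" `
    -SitesIncluded "SiteA-HeadOffice","SiteB-NewOffice" `
    -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# 4. Exchange: register the second SMTP domain, then hand it to a group of
#    users through an email address policy. Here mailboxes whose
#    CustomAttribute1 is "SiteB" get a primary @siteb.example.com address;
#    everyone else keeps the default policy. No second AD domain involved.
New-AcceptedDomain -Name "SiteB" -DomainName "siteb.example.com" `
    -DomainType Authoritative
New-EmailAddressPolicy -Name "SiteB users" `
    -IncludedRecipients MailboxUsers `
    -ConditionalCustomAttribute1 "SiteB" `
    -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@siteb.example.com" `
    -Priority 1
Update-EmailAddressPolicy -Identity "SiteB users"

# 5. A user who must send as both domains gets a second mailbox and Send As
#    rights on it; Outlook's From field then picks the sending address.
Add-ADPermission -Identity "jdoe-siteb" -User "CORP\jdoe" `
    -ExtendedRights "Send As"
```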


Author Comment

ID: 24139086
Thanks for the quick reply! I know email is not an issue, and I know you can easily add a different domain to the recipient policy so that you can receive/send mail from that domain also.

Just really wanted to know the correct way to do this. If you would recommend sticking to the one domain then I will do that. The only issue I would have then is that if employees had an email address for both domains I would still have to make them two separate AD accounts in order for them to be able to send and receive emails properly from both addresses, wouldn't I?

And the only other thing I am concerned about is redundancy - I have two sites, 1 domain and presumably 1 Exchange server; that would mean Site B would be heavily reliant on Site A (as that is where the Exchange server would be running). Does that matter?

Lastly, if I am running Outlook from Site B and connecting to the Exchange server at Site A (via the VPN), will there be any speed issues? I.e. how does Exchange generally run over VPN and a BT broadband connection?

Basically, I am happy to do it the way you suggest if that is the generally accepted way of doing things?


LVL 12

Expert Comment

ID: 24139171
The Microsoft best practice is to avoid multiple domains unless you really need them. If you want users to be able to send from two different accounts they should be able to use the "From" field in Outlook. Accessing Exchange over a VPN really depends on the size of the link. You may need to consider OWA if the link is not fast enough. As for redundancy, you should aim to have two domain controllers, if you can.

Author Comment

ID: 24139334
Yeah, we sort of had that setup with the From field; the only issue is that you can't have different signatures for different users/domains. But I am also looking at Exclaimer or Policy Patrol to handle that.

LVL 12

Expert Comment

ID: 24139361
If you have two different signatures configured you can right-click on your signature and quickly switch it for the other one. Not a perfect solution but can sometimes help.
LVL 58

Expert Comment

ID: 24140381

Microsoft recommendations are to have one domain, until the company grows so large that you are forced to spread into separate domains. By "large", they generally mean several thousand employees. However, a single domain could still handle that many users; the general requirement for spreading into a second domain would be for business structural reasons, for example, separating thousands of field workers from thousands of office staff.

Unless you have thousands of users which work in separate business units, a single domain with multiple Active Directory sites would be most suitable.

For employees to send as one of two company email domains, they will need duplicate accounts. They will also need the appropriate permissions assigned. This is a slight overhead, but nevertheless, a very easy one to overcome.

You could locate a second Exchange Server in Site B, and use either Exchange 2007's CCR clustering (requires Exchange Enterprise and Windows Enterprise), or install two Exchange Servers and use third-party clustering/failover software such as DoubleTake. This would give you a lot of resilience in Exchange. You would also obviously require multiple DCs promoted for Active Directory resilience.

You should have a box-to-box (hardware-based) site-to-site VPN from site A to site B and vice-versa. It ultimately depends on the speed of the internet lines at each site, and how many users/how much traffic will be passing over the line. If you have a number of medium- to heavy-demand users at Site B, your best option would be a second Exchange Server in Site B which that site's users connect directly to locally.

I can assure you this configuration is per best practices.


Author Closing Comment

ID: 31569927
thanks guys
