setting up a multi-domain network

Posted on 2009-04-14
Last Modified: 2012-05-06
We have a client running server 2003 network (also running exchange).

We are adding a new location (and new domain) to the network and I am wondering what is the best way to set this up;

Each location will have a seperate domain name (mostly for email purposes) but will need to share files and users will need access to email from both domains - for this we will obviously install a VPN.

The basic scenario will be that users from each domain will be set up with a local folder (for data) and an email address that corresponds to their domain. But they will each need access to files at both locations and also we will probably give each site access to the other sites email via outlook web access.

I have been reading up on cross domain trusts etc, is this the best way to go? I take it that as far as file sharing goes, a domain trust will solve that problem. ut what hapens with email - will users at one site be able to automatically authenticate to email at the other site through OWA?

Or is there an alternate solution?

Question by:davids355
  • 3
  • 3
  • 2
LVL 12

Accepted Solution

nealerocks earned 250 total points
ID: 24138705
Do you really need separate domains? This adds so much admin overhead. Is it only because of email? You can have multiple domains in exchange and you won't need to create multiple windows domains.
You should add domains as a last option because you will have separate FSMO roles for each domain, plus separate domain admins and security groups for each domain.
Forest trusts will allow authentication between different domains and you can authenticate using OWA simply by using the syntax domain\username.

But if at all possible i would avoid having multiple domains.....
LVL 58

Assisted Solution

tigermatt earned 250 total points
ID: 24138721

You don't need any form of domain trusts. For each location, simply install DCs which are members of your present Active Directory domain. You can then configure Active Directory Sites and Services such that the servers are separated into separate sites (based on the geographic location) and are linked to the proper subnets.

Exchange can then be configured to give different groups of users different email address domains.

Anyone who says the Active Directory domain must match your Exchange email domain has been misinformed; best practice is to have one Active Directory domain, and simply add addresses via a Recipient Policy/Email Address Policy (for Exchange 2003/2007) to different groups of users.


Author Comment

ID: 24139086
Thanks for the quick reply! I know email is not an issue, and I know you can easily add a different domain to the recipient policy so that you can receive/send mail from that domain also.

Just really wanted to know the correct way to do this. If you would recommend sticking to the one domain then I will do that. The only issue I would have then is that if employees had an email address for both domains I would still have to make them two seperate AD accounts in order for them to be able to send and receive emails properly from both addresses wouldnt I?

And the only other thing I am concerned about is redundancy - I have two sites, 1 domain and presumably 1 exchange server, that would mean Site B would be heavily reliant on site A (as that is where the exchange server would be running), does that matter?

Lastly, if I am running outlook from site B and connecting to the exchange server at site A (via the VPN) will there be any speed issues? IE how does exchange generally run over VPN and a BT broadband connection?

Basically, I am happy to do it the way you suggest if that is the generally accepted way of doing things??

LVL 12

Expert Comment

ID: 24139171
The Microsoft best-practise is to avoid multiple domains unless you really need them. If you want users to be able to send from two different accounts they should be able to use the "from" field in outlook. Accessing Exchange over a VPN really depends on the size of the link. You may need to conside OWA if the link is not fast enough. As for redundancy you should aim to have two domain controllers, if you can.
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.


Author Comment

ID: 24139334
Yea we sort of had that setup with the from field, the only issue is that you cant have different signatures for different users/domains. But I am also looking at Exclaimer or Policy Patrol to handle that.

LVL 12

Expert Comment

ID: 24139361
If you have two different signatures configured you can right-click on your signature and quickly switch it for the other one. Not a perfect solution but can sometimes help.
LVL 58

Expert Comment

ID: 24140381

Microsoft recommendations are to have one domain, until the company grows so large that you are forced to spread into separate domains. By "large", they generally mean several thousand employees. However, a single domain could still handle that many users; the general requirement for spreading into a second domain would be for business structural reasons, for example, separating thousands of field workers from thousands of office staff.

Unless you have thousands of users which work in separate business units, a single domain with multiple Active Directory sites would be most suitable.

For employees to send as one of two company email domains, they will need duplicate accounts. They will also need the appropriate permissions assigned. This is a slight overhead, but nevertheless, a very easy one to overcome.

You could locate a second Exchange Server in Site B, and use either Exchange 2007's CCR clustering (requires Exchange Enterprise and Windows Enterprise), or install two Exchange Servers and use third-party clustering/failover software such as DoubleTake. This would give you a lot of resilience in Exchange. You would also obviously require multiple DCs promoted for Active Directory resilience.

You should have a box-to-box (hardware-based) site-to-site VPN from site A to site B and vice-versa. It ultimately depends on the speed of the internet lines at each site, and how many users/how much traffic will be passing over the line. If you have a number of medium- to heavy-demand users at Site B, your best option would be a second Exchange Server in Site B which that site's users connect directly to locally.

I can assure you this configuration is per best practices.


Author Closing Comment

ID: 31569927
thanks guys

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Find out what you should include to make the best professional email signature for your organization.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now