setting up a multi-domain network

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
We have a client running a Server 2003 network (also running Exchange).

We are adding a new location (and new domain) to the network and I am wondering what is the best way to set this up:

Each location will have a separate domain name (mostly for email purposes) but will need to share files, and users will need access to email from both domains - for this we will obviously install a VPN.

The basic scenario will be that users from each domain will be set up with a local folder (for data) and an email address that corresponds to their domain. But they will each need access to files at both locations and also we will probably give each site access to the other sites email via outlook web access.

I have been reading up on cross-domain trusts etc. Is this the best way to go? I take it that as far as file sharing goes, a domain trust will solve that problem. But what happens with email - will users at one site be able to automatically authenticate to email at the other site through OWA?

Or is there an alternate solution?

Question by:davids355
LVL 12

Accepted Solution

nealerocks earned 1000 total points
ID: 24138705
Do you really need separate domains? This adds so much admin overhead. Is it only because of email? You can have multiple domains in exchange and you won't need to create multiple windows domains.
You should add domains as a last option because you will have separate FSMO roles for each domain, plus separate domain admins and security groups for each domain.
Forest trusts will allow authentication between different domains and you can authenticate using OWA simply by using the syntax domain\username.

But if at all possible I would avoid having multiple domains.
LVL 58

Assisted Solution

tigermatt earned 1000 total points
ID: 24138721

You don't need any form of domain trusts. For each location, simply install DCs which are members of your present Active Directory domain. You can then configure Active Directory Sites and Services such that the servers are separated into separate sites (based on the geographic location) and are linked to the proper subnets.

Exchange can then be configured to give different groups of users different email address domains.

Anyone who says the Active Directory domain must match your Exchange email domain has been misinformed; best practice is to have one Active Directory domain, and simply add addresses via a Recipient Policy/Email Address Policy (for Exchange 2003/2007) to different groups of users.
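
As an added example (not code from the original thread or from either answerer), the following PowerShell shows the single-domain layout described above: one Active Directory domain, one AD site per physical location bound to that location's subnet, and Exchange email address policies that give each location's users a different SMTP domain. The site names, subnets, the department attribute used as the filter, and the mail domains contoso.example / fabrikam.example are assumptions for illustration. It assumes the ActiveDirectory module (Windows Server 2012+ or RSAT) and the Exchange 2007 Management Shell; on the Server 2003 / Exchange 2003 platform the question mentions, the same steps are done in AD Sites and Services and the Recipient Policy UI.

```powershell
# Added example, not from the original thread. Names, subnets and mail domains
# are assumptions; requires the ActiveDirectory module and the Exchange
# Management Shell.

Import-Module ActiveDirectory

# 1. One AD site per location, each bound to that location's subnet, so
#    clients log on against their local DC and replication over the
#    site-to-site VPN runs on a schedule instead of on every change.
New-ADReplicationSite -Name "Site-A"
New-ADReplicationSite -Name "Site-B"
New-ADReplicationSubnet -Name "10.1.0.0/24" -Site "Site-A"
New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "Site-B"

# Link the two sites; cost and interval chosen for a slow broadband VPN link.
New-ADReplicationSiteLink -Name "SiteA-SiteB" `
    -SitesIncluded "Site-A","Site-B" `
    -Cost 100 -ReplicationFrequencyInMinutes 30 `
    -InterSiteTransportProtocol IP

# Move the DC promoted at the new location into its site (DC name assumed).
Move-ADDirectoryServer -Identity "DC-SITEB" -Site "Site-B"

# 2. Exchange: the second email domain must be accepted before it can be
#    stamped on recipients (Exchange 2007 equivalent of a 2003 recipient policy).
New-AcceptedDomain -Name "Fabrikam" -DomainName "fabrikam.example" -DomainType Authoritative

# Each location's users get their own domain as the primary (uppercase SMTP:)
# address and the other domain as a secondary proxy address, so mail sent to
# either address is delivered to the one mailbox. The Department attribute is
# the selector here; a group or OU filter works the same way.
New-EmailAddressPolicy -Name "Site B users" `
    -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Department -eq 'Site B'))" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@fabrikam.example","smtp:%g.%s@contoso.example" `
    -Priority 1

New-EmailAddressPolicy -Name "Site A users" `
    -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Department -eq 'Site A'))" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@contoso.example","smtp:%g.%s@fabrikam.example" `
    -Priority 2

# Policies are only applied to existing recipients when explicitly updated.
Update-EmailAddressPolicy -Identity "Site B users"
Update-EmailAddressPolicy -Identity "Site A users"

# 3. Checks. Which site does this machine land in, and which DC does Site B
#    get handed for logons? If the second command returns the Site A DC,
#    the subnet-to-site mapping is wrong and Site B will authenticate over
#    the VPN.
nltest /dsgetsite
nltest /dsgetdc:contoso.example /site:Site-B

# Confirm the addresses actually stamped on a Site B mailbox.
Get-Mailbox -Filter "Department -eq 'Site B'" |
    Select-Object Name, PrimarySmtpAddress, EmailAddresses
```

Note the ordering: the accepted domain must exist before a policy can stamp it, and `Update-EmailAddressPolicy` is needed because creating a policy does not touch recipients that already exist.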


Author Comment

ID: 24139086
Thanks for the quick reply! I know email is not an issue, and I know you can easily add a different domain to the recipient policy so that you can receive/send mail from that domain also.

Just really wanted to know the correct way to do this. If you would recommend sticking to the one domain then I will do that. The only issue I would have then is that if employees had an email address for both domains I would still have to make them two separate AD accounts in order for them to be able to send and receive emails properly from both addresses, wouldn't I?

And the only other thing I am concerned about is redundancy - I have two sites, 1 domain and presumably 1 exchange server, that would mean Site B would be heavily reliant on site A (as that is where the exchange server would be running), does that matter?

Lastly, if I am running Outlook from site B and connecting to the Exchange server at site A (via the VPN) will there be any speed issues? I.e. how does Exchange generally run over a VPN and a BT broadband connection?

Basically, I am happy to do it the way you suggest if that is the generally accepted way of doing things??


LVL 12

Expert Comment

ID: 24139171
The Microsoft best practice is to avoid multiple domains unless you really need them. If you want users to be able to send from two different accounts they should be able to use the "From" field in Outlook. Accessing Exchange over a VPN really depends on the size of the link. You may need to consider OWA if the link is not fast enough. As for redundancy you should aim to have two domain controllers, if you can.

Author Comment

ID: 24139334
Yeah, we sort of had that setup with the From field; the only issue is that you can't have different signatures for different users/domains. But I am also looking at Exclaimer or Policy Patrol to handle that.

LVL 12

Expert Comment

ID: 24139361
If you have two different signatures configured you can right-click on your signature and quickly switch it for the other one. Not a perfect solution but can sometimes help.
LVL 58

Expert Comment

ID: 24140381

Microsoft recommendations are to have one domain, until the company grows so large that you are forced to spread into separate domains. By "large", they generally mean several thousand employees. However, a single domain could still handle that many users; the general requirement for spreading into a second domain would be for business structural reasons, for example, separating thousands of field workers from thousands of office staff.

Unless you have thousands of users which work in separate business units, a single domain with multiple Active Directory sites would be most suitable.

For employees to send as one of two company email domains, they will need duplicate accounts. They will also need the appropriate permissions assigned. This is a slight overhead, but nevertheless, a very easy one to overcome.

You could locate a second Exchange Server in Site B, and use either Exchange 2007's CCR clustering (requires Exchange Enterprise and Windows Enterprise), or install two Exchange Servers and use third-party clustering/failover software such as DoubleTake. This would give you a lot of resilience in Exchange. You would also obviously require multiple DCs promoted for Active Directory resilience.

You should have a box-to-box (hardware-based) site-to-site VPN from site A to site B and vice-versa. It ultimately depends on the speed of the internet lines at each site, and how many users/how much traffic will be passing over the line. If you have a number of medium- to heavy-demand users at Site B, your best option would be a second Exchange Server in Site B which that site's users connect directly to locally.

I can assure you this configuration is per best practices.
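
The duplicate-account arrangement described in the answer above, as an added example (not the answerer's code): a second mailbox-enabled account in the same AD domain with its primary address in the other email domain, and the person's day-to-day account granted Send-As and Full Access on it so Outlook's From field is honoured. Account names, the OU, the database name and the domains are assumptions; it assumes the Exchange 2007 Management Shell.

```powershell
# Added example, not from the original thread. Names, OU, database and
# domains are assumptions; requires the Exchange Management Shell.

# Second mailbox for the same person. New-Mailbox creates the AD user too.
$pw = Read-Host -AsSecureString "Password for the second account"
New-Mailbox -Name "Jane Smith (Fabrikam)" -Alias "jsmith.fabrikam" `
    -UserPrincipalName "jsmith.fabrikam@contoso.example" `
    -OrganizationalUnit "contoso.example/Users" `
    -Database "MAILBOXDB01" -Password $pw

# Pin the primary address to the other company domain and stop the email
# address policy from rewriting it.
Set-Mailbox -Identity "jsmith.fabrikam" -EmailAddressPolicyEnabled $false `
    -PrimarySmtpAddress "jane.smith@fabrikam.example"

# Her everyday account needs two rights on the second mailbox:
#  - Send-As, an AD extended right on the user object, so mail submitted
#    with the second address in the From field is accepted instead of being
#    rejected or rewritten as "on behalf of"
#  - FullAccess, so Outlook can open the second mailbox alongside her own
Add-ADPermission -Identity "Jane Smith (Fabrikam)" -User "CONTOSO\jsmith" `
    -ExtendedRights "Send-As"
Add-MailboxPermission -Identity "jsmith.fabrikam" -User "CONTOSO\jsmith" `
    -AccessRights FullAccess

# Check: list every explicit Send-As grant on the second mailbox. Anyone
# listed here can send mail as that address, so this is the list to audit;
# only the intended account should appear.
Get-ADPermission -Identity "Jane Smith (Fabrikam)" |
    Where-Object {
        $_.ExtendedRights -like "*Send-As*" -and
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    Select-Object Identity, User, Deny
```

The same `Get-ADPermission` filter, run without `-Identity` against all mailboxes, is a quick way to find Send-As grants that have accumulated over time and no longer belong.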


Author Closing Comment

ID: 31569927
thanks guys
