Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Multi-child domain vs multi-child domain with new tree

Posted on 2010-11-12
9
Medium Priority
?
555 Views
Last Modified: 2012-05-10
Hi,
I start a Windows 2008 R2  Datacenter with a corporated AD Forest that will host many customer Domain.
 Each domain will need to be entirely independant for the others, meaning that all accounts, security, Exchange, Terminal server, AD etc...must not be view or available to the other domains.
Important, these domain must be linked to the corporated Forest because they will be monitor by SCCM that will be installed on the Root Domain.
For now i have 2 child domain(not with new tree) and it goes well ,but the trouble is that Exchange 2010 see all the AD account of the other domain and  this is bad.
There is no way to remove transitive replication on the root domain.
 So my question is, "What is the best way to configure the security of my actual setup or what is the best way to restart my entire Forest considering that many independant Domain will be install in the corporate Forest in the futur?"
0
Comment
Question by:DirectImpact
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 

Author Comment

by:DirectImpact
ID: 34120392
Thanks a lot
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34121077
When you say security has to be independent that is not possible with domains in the same forest.  The forest is the security boundary.   Joe Richards has a great quick blog on it   http://blog.joeware.net/2008/07/17/1406/

So in terms of configuring security if you want t true security boudnary you have to have them in separate forests.

Thanks

Mike
0
 
LVL 5

Expert Comment

by:anandkumardeva
ID: 34121316
You can have only one Exchange organization in a entire forest. They is no option for separation.

But what I am thinkig here is that you can create address list for each customer and give access only to them. Also you must remove permission on Global address list for all the users except Administrator. This way you can prevent other domain users see whole address list. And this way they think this is their global address list.

Also make sure in the database properties, choose the appropriate offline address book in "Client settings" tab.........

Hope this will help you, let me know how it goes.

~ Anand
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:DirectImpact
ID: 34121371
OK Thanks to give me fast respons

OK in that way, and i ask a question, is there a way to change the domains trust to be unidirectionnal instead of bi-directionnal in the Forest-to-Domain? If not do you think that the best way to reply to my interrogation needs, is to configure the security at the server side(ex Exchange) and maybe force the vew to a particular AD?
0
 
LVL 5

Accepted Solution

by:
anandkumardeva earned 750 total points
ID: 34121428
You have to use ADSIEDIT to remove permission. Address list will be stored in,

 CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=***,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=***,DC=com

Make sure you test this in a test lab and try in production.

~ Anand
0
 

Author Closing Comment

by:DirectImpact
ID: 34158507
Missing some links to configure GAL permission
0
 
LVL 5

Expert Comment

by:anandkumardeva
ID: 34161928
0
 

Author Comment

by:DirectImpact
ID: 34163882
Thank a lot Anand,

This will be great for me, i will introde this setup in my configuration.

Thanks again for your support i appreciate
0
 
LVL 5

Expert Comment

by:anandkumardeva
ID: 34170099
You are welcome... Thanks for the points.

~ Anand
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question