DirectImpact
asked on
Multi-child domain vs multi-child domain with new tree
Hi,
I am starting a Windows 2008 R2 Datacenter with a corporate AD forest that will host many customer domains.
Each domain will need to be entirely independent of the others, meaning that all accounts, security, Exchange, Terminal Server, AD, etc. must not be viewable or available to the other domains.
Important: these domains must be linked to the corporate forest because they will be monitored by SCCM, which will be installed on the root domain.
For now I have 2 child domains (not with a new tree) and it goes well, but the trouble is that Exchange 2010 sees all the AD accounts of the other domain, and this is bad.
There is no way to remove transitive replication on the root domain.
So my question is: "What is the best way to configure the security of my actual setup, or what is the best way to restart my entire forest, considering that many independent domains will be installed in the corporate forest in the future?"
When you say security has to be independent, that is not possible with domains in the same forest. The forest is the security boundary. Joe Richards has a great quick blog post on it: http://blog.joeware.net/2008/07/17/1406/
So in terms of configuring security, if you want a true security boundary you have to have them in separate forests.
Thanks
Mike
You can have only one Exchange organization in an entire forest. There is no option for separation.
But what I am thinking here is that you can create an address list for each customer and give access only to them. Also, you must remove permission on the Global Address List for all users except Administrator. This way you can prevent other domains' users from seeing the whole address list. And this way they think this is their global address list.
Also make sure, in the database properties, to choose the appropriate offline address book in the "Client settings" tab.
Hope this will help you, let me know how it goes.
~ Anand
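A way to check the result of the address-list approach described in the answer above, added here as an example and not part of the original thread: it lists every allow entry that broad principals still hold on each address list and GAL, and shows which offline address book each mailbox database assigns. It assumes the Exchange Management Shell; the principal names in `$broadPrincipals` are assumptions to adjust to your environment.

```powershell
# Added example: audit address-list segregation in a shared Exchange organization.
# Run in the Exchange Management Shell (written to work on PowerShell 2.0).

# Assumption: these are the broad principals that should NOT be able to open
# a customer's address list. Add your own forest-wide groups as needed.
$broadPrincipals = 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Every address list and global address list in the organization.
$lists = @(Get-AddressList) + @(Get-GlobalAddressList)

# Collect each allow ACE that a broad principal still holds on a list.
$findings = foreach ($list in $lists) {
    Get-ADPermission -Identity $list.DistinguishedName |
        Where-Object { -not $_.Deny -and ($broadPrincipals -contains "$($_.User)") } |
        ForEach-Object {
            New-Object PSObject -Property @{
                AddressList    = $list.Name
                Principal      = "$($_.User)"
                AccessRights   = "$($_.AccessRights)"
                ExtendedRights = "$($_.ExtendedRights)"
                Inherited      = $_.IsInherited
            }
        }
}

# The offline address book each database hands to its mailboxes
# (the "Client settings" tab of the database properties).
$oabByDatabase = Get-MailboxDatabase | Select-Object Name, OfflineAddressBook

if ($findings) {
    Write-Warning 'Broad principals still have access to these address lists:'
    $findings | Sort-Object AddressList |
        Format-Table AddressList, Principal, AccessRights, ExtendedRights, Inherited -AutoSize
} else {
    Write-Host 'No allow entries for broad principals on any address list.'
}

$oabByDatabase | Format-Table -AutoSize
```

An entry marked `Inherited` has to be fixed on the parent container rather than on the list itself, and a database with an empty `OfflineAddressBook` value has no explicit assignment to a customer-specific offline address book.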
ASKER
OK, thanks for giving me a fast response.
OK, in that case, I ask a question: is there a way to change the domain trusts to be unidirectional instead of bidirectional in the Forest-to-Domain? If not, do you think that the best way to respond to my needs is to configure the security on the server side (e.g. Exchange) and maybe force the view to a particular AD?
ASKER
Missing some links to configure GAL permission
DirectImpact:
Here is what you are looking for,
http://www.msexchange.org/articles_tutorials/exchange-server-2007/migration-deployment/shared-hosting-exchange-2007-part1.html
~ Anand
ASKER
Thanks a lot Anand,
This will be great for me; I will introduce this setup in my configuration.
Thanks again for your support, I appreciate it.
You are welcome... Thanks for the points.
~ Anand