Solved

International Project - New Forest + Trust vs Subdomain (with mail server considerations)?

Posted on 2011-03-14
542 Views
Last Modified: 2012-08-13
Hello all, I just wanted to thank everyone that takes time out of their day to answer my question(s). It's greatly appreciated.

Context:
I work for a medium-sized business in the manufacturing sector. Recently, we began going after the Chinese market and have set up a small office of about 20 employees (5 or 6 being sales/service folks that are always traveling). In the short term, we've contracted IT assistance to help us set up a small workgroup environment with a single file server (Windows 7, Server 2008). We have a dedicated tunnel from our main office to the China office and they utilize an ERP application via terminal server daily.

We're interested in setting them up on a domain; however, I'm pretty torn between a few options. The important consideration is we'd like to avoid setting up a mail server for now, as that will increase management overhead, and all of the OSes are going to be in Chinese (none of us speak Chinese, much less read it). The China office has a 10 Mbps connection, so e-mail shouldn't take a huge performance hit being based out of our office. Also, I'd like to easily be able to delegate control to 1 or 2 IT individuals when they are hired on in the not so near future.

Option 1) Set them up as a new forest with a two-way trust. I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server. If e-mail works seamlessly between the two forests, this seems like a viable solution. I have limited experience working with e-mail (domain registrars, mail servers, etc.), so let me know if you need more detail regarding our environment.

Option 2) Set them up as a sub-domain within our forest. Assuming the language has no effect on interoperability, this option may work great. That way everything is within the same forest. I'm also not sure how operating systems of different languages interoperate. I imagine there wouldn't be any problems, but I haven't been able to find much online.

Option 3) The option of simply adding them to our much too flat Active Directory is something I'd like to avoid if possible, but that's certainly an option as well.

To add additional context, the main office environment is purely Server 2003 (domain level and forest level), so that will need to be taken into consideration as well.

Anyone ever face a similar decision? Let me know if you need any additional information and I will continue to research on the side. =)
Question by:MegafabTech
LVL 57

Expert Comment

by:Mike Kline
Do you trust the admins over on the other side? The reason I ask is because the forest is the security boundary; if they are in your domain/forest, they have access to your AD.

Thanks

Mike
LVL 15

Accepted Solution

by:
GreatVargas earned 500 total points
Option 1) Set them up as a new forest with a two-way trust. I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server. If e-mail works seamlessly between the two forests, this seems like a viable solution. I have limited experience working with e-mail (domain registrars, mail servers, etc.), so let me know if you need more detail regarding our environment.

Question: are you planning to have one Exchange in the Chinese forest, or just use the Exchange that you have in yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.

Option 2) Set them up as a sub-domain within our forest. Assuming the language has no effect on interoperability, this option may work great. That way everything is within the same forest. I'm also not sure how operating systems of different languages interoperate. I imagine there wouldn't be any problems, but I haven't been able to find much online.

Question: assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees in China. Once again my question is, will China have one dedicated Exchange server?

Option 3 can also be a good option: add a domain controller in China, for local logins, in the same domain.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead.
Having 2 forests with a trust relationship will imply having 2 Exchange organizations.

Author Comment

by:MegafabTech
Mkline71, I don't necessarily trust the China office. I'd prefer to keep them as a separate entity, as it's more secure, and then delegate control to a single admin at a later date (when someone is hired in house).

GreatVargas:
Are you planning to have one Exchange in the Chinese forest, or just use the Exchange that you have in yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.
- The plan in the short term (and possibly long term) is to maintain a single Exchange server on our end (within the US). I agree with the forest being more management overhead, so I'm playing tug-of-war with security vs. management overhead, it appears.

Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees in China. Once again my question is, will China have one dedicated Exchange server?
- Answered the Exchange question above. It's not that I don't like option 3; I've just always disliked our flat AD. Now that I think about it, however, I don't really see much benefit in making them a sub-domain of our current forest. From what I understand, a sub-domain is primarily for IT management purposes, and we've downsized to the point where that really isn't necessary. I think I've renewed my interest in option 3.

Option 3 can also be a good option: add a domain controller in China, for local logins, in the same domain.
- Agreed.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead. Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
- I wasn't sure if you could set up a second forest to communicate with your forest's Exchange server. If that's not possible, I believe this would rule out option 1 entirely.


Author Comment

by:MegafabTech
One of the only unanswered questions would be: will a Chinese operating system function perfectly with an English operating system? I'm referring specifically to a Chinese domain controller communicating with an English forest.
LVL 15

Assisted Solution

by:GreatVargas
GreatVargas earned 500 total points
Regarding the security issue in a sub-domain scenario, you can solve it by giving domain admin rights (or some other, more restricted rights) only in the China sub-domain.

Regarding the language issue, you can have domain controllers in different languages in the same domain without issues.

As far as having a multi-forest environment, see the link to be elucidated about what Exchange 2010 supports:

http://technet.microsoft.com/en-us/library/bb124734.aspx

Hope it helps.
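An added example, not code from this thread or from either participant, showing one way to carry out the delegation the answers above describe inside the existing single domain (option 3): a dedicated OU for the China office with a narrow set of rights granted to a local admin group, rather than membership in Domain Admins. All names are hypothetical: the domain corp.example with NetBIOS name CORP, the OU "China Office" and the group "China-IT-Admins". The dsadd and dsacls command-line tools are used because they work against Windows Server 2003 domain controllers; the ActiveDirectory PowerShell module would need a 2008 R2 DC or the Active Directory Management Gateway Service.

```powershell
# Added example (not from this thread). Assumed names: domain corp.example
# (NetBIOS CORP), OU "China Office", group "China-IT-Admins".
# Run from a domain-joined admin workstation as a member of Domain Admins.
$Domain   = "DC=corp,DC=example"
$ChinaOU  = "OU=China Office,$Domain"
$GroupDN  = "CN=China-IT-Admins,$ChinaOU"
$Delegate = "CORP\China-IT-Admins"

# 1. Create the OU that will hold the China office's users and computers,
#    and the global security group that will receive the delegated rights.
dsadd ou $ChinaOU -desc "China office users and computers"
dsadd group $GroupDN -secgrp yes -scope g -desc "Delegated admins for the China OU"

# 2. Grant rights scoped to this OU and its children only. Nothing here touches
#    Domain Admins, so the China admins stay outside the forest-wide groups.
#    /I:S = apply to sub-objects only; /I:T = this object and sub-objects.
#    Reset Password extended right on user objects under the OU:
dsacls $ChinaOU /I:S /G "${Delegate}:CA;Reset Password;user"
#    Read/write pwdLastSet so they can set "change password at next logon":
dsacls $ChinaOU /I:S /G "${Delegate}:RPWP;pwdLastSet;user"
#    Read/write lockoutTime so they can unlock accounts:
dsacls $ChinaOU /I:S /G "${Delegate}:RPWP;lockoutTime;user"
#    Create and delete computer objects, so machines can be joined to this OU:
dsacls $ChinaOU /I:T /G "${Delegate}:CCDC;computer"

# 3. Verify the result. The first call prints the OU's ACL, which should now
#    list the four grants above for CORP\China-IT-Admins; the second shows the
#    domain root, where the group must not appear; the third confirms the
#    Domain Admins membership is unchanged.
dsacls $ChinaOU
dsacls $Domain
net group "Domain Admins" /domain
```

The `${Delegate}` braces matter in PowerShell: `$Delegate:CA` would be parsed as a variable with a scope or drive prefix, not as the string the tool expects. Delegating at the OU level this way grants a narrower set of rights than a child domain's Domain Admins would hold while keeping everything in one Exchange organization, which is the trade-off the thread settles on: the forest, not the domain, is the security boundary, so whoever administers the China office is inside the boundary under options 2 and 3 alike, and the OU approach simply keeps what they can do as small as the job requires.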

Author Comment

by:MegafabTech
This does help, thank you very much!

Author Closing Comment

by:MegafabTech
Thank you very much for your assistance. =)