International Project - New Forest + Trust vs Subdomain (with mail server considerations)?

Hello all, I just wanted to thank everyone that takes time out of their day to answer my question(s).  It's greatly appreciated.

Context:
I work for a medium-sized business in the manufacturing sector.  Recently, we began going after the Chinese market and have set up a small office of about 20 employees (5 or 6 being sales/service folks that are always traveling).  In the short term, we've contracted IT assistance to help us set up a small workgroup environment with a single file server (Windows 7, Server 2008).  We have a dedicated tunnel from our main office to the China office and they utilize an ERP application via terminal server daily.

We're interested in setting them up on a domain; however, I'm pretty torn between a few options.  The important consideration is we'd like to avoid setting up a mail server for now, as that will increase management overhead and all of the OSes are going to be in Chinese (none of us speak Chinese, much less read it).  The China office has a 10mbps connection so e-mail shouldn't take a huge performance hit being based out of our office.  Also, I'd like to easily be able to delegate control to 1 or 2 IT individuals when they are hired on in the not-so-near future.

Option 1)  Set them up as a new forest with a two-way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc.) so let me know if you need more detail regarding our environment.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.

Option 3)  The option of simply adding them to our, much too flat, Active Directory is something I'd like to avoid if possible but that's certainly an option as well.

To add additional context, the main office environment is purely Server 2003 (domain level and forest level) so that will need to be taken into consideration as well.

Anyone ever face a similar decision?  Let me know if you need any additional information and I will continue to research on the side.  =)
MegafabTech Asked:
Mike Kline Commented:
Do you trust the admins over on the other side?  The reason I ask is because the forest is the security boundary; if they are in your domain/forest they have access to your AD.

Thanks

Mike
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Option 1)  Set them up as a new forest with a two-way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc.) so let me know if you need more detail regarding our environment.

Question: Are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.

Question: Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead.
Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
MegafabTech (Author) Commented:
Mkline71, I don't necessarily trust the China office.  I'd prefer to keep them as a separate entity as it's more secure and then delegate control to a single admin at a later date (when someone is hired in-house).

GreatVargas:
Are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.
- The plan in the short term (and possibly long term) is to maintain a single Exchange server on our end (within the US).  I agree with the forest being more management overhead so I'm playing tug-of-war with security vs management overhead, it appears.

Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?
- Answered the Exchange question above.  It's not that I don't like option 3, I've just always disliked our flat AD.  Now that I think about it, however, I don't really see much benefit in making them a SUB domain of our current forest.  From what I understand, a sub-domain is primarily for IT management purposes and we've downsized to the point where that really isn't necessary.  I think I've renewed my interest in option 3.

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.
- Agreed.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead. Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
- I wasn't sure if you could set up a second forest to communicate with your forest's Exchange server.  If that's not possible, I believe this would rule out option 1 entirely.


MegafabTech (Author) Commented:
One of the only unanswered questions would be, will a Chinese operating system function perfectly with an English operating system?  I'm referring specifically to a Chinese domain controller communicating with an English forest.
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Regarding the security issue in a sub-domain scenario, you can solve it by giving only domain admin rights (or some other more restricted rights) to only the China sub-domain.

Regarding the language issue, you can have domain controllers in different languages in the same domain without issues.

As far as having a multi-forest environment, see the link to be elucidated about what Exchange 2010 supports:

http://technet.microsoft.com/en-us/library/bb124734.aspx

Hope it helps.
MegafabTech (Author) Commented:
This does help, thank you very much!
MegafabTech (Author) Commented:
Thank you very much for your assistance.  =)