International Project - New Forest + Trust vs Subdomain (with mail server considerations)?

Posted on 2011-03-14
Last Modified: 2012-08-13
Hello all, I just wanted to thank everyone that takes time out of their day to answer my question(s).  It's greatly appreciated.

Context:
I work for a medium-sized business in the manufacturing sector.  Recently, we began going after the Chinese market and have set up a small office of about 20 employees (5 or 6 being sales/service folks that are always traveling).  In the short term, we've contracted IT assistance to help us set up a small workgroup environment with a single file server (Windows 7, Server 2008).  We have a dedicated tunnel from our main office to the China office and they utilize an ERP application via terminal server daily.

We're interested in setting them up on a domain; however, I'm pretty torn between a few options.  The important consideration is we'd like to avoid setting up a mail server for now, as that will increase management overhead and all of the OSes are going to be in Chinese (none of us speak Chinese, much less read it).  The China office has a 10 Mbps connection so e-mail shouldn't take a huge performance hit being based out of our office.  Also, I'd like to easily be able to delegate control to 1 or 2 IT individuals when they are hired on in the not so near future.

Option 1)  Set them up as a new forest with a two-way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc.) so let me know if you need more detail regarding our environment.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.

Option 3)  The option of simply adding them to our, much too flat, Active Directory is something I'd like to avoid if possible but that's certainly an option as well.

To add additional context, the main office environment is purely Server 2003 (domain level and forest level) so that will need to be taken into consideration as well.

Anyone ever face a similar decision?  Let me know if you need any additional information and I will continue to research on the side.  =)
Question by:MegafabTech

Expert Comment

by:Mike Kline
ID: 35129031
Do you trust the admins over on the other side?  The reason I ask is because the forest is the security boundary; if they are in your domain/forest they have access to your AD.

Thanks

Mike

Accepted Solution

by:
GreatVargas earned 2000 total points
ID: 35129042
Option 1)  Set them up as a new forest with a two-way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc.) so let me know if you need more detail regarding our environment.

Question: Are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.

Question: Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead.
Having 2 forests with a trust relationship will imply having 2 Exchange organizations.

Author Comment

by:MegafabTech
ID: 35129153
Mkline71, I don't necessarily trust the China office.  I'd prefer to keep them as a separate entity as it's more secure and then delegate control to a single admin at a later date (when someone is hired in house).

GreatVargas:
Are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting up a new forest won't be a good option. Management overhead will be bigger.
- The plan in the short term (and possibly long term) is to maintain a single Exchange server on our end (within the US).  I agree with the forest being more management overhead so I'm playing tug-of-war with security vs management overhead, it appears.

Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?
- Answered the Exchange question above.  It's not that I don't like option 3, I've just always disliked our flat AD.  Now that I think about it, however, I don't really see much benefit in making them a SUB domain of our current forest.  From what I understand, a sub-domain is primarily for IT management purposes and we've downsized to the point where that really isn't necessary.  I think I've renewed my interest in option 3.

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.
- Agreed.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead. Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
- I wasn't sure if you could set up a second forest to communicate with your forest's Exchange server.  If that's not possible, I believe this would rule out option 1 entirely.

Author Comment

by:MegafabTech
ID: 35129185
One of the only unanswered questions would be, will a Chinese operating system function perfectly with an English operating system?  I'm referring specifically to a Chinese domain controller communicating with an English forest.

Assisted Solution

by:GreatVargas
GreatVargas earned 2000 total points
ID: 35129309
Regarding the security issue in a sub-domain scenario, you can solve it by giving only domain admin rights (or some other, more restricted, rights) to only the China sub-domain.

Regarding the language issue, you can have domain controllers in different languages in the same domain without issues.

As far as having a multi-forest environment, see the link to be elucidated about what Exchange 2010 supports:

http://technet.microsoft.com/en-us/library/bb124734.aspx

Hope it helps
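
Added example, not part of the original thread or of any poster's answer: one way to give a future China office IT group rights that are more restricted than domain admin, by delegating on a single OU with the Server 2003-era command-line tools. The domain corp.example, the OU "China" and the group CORP\China-IT are placeholders.

```bat
@echo off
rem Added example, not from the thread. Placeholders: domain corp.example,
rem OU "China", group CORP\China-IT. Run as a Domain Admin on a machine with
rem dsadd/dsquery/dsget (Server 2003) and dsacls (Server 2003 Support Tools).
set "DOMAIN_DN=DC=corp,DC=example"
set "OU=OU=China,%DOMAIN_DN%"
set "GRP=CORP\China-IT"

rem 1. Container for the China office, plus the group that will manage it.
rem    The group lives outside the OU so its members cannot edit their own group.
dsadd ou "%OU%" -desc "China office"
dsadd group "CN=China-IT,CN=Users,%DOMAIN_DN%" -secgrp yes -scope g -samid China-IT

rem 2. Create and delete user and computer objects, in this OU and below only.
dsacls "%OU%" /I:T /G "%GRP%:CCDC;user"
dsacls "%OU%" /I:T /G "%GRP%:CCDC;computer"

rem 3. Day-to-day account support on existing users: reset passwords,
rem    force a change at next logon (pwdLastSet), unlock accounts (lockoutTime).
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"
dsacls "%OU%" /I:S /G "%GRP%:RPWP;pwdLastSet;user"
dsacls "%OU%" /I:S /G "%GRP%:RPWP;lockoutTime;user"

rem 4. Review: list the ACEs that name the group on the OU, then confirm that
rem    no China office account sits in the domain- or forest-wide admin groups.
dsacls "%OU%" | findstr /i "China-IT"
dsquery group -samid "Domain Admins" | dsget group -members -expand
dsquery group -samid "Enterprise Admins" | dsget group -members -expand
```

OU delegation only limits what the delegated group can do inside one domain; members of Domain Admins and Enterprise Admins keep full control, which is why the forest, not the OU or the domain, is the security boundary raised in the first comment.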

Author Comment

by:MegafabTech
ID: 35129319
This does help, thank you very much!

Author Closing Comment

by:MegafabTech
ID: 35129327
Thank you very much for your assistance.  =)