Solved

International Project - New Forest + Trust vs Subdomain (with mail server considerations)?

Posted on 2011-03-14
Last Modified: 2012-08-13
Hello all, I just wanted to thank everyone that takes time out of their day to answer my question(s).  It's greatly appreciated.

Context:
I work for a medium-sized business in the manufacturing sector.  Recently, we began going after the Chinese market and have set up a small office of about 20 employees (5 or 6 being sales/service folks that are always traveling).  In the short term, we've contracted IT assistance to help us set up a small workgroup environment with a single file server (Windows 7, Server 2008).  We have a dedicated tunnel from our main office to the China office and they utilize an ERP application via terminal server daily.

We're interested in setting them up on a domain, however, I'm pretty torn between a few options.  The important consideration is we'd like to avoid setting up a mail server for now, as that will increase management overhead and all of the OSes are going to be in Chinese (none of us speak Chinese much less read it).  The China office has a 10 Mbps connection so e-mail shouldn't take a huge performance hit being based out of our office.  Also, I'd like to easily be able to delegate control to 1 or 2 IT individuals when they are hired on in the not so near future.

Option 1)  Set them up as a new forest with a two way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc) so let me know if you need more detail regarding our environment.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.  

Option 3)  The option of simply adding them to our, much too flat, Active Directory is something I'd like to avoid if possible but that's certainly an option as well.

To add additional context, the main office environment is purely Server 2003 (domain level and forest level) so that will need to be taken into consideration as well.

Anyone ever face a similar decision?  Let me know if you need any additional information and I will continue to research on the side.  =)
Question by:MegafabTech
LVL 57

Expert Comment

by:Mike Kline
ID: 35129031
Do you trust the admins over on the other side?  The reason I ask is because the forest is the security boundary, if they are in your domain/forest they have access to your AD.

Thanks

Mike
0
 
LVL 15

Accepted Solution

by:
GreatVargas earned 500 total points
ID: 35129042
Option 1)  Set them up as a new forest with a two way trust.  I'm hoping an Exchange guru can tell me if this will cause any conflict with our mail server.  If e-mail works seamlessly between the two forests, this seems like a viable solution.  I have limited experience working with e-mail (domain registrars, mail servers, etc) so let me know if you need more detail regarding our environment.

Question: are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting a new forest won't be a good option. Management overhead will be bigger.

Option 2) Set them up as a sub-domain within our forest.  Assuming the language has no effect on interoperability, this option may work great.  That way everything is within the same forest.   I'm also not sure how operating systems of different languages inter-operate.  I imagine there wouldn't be any problems but I haven't been able to find much online.

Question: assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead.
Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
0
 

Author Comment

by:MegafabTech
ID: 35129153
Mkline71, I don't necessarily trust the China office.  I'd prefer to keep them as a separate entity as it's more secure and then delegate control to a single admin at a later date (when someone is hired in house).

GreatVargas:
Are you planning to have one Exchange on the Chinese forest, or just use the Exchange that you have on yours? Anyway, as far as my opinion can get, if the company is the same, setting a new forest won't be a good option. Management overhead will be bigger.
- The plan in the short term (and possibly long term) is to maintain a single Exchange server on our end (within the US).  I agree with the forest being more management overhead so I'm playing tug-of-war with security vs management overhead it appears.

Assuming that you don't like option 3, then option 2 is the best, and you can use your Exchange server to host the 20 employees of China. Once again my question is, will China have one dedicated Exchange server?
- Answered the Exchange question above.  It's not that I don't like option 3, I've just always disliked our flat AD.  Now that I think about it, however, I don't really see much benefit in making them a SUB domain of our current forest.  From what I understand, a sub-domain is primarily for IT management purposes and we've downsized to the point where that really isn't necessary.  I think I've renewed my interest in option 3.  

Option 3 can also be a good option, to add a domain controller in China, for local logins, in the same domain.
- Agreed.

Within the same forest you can have only one Exchange organization, and that can reduce the administrative overhead. Having 2 forests with a trust relationship will imply having 2 Exchange organizations.
- I wasn't sure if you could set up a second forest to communicate with your forest's Exchange server.  If that's not possible, I believe this would rule out option 1 entirely.


0

 

Author Comment

by:MegafabTech
ID: 35129185
One of the only unanswered questions would be, will a Chinese operating system function perfectly with an English operating system?  I'm referring specifically to a Chinese domain controller communicating with an English forest.
0
 
LVL 15

Assisted Solution

by:GreatVargas
GreatVargas earned 500 total points
ID: 35129309
Regarding the security issue in a sub-domain scenario, you can solve it by giving only domain admin rights (or some other more restricted rights) to only the China sub-domain.

Regarding the language issue, you can have domain controllers in different languages in the same domain without issues.

As far as having a multi-forest environment, see the link to be elucidated about what Exchange 2010 supports:

http://technet.microsoft.com/en-us/library/bb124734.aspx

Hope it helps
0
 

Author Comment

by:MegafabTech
ID: 35129319
This does help, thank you very much!
0
 

Author Closing Comment

by:MegafabTech
ID: 35129327
Thank you very much for your assistance.  =)
0


Question has a verified solution.
