Solved

Need help designing initial Active Directory for hosting company

Posted on 2011-03-19
814 Views
Last Modified: 2012-05-11
Hello,

I am trying to design an AD deployment for a hosting company. This company will basically host other companies' networks virtually using VMware View. I would like to think I could create a "forest", and then within this forest have many unrelated domains which have a trust relationship with a "master" domain. In the master domain, I would like to hold all servers necessary for View that can be shared across the domains. In order for this to work, however, the child domains need to be able to have separate domain names (i.e. xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains. Users of the underlying child domains should not see users and/or Exchange servers, etc. of any other domain except for the master domain.

Please excuse my use of the language, as I am fairly new to AD and am not sure of the exact terminology. Can anyone explain if this can be accomplished, and if so, how I would go about setting it up initially? I plan to use Windows 2008 R2 in the master domain. Thanks!

Question by:electricd7
5 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35172346

If you create a single forest, which is advised for simplicity, all domains within that forest will trust each other. Two-way transitive trusts are automatically configured between each domain within a forest.

I'm not clear on some things.

You say that "the child domains need to be able to have separate domain names (i.e. xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains."

The issue with this is that within a forest I can query objects in other domains in the forest because there are transitive trusts that are formed between each domain in a forest. So, if you want a single forest design with two domains, this may not be what you need.

If you want to restrict all users in one domain from accessing resources in another domain, then you could consider separate Active Directory forests.

For example, you would have xyz.com in one forest and have abc.com in another forest.

When separate Active Directory forests are deployed, there is no automatic trust that is formed between the forests. You have to manually set up the trust path between the forests for resource access, depending on who the "trusted" and "trusting" forests are.

Also keep in mind that you can only have one Exchange organization per forest.

I would suggest reading these articles:

Best Practice Active Directory Design
http://technet.microsoft.com/en-us/library/bb727085.aspx

Active Directory Domain Services  2008
http://technet.microsoft.com/en-us/library/cc268216.aspx

Author Comment

by:electricd7
ID: 35172965
Ok, it sounds like maybe I need separate forests. Can I set up trusts between a domain in one forest and a domain in a second forest? Basically what I am trying to do is be able to use servers in forest A to service workstations in forest B without users in forest B knowing that forest A exists. I am trying to minimize my licensing fees to VMware by setting up a single instance of VirtualCenter which services multiple deployments of workstations which reside in separate domains. I guess think of it as an office building with 5 separate companies working in it, but sharing a bathroom and/or receptionist. Is this type of trust relationship available within Active Directory? Let me know if I can clear things up further; as I mentioned, I am kind of going into AD blindly.

LVL 8

Accepted Solution

by: ActiveDirectoryman (earned 500 total points)
ID: 35173605

Yes, you can. You can set up a bi-directional or one-way transitive forest trust. As far as users not knowing about forest A, it would be hard to avoid that, since you create an authentication trust path between forest A and B and they would have to authenticate against the domain in forest A to access resources. So I'm assuming that you have or will have 5 separate forests. You will have one domain per forest, correct? Please clarify if I am wrong.

If this is the case, then you will need to set up a forest trust between every forest.

Check these brief articles:

When to create forest trust:
http://technet.microsoft.com/en-us/library/cc773010(WS.10).aspx


VMware View and preparing Active Directory (check out chapter 3):
http://www.vmware.com/pdf/view45_installation_guide.pdf


Review these and let me know if you have any questions.
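Once the forest trusts from the accepted solution are in place, the thing to verify from the hosting forest is that each customer trust is actually a forest trust, is no wider than needed (one-way, selective authentication) and still has SID filtering in force, since those settings are what keep one customer's accounts from reaching another customer's resources through the shared forest. The PowerShell below is an added example written for this thread, not code from the thread or from Microsoft; the forest names and the sample trust list are constructed placeholders, and the bit values are the documented trustAttributes flags from MS-ADTS. `Get-ADTrust` is the real ActiveDirectory-module cmdlet (available on Windows Server 2008 R2 with the RSAT AD module); `Test-HostingTrust` is a helper defined here.

```powershell
# Added example (not from the thread). Audits the trusts held by the hosting forest's
# root domain and flags the settings that would let a customer forest see or reach
# more than the shared View/vCenter servers. Bit values: trustAttributes, MS-ADTS.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # the trust is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication is enabled
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of one forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed

function Test-HostingTrust {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Direction,      # Inbound, Outbound or BiDirectional
        [Parameter(Mandatory)][int]$TrustAttributes
    )
    $findings = @()
    $isForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

    if (($TrustAttributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0) {
        # Another domain of the same forest: every domain in the forest can query it,
        # which is exactly the sharing the question wants to avoid between customers.
        $findings += "intra-forest trust: a customer domain must live in its own forest"
        return $findings
    }
    if (-not $isForest) {
        $findings += "external (domain-level) trust, not a forest trust"
    }
    if ($Direction -eq 'BiDirectional') {
        # The shared servers only need to accept customer accounts; a customer forest
        # has no reason to accept accounts from the hosting forest.
        $findings += "two-way trust: a one-way trust toward the hosting forest is enough"
    }
    if (($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -eq 0) {
        # Without selective authentication every user of the trusted forest is
        # 'Authenticated Users' on every server in the trusting forest.
        $findings += "selective authentication off: grant 'Allowed to Authenticate' per shared server"
    }
    if ($isForest -and (($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0)) {
        $findings += "SID filtering relaxed (treat-as-external): SID history from that forest is honoured"
    }
    if (-not $isForest -and (($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0)) {
        $findings += "SID filtering (quarantine) disabled on external trust"
    }
    return $findings
}

# Constructed sample standing in for what Get-ADTrust returns on the hosting forest root.
$sampleTrusts = @(
    @{ Name = 'abc.com';     Direction = 'Outbound';      TrustAttributes = 0x08 -bor 0x10 }  # forest trust, selective auth: ok
    @{ Name = 'xyz.com';     Direction = 'BiDirectional'; TrustAttributes = 0x08 }            # two-way, forest-wide auth
    @{ Name = 'old.example'; Direction = 'Outbound';      TrustAttributes = 0x00 }            # external trust, no quarantine
)
foreach ($t in $sampleTrusts) {
    $f = Test-HostingTrust -Name $t.Name -Direction $t.Direction -TrustAttributes $t.TrustAttributes
    "{0}: {1}" -f $t.Name, $(if ($f) { $f -join '; ' } else { 'ok' })
}

# Against a live hosting forest (run on a DC or RSAT host with the ActiveDirectory module):
# Import-Module ActiveDirectory
# Get-ADTrust -Filter * | ForEach-Object {
#     "{0}: {1}" -f $_.Name, (Test-HostingTrust -Name $_.Name -Direction "$($_.Direction)" -TrustAttributes $_.TrustAttributes)
# }
```

The sample run flags xyz.com (two-way and no selective authentication) and old.example (external trust with quarantine off) and reports abc.com as ok. The check treats the hosting forest as the trusting side, which matches the thread's layout of shared servers in forest A serving users from forest B; if a customer forest also needs to trust the hosting forest for some reason, the two-way finding is informational rather than a defect.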
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35181612

When the user logs in using the VMware View client, they would see the domain that they would be logging into. They will be able to select the domain they want to log in to. So, after you have created the trust, users from forest B will have access to the domain in forest A.