Need help designing initial Active Directory for hosting company

Posted on 2011-03-19
Last Modified: 2012-05-11
Hello,

I am trying to design an AD deployment for a hosting company. This company will basically host other companies' networks virtually using VMware View. I would like to think I could create a "forest", and then within this forest have many unrelated domains which have a trust relationship with a "master" domain. In the master domain, I would like to hold all servers necessary for View that can be shared across the domains. In order for this to work, however, the child domains need to be able to have separate domain names (i.e. xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains. Users of the underlying child domains should not see users and/or Exchange servers, etc., of any other domain except for the master domain.

Please excuse my use of the language, as I am fairly new to AD and am not sure of the exact terminology. Can anyone explain if this can be accomplished, and if so, how I would go about setting it up initially? I plan to use Windows 2008 R2 in the master domain. Thanks!

Question by:electricd7
5 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35172346

If you create a single forest, which is advised for simplicity, all domains within that forest will trust each other. Two-way transitive trusts are automatically configured between each domain within a forest.

I'm not clear on some things.

You say that "the child domains need to be able to have separate domain names (ie xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains."

The issue with this is that within a forest I can query objects in other domains in the forest because there are transitive trusts that are formed between each domain in a forest. So, if you want a single forest design with two domains, this may not be what you need.

If you want to restrict all users in one domain from accessing resources in another domain, then you could consider separate Active Directory forests.

For example, you would have xxy.com in one forest and have abc.com in another forest.

When separate Active Directory forests are deployed, there is no automatic trust that is formed between the forests. You have to manually set up the trust path between the forests for resource access, depending on who the "trusted" and "trusting" forests are.

Also keep in mind that you can only have one Exchange organization per forest.

I would suggest reading these articles:

Best Practice Active Directory Design
http://technet.microsoft.com/en-us/library/bb727085.aspx

Active Directory Domain Services  2008
http://technet.microsoft.com/en-us/library/cc268216.aspx

Author Comment

by:electricd7
ID: 35172965
OK, it sounds like maybe I need separate forests. Can I set up trusts between a domain in one forest and a domain in a second forest? Basically what I am trying to do is be able to use servers in forest A to service workstations in forest B without users in forest B knowing that forest A exists. I am trying to minimize my licensing fees to VMware by setting up a single instance of VirtualCenter which services multiple deployments of workstations which reside in separate domains. I guess think of it as an office building with 5 separate companies working in it, but sharing a bathroom and/or receptionist. Is this type of trust relationship available within Active Directory? Let me know if I can clear things up further; as I mentioned, I am kinda going into AD blindly.

LVL 8

Accepted Solution

by: ActiveDirectoryman (earned 2000 total points)
ID: 35173605

Yes, you can. You can set up a bi-directional or one-way transitive forest trust. As far as users not knowing about forest A, it would be hard to avoid that, since you create an authentication trust path between forest A and B and they would have to authenticate against the domain in forest A to access resources. So I'm assuming that you have or will have 5 separate forests. You will have one domain per forest, correct? Please clarify if I am wrong.

If this is the case, then you will need to set up a forest trust between every forest.

Check this brief article:

When to create a forest trust:
http://technet.microsoft.com/en-us/library/cc773010(WS.10).aspx


VMware View and preparing Active Directory.
Check out chapter 3.
http://www.vmware.com/pdf/view45_installation_guide.pdf


Review these and let me know if you have any questions.
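The one-way forest trust the accepted answer describes, scripted from forest A with the .NET System.DirectoryServices.ActiveDirectory API (an added example, not code from the thread or from Microsoft's guides). The forest name abc.com, the credential prompt and the "run as Enterprise Admin in forest A" setup are assumptions; the selective-authentication step is an extra hardening that the thread does not mention, limiting which forest A servers hosted users can authenticate to.

```powershell
# Added example: make the shared "master" forest (forest A, the one this script runs in)
# trust one hosted customer forest (forest B), then restrict and verify the trust.
# Assumptions: run as Enterprise Admin on a DC in forest A, DNS resolution between the
# forests already works, and abc.com is a hosted forest (constructed name).

Add-Type -AssemblyName System.DirectoryServices
$adNs = 'System.DirectoryServices.ActiveDirectory'

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$targetName  = 'abc.com'                                                    # forest B (assumed)
$targetCred  = Get-Credential -Message "Enterprise Admin credential for $targetName"

# Bind to forest B with explicit credentials; creating a trust needs admin rights on both sides.
$ctx = New-Object "$adNs.DirectoryContext" -ArgumentList 'Forest', $targetName,
           $targetCred.UserName, $targetCred.GetNetworkCredential().Password
$targetForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Outbound from forest A means forest A trusts forest B: forest B users can reach the
# shared View/VirtualCenter servers in A, while forest A users get nothing in forest B.
# Use Bidirectional instead only if A's accounts genuinely need resources in B.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
$localForest.CreateTrustRelationship($targetForest, $direction)

# Selective authentication (hardening not discussed in the thread): forest B users can
# only authenticate to forest A computers that explicitly grant them "Allowed to Authenticate",
# so a hosted tenant sees the shared View servers and nothing else in the master forest.
$localForest.SetSelectiveAuthenticationStatus($targetForest, $true)

# Verify the secure channel for this direction; throws if the trust is not usable.
$localForest.VerifyTrustRelationship($targetForest, $direction)

# Audit every trust forest A holds, with direction and type (repeat per hosted forest).
$localForest.GetAllTrustRelationships() |
    Select-Object SourceName, TargetName, TrustDirection, TrustType
```

Run the same script once per hosted forest; each customer forest then trusts nothing but its own domain, and only forest A holds a trust entry for every tenant.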
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35181612

When the user logs in using the VMware View client, they would see the domain that they would be logging into. They will be able to select the domain they want to log in to. So, after you have created the trust, a user from forest B will have access to the domain in forest A.