Solved

Need help designing initial Active Directory for hosting company

Posted on 2011-03-19
Last Modified: 2012-05-11
Hello,

I am trying to design an AD deployment for a hosting company.  This company will basically host other companies' networks virtually using VMware View.  I would like to think I could create a "forest", and then within this forest have many unrelated domains which have a trust relationship with a "master" domain.  In the master domain, I would like to hold all servers necessary for View that can be shared across the domains.  In order for this to work, however, the child domains need to be able to have separate domain names (i.e. xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains.  Users of the underlying child domains should not see users and/or the Exchange server, etc. of any other domain except for the master domain.

Please excuse my use of the language as I am fairly new to AD and am not sure of the exact terminology.  Can anyone explain if this can be accomplished, and if so, how I would go about setting it up initially?  I plan to use Windows 2008 R2 in the master domain.  Thanks!

Question by: electricd7
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35172346

If you create a single forest, which is advised for simplicity, all domains within that forest will trust each other. Two-way transitive trusts are automatically configured between each domain within a forest.

I'm not clear on some things.

You say that "the child domains need to be able to have separate domain names (ie xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains."

The issue with this is that within a forest I can query objects in other domains in the forest because there are transitive trusts that are formed between each domain in a forest.  So, if you want a single forest design with two domains this may not be what you need.

If you want to restrict all users in one domain from accessing resources in another domain then you could consider separate Active Directory forests.

For example, you would have xxy.com in one forest and have abc.com in another forest.

When separate Active Directory forests are deployed there is no automatic trust that is formed between the forests. You have to manually set up the trust path between the forests for resource access depending on who the "trusted" and "trusting" forests are.

Also keep in mind that you can only have one Exchange organization per forest.

I would suggest reading these articles:

Best Practice Active Directory Design
http://technet.microsoft.com/en-us/library/bb727085.aspx

Active Directory Domain Services  2008
http://technet.microsoft.com/en-us/library/cc268216.aspx
0
 

Author Comment

by:electricd7
ID: 35172965
Ok, it sounds like maybe I need separate forests.  Can I set up trusts between a domain in one forest and a domain in a second forest?  Basically what I am trying to do is be able to use servers in forest A to service workstations in forest B without users in forest B knowing that forest A exists.  I am trying to minimize my licensing fees to VMware by setting up a single instance of VirtualCenter which services multiple deployments of workstations which reside in separate domains.  I guess think of it as an office building with 5 separate companies working in it, but sharing a bathroom and/or receptionist.  Is this type of trust relationship available within Active Directory?  Let me know if I can clear things up further; as I mentioned, I am kinda going into AD blindly.

0
 
LVL 8

Accepted Solution

by:
ActiveDirectoryman earned 500 total points
ID: 35173605

Yes, you can.  You can set up a bi-directional or one-way transitive forest trust. As far as users not knowing about forest A, it would be hard to avoid that since you create an authentication trust path between forest A and B and they would have to authenticate against the domain in forest A to access resources.  So I'm assuming that you have or will have 5 separate forests.  You will have one domain per forest, correct?  Please clarify if I am wrong.

If this is the case then you will need to set up a forest trust between every forest.

Check these brief articles:

When to create a forest trust:
http://technet.microsoft.com/en-us/library/cc773010(WS.10).aspx

VMware View and preparing Active Directory (check out chapter 3):
http://www.vmware.com/pdf/view45_installation_guide.pdf

Review these and let me know if you have any questions.
0
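The answer above hinges on which forest is "trusting" and which is "trusted", and on a forest trust being a deliberate, manually created boundary. The script below is an added example, not code from the thread or from VMware/Microsoft: it audits the trusts held by the master forest that hosts the shared View servers and reports anything wider than a hub-and-spoke layout. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT), that it runs on a domain-joined machine in the master forest, that the master forest is the trusting side of each forest trust (tenant users authenticate into it, but master accounts are never used inside a tenant forest), and that the tenant forest names `xyz.com` and `abc.com` are placeholders.

```powershell
# Added example (not from the thread): audit the trusts of the master forest
# against a hub-and-spoke design. Assumes the ActiveDirectory module and that
# the master forest is the trusting side of every forest trust. Tenant names
# below are placeholders for the hosted companies' forests.
Import-Module ActiveDirectory

function Get-TrustFindings {
    param(
        # Placeholder forest names of the hosted companies
        [string[]]$ExpectedTenants = @('xyz.com', 'abc.com')
    )

    $findings = @()
    foreach ($trust in Get-ADTrust -Filter *) {
        $name = $trust.Target

        # Only the known tenant forests should be trusted at all; any other
        # partner is an unplanned trust path into the shared servers.
        if ($ExpectedTenants -notcontains $name) {
            $findings += "$name : trust partner is not in the tenant list"
            continue
        }

        # A forest trust (not an external trust) is what lets the whole tenant
        # forest authenticate here, as the answer describes.
        if (-not $trust.ForestTransitive) {
            $findings += "$name : external trust, expected a forest trust"
        }

        # Tenant users need to authenticate to the master forest, but master
        # accounts have no reason to be usable inside a tenant forest. Seen
        # from the master side that is a one-way Outbound trust (assumption:
        # master is the trusting forest); BiDirectional widens the exposure.
        if ($trust.Direction -ne 'Outbound') {
            $findings += "$name : direction is $($trust.Direction), expected Outbound"
        }

        # Selective authentication limits tenant users to the servers you
        # explicitly grant "Allowed to Authenticate" on, rather than every
        # resource in the master forest.
        if (-not $trust.SelectiveAuthentication) {
            $findings += "$name : selective authentication is off"
        }

        # Forest-aware SID filtering is the default for a forest trust; if it
        # has been relaxed (SID history enabled), a tenant forest could present
        # SIDs that belong to the master forest.
        if (-not $trust.SIDFilteringForestAware) {
            $findings += "$name : SID filtering has been relaxed on this forest trust"
        }
    }
    return $findings
}

# Usage: print one finding per line, or confirm the trusts match the design.
$result = Get-TrustFindings
if ($result.Count -eq 0) { 'Trusts match the hub-and-spoke design' } else { $result }
```

Run it from the master forest after each tenant forest is added; a clean result means every trust is a known, one-way, selectively authenticated forest trust, which is the smallest trust surface that still lets the shared View servers authenticate tenant users.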
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35181612

When the user logs in using the VMware View client they would see the domain that they would be logging into. They will be able to select the domain they want to log in to. So, after you have created the trust, a user from forest B will have access to the domain in forest A.
0
