Solved

Need help designing initial Active Directory for hosting company

Posted on 2011-03-19
5
795 Views
Last Modified: 2012-05-11
Hello,

I am trying to design an AD deployment for hosting company.  This company will basically host other companies networks virtually using VMware View.  I would like to think I could create a "forest", and then within this forest have many unrelated domains which have a trust relationship with a "master" domain.  In the master domain, i would like to hold all servers necessary for view that can be shared across the domains.  In order for this to work, however, the child domains need to be able to have separate domain names (ie xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains.  Users of the underlying child domains should not see users and/or exchange server, etc of any other domain except for the master domain.

Please excuse my use of the language as I am fairly new to AD and am not sure of the exact terminology.  Can anyone explain if this can be accomplished, and if so, how I would go about setting it up initially.  I plan to use Windows 2008 R2 in the master domain.  Thanks!

Question by:electricd7
5 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman

If you create a single forest, which is advised for simplicity, all domains within that forest will trust each other. Two-way transitive trusts are automatically configured between each domain within a forest.

I'm not clear on some things.

You say that "the child domains need to be able to have separate domain names (ie xyz.com and abc.com) and NOT share a global address book or be able to search users in other domains."

The issue with this is that within a forest I can query objects in other domains in the forest because there are transitive trusts formed between each domain in a forest. So, if you want a single forest design with two domains, this may not be what you need.

If you want to restrict all users in one domain from accessing resources in another domain, then you could consider separate Active Directory forests.

For example, you would have xyz.com in one forest and abc.com in another forest.

When separate Active Directory forests are deployed, there is no automatic trust formed between the forests. You have to manually set up the trust path between the forests for resource access, depending on which are the "trusted" and "trusting" forests.

Also keep in mind that you can only have one Exchange organization per forest.

I would suggest reading these articles:

Best Practice Active Directory Design
http://technet.microsoft.com/en-us/library/bb727085.aspx

Active Directory Domain Services  2008
http://technet.microsoft.com/en-us/library/cc268216.aspx
0
 

Author Comment

by:electricd7
OK, it sounds like maybe I need separate forests. Can I set up trusts between a domain in one forest and a domain in a second forest? Basically what I am trying to do is be able to use servers in forest A to service workstations in forest B without users in forest B knowing that forest A exists. I am trying to minimize my licensing fees to VMware by setting up a single instance of VirtualCenter which services multiple deployments of workstations that reside in separate domains. I guess think of it as an office building with 5 separate companies working in it, but sharing a bathroom and/or receptionist. Is this type of trust relationship available within Active Directory? Let me know if I can clear things up further; as I mentioned, I am kind of going into AD blindly.

0
 
LVL 8

Accepted Solution

by:ActiveDirectoryman (earned 500 total points)

Yes, you can. You can set up a bidirectional or one-way transitive forest trust. As far as users not knowing about forest A, it would be hard to avoid that since you create an authentication trust path between forest A and B, and they would have to authenticate against the domain in forest A to access resources. So I'm assuming that you have or will have 5 separate forests. You will have one domain per forest, correct? Please clarify if I am wrong.

If this is the case, then you will need to set up a forest trust between every forest.

Check this brief article:

When to create forest trust:
http://technet.microsoft.com/en-us/library/cc773010(WS.10).aspx


VMware View and preparing Active Directory (check out chapter 3):
http://www.vmware.com/pdf/view45_installation_guide.pdf

Review these and let me know if you have any questions.
0
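A way to script the hosting-forest half of what the accepted answer describes, as an added example that is not from this thread: it creates a one-way forest trust with the .NET System.DirectoryServices.ActiveDirectory Forest class and turns on the two settings a defender wants on a trust to an unrelated tenant, SID filtering and selective authentication. It assumes it runs on a domain controller of the hosting forest with Enterprise Admin rights; the forest name `tenant-b.example` and the trust password are placeholders.

```powershell
# Added example (not from the thread). Runs on a DC of the hosting forest with
# Enterprise Admin rights; 'tenant-b.example' and the password are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function New-TenantForestTrust {
    param(
        [Parameter(Mandatory)] [string] $TenantForest,
        [Parameter(Mandatory)] [string] $TrustPassword
    )
    $hosting = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # One-way trust only: the hosting forest trusts the tenant forest, so tenant
    # accounts can authenticate to the shared View/vCenter servers, while hosting
    # accounts get no path into the tenant forest. In this .NET API "Inbound"
    # means "the other forest's users are granted access to this forest".
    $hosting.CreateLocalSideOfTrustRelationship(
        $TenantForest,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
        $TrustPassword)

    # SID filtering (quarantine) drops SIDs from outside the tenant forest in the
    # tenant's tokens, so SIDHistory cannot be used to claim hosting-forest groups.
    $hosting.SetSidFilteringStatus($TenantForest, $true)

    # Selective authentication: tenant users can only authenticate to hosting
    # computers whose ACL explicitly grants them "Allowed to Authenticate", which
    # keeps one tenant from reaching another tenant's resources through the hub.
    $hosting.SetSelectiveAuthenticationStatus($TenantForest, $true)
}

function Test-TenantForestTrust {
    param([Parameter(Mandatory)] [string] $TenantForest)
    $hosting = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $trust = $hosting.GetTrustRelationship($TenantForest)
    [pscustomobject]@{
        Tenant        = $TenantForest
        Direction     = $trust.TrustDirection
        OneWay        = ($trust.TrustDirection -ne 'Bidirectional')
        SidFiltering  = $hosting.GetSidFilteringStatus($TenantForest)
        SelectiveAuth = $hosting.GetSelectiveAuthenticationStatus($TenantForest)
    }
}

# The tenant side creates its matching half (direction Outbound, same password)
# from a DC in tenant-b.example before the trust becomes usable.
New-TenantForestTrust -TenantForest 'tenant-b.example' -TrustPassword 'PLACEHOLDER-trust-pw'
Test-TenantForestTrust -TenantForest 'tenant-b.example'
```

Repeat the pair once per tenant forest; the report from `Test-TenantForestTrust` is the check to rerun after any trust change, since a trust that drifts to bidirectional or loses SID filtering undoes the isolation the question asks for.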
 
LVL 8

Expert Comment

by:ActiveDirectoryman
When the user logs in using the VMware View client, they would see the domain they would be logging into. They will be able to select the domain they want to log in to. So, after you have created the trust, a user from forest B will have access to the domain in forest A.
0
