We have a forest of about 15 sites. Now for 1 site, i'd like to give them access only to that domain/AD as an admin.
Active Directory domains in a forest should never be deployed with the objective of isolating business units that do not trust each other.
Ok i would prob just need DHCP/DNS/AD delegated to one location.
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent
Refer to the formal definitions at TechNet; the definitions below are colloquial descriptions and not intended to match the formal documented definitions for each term.
"Domains" in Active Directory typically represent distinct organisation / management units. There can be multiple domains within a forest, which typically mutually trust each other (for some definition of "trust"). Each domain has a notion of a "Domain Admin" and similar, which is responsible for objects within that domain. The forest has a "forest root" domain, in which an "Enterprise Admin" can be found with privileges over the whole forest.
Additionally, you might have multiple forests, with explicit trusts between them. This is the "logical" view of the environment, intended to capture organisational structure, management hierarchies, etc.
You would know if you have multiple domains, one for each location. If not, you can always bring up Active Directory Domains and Trusts to find out.
Sites refers a separate concept regarding the connectivity between the DCs in your environment -- the "physical" topology of the forest. This provides hints to Active Directory which assist in the generation of schedules and connectors for replication of data between Domain Controllers; typically, you would split into sites where multiple locations are connected by slow links, and group objects interconnected by fast links within a single site.
Each site is identified by one or more subnet objects; workstations and member servers match their IP address with the site configuration to determine which site they are in. Domain Controllers must be manually assigned to sites.
Properly configured resource location will subsequently use this information to prefer DCs local (rather than crossing a VPN link to another country, say), while replication might run on a reduced schedule between poorly connected sites.
So -- do you have multiple "sites", multiple "domains" in a single forest, or both?
Multiple sitesIf you have multiple sites within a single domain, then your request is somewhat difficult because there is no notion of permissions or delegation of control at the physical level; you have a single domain, and therefore a single container replicated among multiple sites representing a single administrative domain. The separation into sites merely advises Active Directory of the topology over which the DCs are deployed, without intending to provide the facility to logically identify which objects (users, computers, groups, etc.) belong to each location and delegate control for that location.
In this instance, you will typically want local techs to manage machines and user accounts local to them. In smaller cases, you might split each site into separate Organizational Units (OUs) and use Delegation of Control to grant the tech(s) for each site the relevant permissions to manage objects in their site's OU. The techs should not have Domain Admin, Enterprise Admin or any other specialist groups granted, since this gives them control over the entire domain / forest.
It would be most unusual for a company to deploy multiple domains for each location; the above solution is normally satisfactory, and is strongly recommended unless there is a valid overriding reason why the complexity of multiple domains is required.
Multiple domainsIn the case of multiple domains, hopefully this represents one domain per site. This was a popular configuration on NT4 systems (due to its differing AD implementation imposing limitations), but has gone away now that AD is better able to run a single domain across multiple sites efficiently and reliably.
For multiple domains, local techs are simply granted Domain Admin rights (or whatever rights you wish to provide) in the domain for their site. They are granted NO PERMISSIONS in the forest root domain, in particular NOT "Enterprise Admin".
However, do remember that the forest is the security boundary, not the domain. Quoting from that link:
MixtureIf you have a mixture, you have the necessary substrate to simply follow the "multiple domains" approach and configure permissions accordingly. The sites configuration is a non-starter because it cannot be used for logical delegation of control.