Jeff Perry
asked on
How to create the proper Hub and Spoke AD Environment
We are currently deploying a hub and spoke WAN topology in our environment. Everything is going well except trying to figure out the AD portion. I have the Hub (Site 1) and two Spokes (Site A and Site B). What is the best way to allow a user in Site A to access a resource (Server, File Share, etc.) in Site B?
I have a trust from Site 1 to Site A and from Site 1 to Site B. I know if I create a domain local group in Site 1 I can add users from Site A into it. Although I cannot access that group from Site B to share the resource, seeing as it is a domain local group in Site 1.
What is the best way to set this up? I know through the VPN tunnels I am able to allow the Site A domain controllers to talk to the Site B domain controllers. If I had to I could create a trust between Site A and Site B, but I wanted to know if there was another way without creating a web of trusts everywhere throughout the organization.
Furthermore, you could install read-only domain controllers on the remote sites, especially if you don't have appropriate IT personnel there.
ASKER
Our environment is quite a bit different. All the Spokes are separate companies, so we are dealing with completely different forests, which is why we need to go through trusts. I am feeling this is going to require more of Sites, Replication, and Universal groups.
You'll need trusts, and you'll be using a combination of global, universal, and domain local groups due to the limitations of each of those. It won't be simple to manage, but if you understand each group type then it will be doable.
ASKER
I was hoping to get a little more info on how to set this up with the appropriate mix of (groups, sites, trusts, etc.). I know I need to use all those resources; I need more info on how those resources should be used. Where do I set up the groups, and which type? Are sites and replication needed? None of those questions were answered.
Google the acronym AGUDLP and watch a couple of YouTube videos on it. That is a common best practice and will help you understand the underlying concepts to help you plan your group strategy.
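The group chain the two answers above describe (global group in the account domain, domain local group in the resource domain, permission on the share), as an added PowerShell example that is not part of this thread. It assumes hypothetical forest names siteA.example and siteB.example, a direct trust between the two spoke forests (forest trusts are not transitive, so the two hub trusts alone do not let Site A reach Site B), the ActiveDirectory module on the admin workstation, and a share on a server FS01 in Site B.

```powershell
# Added example (not from the thread): AGDLP across a forest trust.
# Assumed names: users live in siteA.example, the file share lives on FS01 in siteB.example.
Import-Module ActiveDirectory

$accountDomain  = 'siteA.example'   # trusted domain, where the user accounts live
$resourceDomain = 'siteB.example'   # trusting domain, where the share lives

# A -> G: put the accounts into a GLOBAL group in their own domain.
# A global group can only contain principals from its own domain, but it can be
# granted rights in any domain that trusts that domain.
$g = New-ADGroup -Name 'G-SiteA-ProjectX-Users' -GroupScope Global -GroupCategory Security `
       -Path 'OU=Groups,DC=siteA,DC=example' -Server $accountDomain -PassThru
Add-ADGroupMember -Identity $g -Members 'jdoe', 'asmith' -Server $accountDomain

# DL: create a DOMAIN LOCAL group in the RESOURCE domain. A domain local group can hold
# principals from any trusted domain, but it is only usable inside its own domain,
# which is exactly why a domain local group in Site 1 cannot be used on a Site B share.
$dl = New-ADGroup -Name 'DL-ProjectX-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=siteB,DC=example' -Server $resourceDomain -PassThru

# G -> DL across the trust: reference the foreign group by SID. Writing the member
# attribute with a <SID=...> binding string makes the resource domain create the
# foreignSecurityPrincipal object for it; Add-ADGroupMember cannot resolve the
# foreign name by itself.
$gSid = (Get-ADGroup -Identity 'G-SiteA-ProjectX-Users' -Server $accountDomain).SID.Value
Set-ADGroup -Identity $dl -Add @{ member = "<SID=$gSid>" } -Server $resourceDomain

# DL -> P: grant the domain local group Modify on the share folder. The ACE names
# the resource-domain group only; who actually gets access is managed in Site A.
$sharePath = '\\FS01.siteB.example\D$\Shares\ProjectX'
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'SITEB\DL-ProjectX-Share-Modify', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: the domain local group should now list one foreignSecurityPrincipal member,
# and the ACL should carry exactly the one group-based ACE (no direct user entries).
Get-ADGroupMember -Identity $dl -Server $resourceDomain |
    Select-Object objectClass, SID
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Keep share-level (SMB) permissions at Authenticated Users: Full Control and do all real access control in NTFS through the domain local group, so a review of who can reach the share reduces to reading one group's membership in each forest.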
ASKER
Thank you for the info. I will do some digging to see what I can find. You are saying though that since these are all different domains and forests that the sites and replication are ruled out?
Correct. The boundary is the domain.
Then a simple site to site VPN allows access just as you want.