PC Review



What is the best way to administer two separate forests?

 
 
Sam
      15th May 2004
Hi,

We're in a situation where we will be in charge of at least one other
network within the same building. We want to keep our Windows 2003
domain/forest completely separate and independent with its own subnet
10.1.x.x and ISA Server but we have to do 2 things:

1. Maintain our client's network so we need to be able to get into their
network w/ admin rights whenever we need to. As a matter of fact, their
equipment will physically be in our office. They have their own Windows 2000
forest, subnet -- 10.10.x.x -- and ISA Server, etc.

2. Use their router and T1s for our Internet connection as well. So the
outside IPs of our ISA Server and their ISA Server will be in the same
subnet.

What is the best and most cost effective way to set this up?

Thanks

Sam


 
Steven Umbach
      16th May 2004
Since the equipment will be in your office it would make sense to have a domain
computer for their domain available to you connected to their subnet. Just make
sure that it is hardened and physically secured to some degree as you will be
logging onto it with domain admin credentials. You could configure that computer
to access one of their domain controllers using Terminal Services remote
administration or installing Adminpak on that computer to administer the domain.
Another option would be to use one of your computers to use TS remote
administration to access their domain through the ISA servers, though that would
require configuration on their end to allow port 3389 access to the proper
computer on their LAN. It would also open a hole in their firewall unless they
have a VPN connection you can go through. I would not recommend opening port
3389 on their end unless you configure their firewall to only accept port 3389
connections from your public IP address in order to reduce hacking attempts.


Should be no problem using their router and internet access. The ISA servers
will not allow uninitiated inbound access to each others public IP address
unless they are configured to allow it. --- Steve
 
Sam
      16th May 2004
We're also going to be maintaining our client's Exchange, SQL and some other
apps.

So we need to get into their network and do things comfortably. What do you
think is the best way for us to almost live in their network? I guess we could
keep a workstation in their network that we can physically use.

Just trying to figure out the most effective and comfortable way to handle
this.

Thanks,

Sam

 
Steven L Umbach
      16th May 2004
Hi Sam.

I think it makes sense to have a workstation on their domain/network. You bring up
the point about separate forests/subnets which tells me you probably don't want to go
into creating trusts between the forests, etc. The workstation does not need to be
fancy and you could share another monitor/keyboard/mouse from another computer via a
KVM switch if you want to save some space and money. If you go that route, I would
consider allowing only those who should administer the other domain to log on to it
using security policy user rights assignment - log on locally. --- Steve
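The lockdown Steve describes for the shared admin workstation on the client's subnet, as an added example that is not part of either poster's text: inbound RDP accepted from one remote address only, and interactive logon limited to a named group through the "log on locally" user right he mentions. It assumes a current Windows host firewall on the workstation (standing in for the ISA rule he has in mind, since those cmdlets did not exist on Windows 2000/2003), a group CLIENT\ClientAdmins and a source address 203.0.113.10; all three are assumptions, not values from the thread.

```powershell
# Added example (not from the thread): lock down the shared admin workstation
# that sits on the client's subnet. Run elevated on that workstation.
# Assumptions: the host firewall is the built-in Windows Firewall, the only
# source allowed to reach RDP is 203.0.113.10 (the other office's public IP),
# and CLIENT\ClientAdmins is the group that may log on interactively.
$AllowedRdpSource = '203.0.113.10'
$AdminGroup       = 'CLIENT\ClientAdmins'

# 1. Replace the stock "Remote Desktop" allow rules (any source) with one
#    rule scoped to a single remote address.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Remove-NetFirewallRule  -DisplayName 'RDP from partner office only' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP from partner office only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedRdpSource -Action Allow -Profile Domain,Private | Out-Null

# The scoped rule only means something if the inbound default is Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Limit "Log on locally" and "Allow log on through Remote Desktop" to
#    Administrators plus the named group. secedit REPLACES the whole right,
#    so Administrators (*S-1-5-32-544) must be listed or you lock yourself out.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,$AdminGroup
SeRemoteInteractiveLogonRight = *S-1-5-32-544,$AdminGroup
"@
$infPath = Join-Path $env:TEMP 'logon-rights.inf'
$dbPath  = Join-Path $env:TEMP 'logon-rights.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# 3. Verify what actually took effect: the two rights and the rule's scope.
$effective = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $effective /areas USER_RIGHTS /quiet
Select-String -Path $effective -Pattern 'SeInteractiveLogonRight|SeRemoteInteractiveLogonRight'
Get-NetFirewallRule -DisplayName 'RDP from partner office only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The verification step matters more than the configuration step: if the exported INF still shows Users or Everyone on SeInteractiveLogonRight, the policy did not apply (a domain GPO that sets the same right will override this local setting on the next refresh, so set it in the GPO that targets this machine if one exists).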
 
Sam
      16th May 2004
Hi Steve,

First, thanks for your responses. I appreciate you taking the time to answer
my questions.

Now that you mentioned a trust relationship, it actually makes sense to do
that. We are very intimate with our client. We also do a lot of application
development and SQL Server management for them.

So it's very important for us to be comfortable while we work. For example,
our SQL Server guy should be able to access our client's SQL Server using
his workstation. He should be able to just use SQL Server Enterprise Manager
to pull up client's SQL Server and be able to create tables, etc.

Same thing applies to everyone in my company. We also manage our client's
Exchange server. We even do data entry for them. Like I said, the goal is to
keep our network separate AND protected but in the meantime, certain
individuals in my company/network should be able to tap into the client's
network and network resources i.e. Exchange, SQL Server, applications, etc.
for them to be able to do their work.

Do you think a one-way trust relationship is the way to go? What about
routing? Again, physically, we are in the same building, same wiring, same
switches. We will just have a separate logical network with a separate
forest. How would we tap into our client's network in a one way trust
relationship scenario? For instance, how would the SQL guy see our client's
SQL Server in his Enterprise Manager if he's on a separate
domain/forest/subnet considering that our client's domain/forest trusts our
domain/forest?

Thanks for your help Steve.

Sam

 
Steven L Umbach
      16th May 2004
Hi Sam.

If you are going to have a number of users require access to the other forest, then
yes a one way trust would make sense where you are the trusted domain and they are
the trusting domain. I hesitate to recommend the best way to interconnect your
networks without having more experience on that end with larger networks. You may
want to post in the win2000.ras_routing newsgroup and win2000.active_directory for
more opinions on that. Usually a router [possibly a Windows box with two NICs] would
be the solution interconnecting the internal LANs but since you say you are using
switches/logical networks there may be an easier way or even through the ISA servers
since you are on the same external subnet. Gateways will have to be configured on
clients/routers possibly so that traffic to the other domain gets sent there and back
and not out to the internet router.

Setting up the trust will require that the domains have DNS name resolution between
them with either the use of "stub" zones or your DNS servers in each domain also
being secondary DNS servers for the opposite domain. If you are using WINS for
network browsing, then configure the WINS servers to be replication partners with the
WINS servers in the other domain and make sure the domain controllers are also WINS
clients. After the trust is set up you can add the appropriate users from your domain
to the appropriate groups in the other domain. The links below may be helpful on
setting up trusts and you may also try an LMHOSTS file for domain authentication if
you have trouble establishing the trust. --- Steve


http://www.microsoft.com/resources/d...tandTrusts.asp
http://tinyurl.com/2nbaf --- same link as above in case of wrap
http://support.microsoft.com/default...b;en-us;180094 -- lmhosts
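The trust, name resolution, routing and resource-side grants from Steve's answer, worked through as an added example that is not part of his post. The two subnets are the ones Sam gave; every other name and address is an assumption: our forest ours.local with its DC/DNS at 10.1.0.10, the client's forest client.local with its DC/DNS at 10.10.0.10, an interconnect router interface 10.1.0.1 on our subnet, the client's SQL host CLSQL01, and our SQL administrator OURS\jdoe. It uses the native tools of the era (dnscmd, netdom, nltest, route, osql) driven from PowerShell; each step says where it has to be run.

```powershell
# Added example (not from the thread). One-way EXTERNAL trust: the client's
# Windows 2000 forest (trusting) trusts our Windows 2003 forest (trusted),
# plus the DNS, routing and resource-side grants that go with it.
# Every name/address below is an assumption except the two subnets.
$OurDomain    = 'ours.local';   $OurDns    = '10.1.0.10'    # our DC/DNS
$ClientDomain = 'client.local'; $ClientDns = '10.10.0.10'   # their DC/DNS
$Router       = '10.1.0.1'      # interconnect router's interface on 10.1.x.x
$SqlHost      = 'CLSQL01'       # SQL Server box in the client's forest
$SqlAdmin     = 'OURS\jdoe'     # our SQL administrator, an account in OUR forest

# 1. Name resolution, both directions (run as a DNS admin of each server).
#    Windows 2003 DNS can hold a stub zone for client.local; Windows 2000
#    DNS has no stub zones, so their server gets a secondary zone for
#    ours.local. Both forms need zone transfer permitted to the peer first.
dnscmd $OurDns    /ZoneResetSecondaries $OurDomain    /SecureList $ClientDns
dnscmd $ClientDns /ZoneResetSecondaries $ClientDomain /SecureList $OurDns
dnscmd $OurDns    /ZoneAdd $ClientDomain /Stub      $ClientDns
dnscmd $ClientDns /ZoneAdd $OurDomain    /Secondary $OurDns

# 2. Routing. A host on 10.1.x.x whose default gateway is our ISA server
#    needs 10.10.x.x sent to the interconnect router, not out to the
#    internet. Persistent route, run on one of our workstations (if the ISA
#    box itself does the routing, $Router is its internal address instead):
route -p add 10.10.0.0 mask 255.255.0.0 $Router

# 3. The trust. netdom's argument order is: netdom trust <trusting> /d:<trusted>.
#    No /Twoway, so only their side trusts ours. No /Forest, because a
#    Windows 2000 forest cannot take part in a forest trust; this is an
#    external (domain-to-domain) trust. '*' makes netdom prompt for each password.
netdom trust $ClientDomain /d:$OurDomain /add `
    /UserD:"$OurDomain\Administrator"    /PasswordD:* `
    /UserO:"$ClientDomain\Administrator" /PasswordO:*

# 4. Verify from the trusting side before handing out any access.
netdom trust $ClientDomain /d:$OurDomain /verify
nltest /server:$ClientDns /trusted_domains     # their DC should list ours.local
nltest /server:$ClientDns /dsgetdc:$OurDomain  # and be able to locate our DCs

# 5. Grants live on the resource side only; nothing in our forest changes.
#    Run on CLSQL01 as a client-domain admin who is already sysadmin there:
net localgroup 'Remote Desktop Users' $SqlAdmin /add
osql -S $SqlHost -E -Q "EXEC sp_grantlogin '$SqlAdmin'; EXEC sp_addsrvrolemember '$SqlAdmin', 'sysadmin'"
```

Two things the direction of the trust buys you: the client's domain never has to know our passwords (authentication for OURS\jdoe is still done by our DCs), and nothing in our forest grants their accounts anything, which is the "separate AND protected" property Sam is after. The sysadmin grant at the end is the broad option; if a user only needs to create tables in one database, sp_grantlogin plus db_owner (or a narrower database role) on that database is the least-privilege form.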
 
Sam
      16th May 2004
Hi Steve,

Thanks for the detailed answers. I do like the idea of using ISA boxes for
routing purposes also. I'll post some questions on ISA newsgroups also. This
would eliminate the need for a separate router or Windows box that acts as a
router.

I got a lot of ideas from your responses and do appreciate your help very
much. Thanks so much.

Sam
 
Steven Umbach
      17th May 2004
Hi Sam.

OK. I have not spent much time with ISA, but you might want to look into the
possibility of configuring the ISA servers to have an IPsec tunnel between the
two networks/domains and whether or not that would be feasible. Good luck. ---
Steve

"Sam" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve,
>
> Thanks for the detailed answers. I do like the idea of using ISA boxes for
> routing purposes also. I'll post some questions on ISA newsgroups also. This
> would eliminate the need for a separate router or Windows box that acts as a
> router.
>
> I got a lot of ideas from your responses and do appreciate your help very
> much. Thanks so much.
>
> Sam
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:2cQpc.60513$536.10255547@attbi_s03...
> > Hi Sam.
> >
> > If you are going to have a number of users require access to the other
> > forest, then yes a one way trust would make sense where you are the trusted
> > domain and they are the trusting domain. I hesitate to recommend the best
> > way to interconnect your networks without having more experience on that
> > end with larger networks. You may want to post in the win2000.ras_routing
> > newsgroup and win2000.active_directory for more opinions on that. Usually a
> > router [possibly a Windows box with two nics] would be the solution
> > interconnecting the internal lans but since you say you are using
> > switches/logical networks there may be an easier way or even through the
> > ISA servers since you are on the same external subnet. Gateways will have
> > to be configured on clients/routers possibly so that traffic to the other
> > domain gets sent there and back and not out to the internet router.
> >
> > Setting up the trust will require that the domains have dns name resolution
> > between them with either the use of "stub" zones or your dns servers in each
> > domain also being secondary dns servers for the opposite domain. If you are
> > using wins for network browsing, then configure the wins servers to be
> > replication partners with the wins servers in the other domain and make
> > sure the domain controllers are also wins clients. After the trust is set
> > up you can add the appropriate users from your domain to the appropriate
> > groups in the other domain. The link below may be helpful on setting up
> > trusts and you may also try an lmhosts file for domain authentication if
> > you have trouble establishing the trust. --- Steve
> >
> > http://www.microsoft.com/resources/d...tandTrusts.asp
> > http://tinyurl.com/2nbaf --- same link as above in case of wrap
> > http://support.microsoft.com/default...b;en-us;180094 -- lmhosts
> >
> > "Sam" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Hi Steve,
> > >
> > > First, thanks for your responses. I appreciate you taking the time to
> > > answer my questions.
> > >
> > > Now that you mentioned a trust relationship, it actually makes sense to
> > > do that. We are very intimate with our client. We also do a lot of
> > > application development and SQL Server management for them.
> > >
> > > So it's very important for us to be comfortable while we work. For
> > > example, our SQL Server guy should be able to access our client's SQL
> > > Server using his workstation. He should be able to just use SQL Server
> > > Enterprise Manager to pull up client's SQL Server and be able to create
> > > tables, etc.
> > >
> > > Same thing applies to everyone in my company. We also manage our client's
> > > Exchange server. We even do data entry for them. Like I said, the goal is
> > > to keep our network separate AND protected but in the meantime, certain
> > > individuals in my company/network should be able to tap into the client's
> > > network and network resources i.e. Exchange, SQL Server, applications,
> > > etc. for them to be able to do their work.
> > >
> > > Do you think a one-way trust relationship is the way to go? What about
> > > routing? Again, physically, we are in the same building, same wiring,
> > > same switches. We will just have a separate logical network with a
> > > separate forest. How would we tap into our client's network in a one way
> > > trust relationship scenario? For instance, how would the SQL guy see our
> > > client's SQL Server in his Enterprise manager if he's on a separate
> > > domain/forest/subnet considering that our client's domain/forest trusts
> > > our domain/forest.
> > >
> > > Thanks for your help Steve.
> > >
> > > Sam
> > >
> > > "Steven L Umbach" <(E-Mail Removed)> wrote in message
> > > news:zTOpc.60795$iF6.5423485@attbi_s02...
> > > > Hi Sam.
> > > >
> > > > I think it makes sense to have a workstation on their domain/network.
> > > > You bring up the point about separate forests/subnets which tells me
> > > > you probably don't want to go into creating trusts between the forests,
> > > > etc. The workstation does not need to be fancy and you could share
> > > > another monitor/keyboard/mouse from another computer via a KVM switch
> > > > if you want to save some space and money. If you go that route, I would
> > > > consider allowing only those who should administer the other domain to
> > > > logon to it using security policy user rights assignment - log on
> > > > locally. --- Steve
> > > >
> > > > "Sam" <(E-Mail Removed)> wrote in message
> > > > news:(E-Mail Removed)...
> > > > > We're also going to be maintaining our client's Exchange, SQL and
> > > > > some other apps.
> > > > >
> > > > > So we need to get into their network and do things comfortably. What
> > > > > do you think is the best way for us to almost live in their network?
> > > > > I guess we could keep a workstation in their network that we can
> > > > > physically use.
> > > > >
> > > > > Just trying to figure out the most effective and comfortable way to
> > > > > handle this.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Sam
> > > > >
> > > > > "Steven Umbach" <(E-Mail Removed)> wrote in message
> > > > > news:v0xpc.8554$qA.931575@attbi_s51...
> > > > > > Since the equipment will be in your office it would make sense to
> > > > > > have a domain computer for their domain available to you connected
> > > > > > to their subnet. Just make sure that it is hardened and physically
> > > > > > secured to some degree as you will be logging onto it with domain
> > > > > > admin credentials. You could configure that computer to access one
> > > > > > of their domain controllers using Terminal Services remote
> > > > > > administration or installing Adminpak on that computer to
> > > > > > administer the domain. Another option would be to use one of your
> > > > > > computers to use TS remote administration to access their domain
> > > > > > through the ISA servers, though that would require configuration on
> > > > > > their end to allow port 3389 access to the proper computer on their
> > > > > > lan. It would also open a hole in their firewall unless they have a
> > > > > > vpn connection you can go through. I would not recommend opening
> > > > > > port 3389 on their end unless you configure their firewall to only
> > > > > > accept port 3389 connections from your public IP address in order
> > > > > > to reduce hacking attempts.
> > > > > >
> > > > > > Should be no problem using their router and internet access. The
> > > > > > ISA servers will not allow uninitiated inbound access to each
> > > > > > other's public IP address unless they are configured to allow it.
> > > > > > --- Steve
> > > > > >
> > > > > > "Sam" <(E-Mail Removed)> wrote in message
> > > > > > news:(E-Mail Removed)...
> > > > > > > Hi,
> > > > > > >
> > > > > > > We're in a situation where we will be in charge of at least one
> > > > > > > other network within the same building. We want to keep our
> > > > > > > Windows 2003 domain/forest completely separate and independent
> > > > > > > with its own subnet 10.1.x.x and ISA Server but we have to do 2
> > > > > > > things:
> > > > > > >
> > > > > > > 1. Maintain our client's network so we need to be able to get
> > > > > > > into their network w/ admin rights whenever we need to. As a
> > > > > > > matter of fact, their equipment will physically be in our office.
> > > > > > > They have their own Windows 2000 forest, subnet -- 10.10.x.x --
> > > > > > > and ISA Server, etc.
> > > > > > >
> > > > > > > 2. Use their router and T1s for our Internet connection as well.
> > > > > > > So the outside IPs of our ISA Server and their ISA Server will be
> > > > > > > in the same subnet.
> > > > > > >
> > > > > > > What is the best and most cost effective way to set this up?
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > Sam
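One way to carry out the two prerequisite steps Steve lays out in the quoted post (DNS name resolution between the domains, then a one-way trust with the consultant's domain as the trusted side) and to check the result, as an added PowerShell example that is not from the thread. The domain names, the 10.10.0.5 DNS address and the credential prompt are assumptions, and it assumes a current Windows Server (the DnsServer module and the .NET System.DirectoryServices.ActiveDirectory classes) rather than the Windows 2000/2003 tools of 2004.

```powershell
# Added example, not from the thread. Run on a domain controller in the
# consultant's domain, which in Steve's terms is the TRUSTED side: the
# client's domain will trust it, not the other way round.
# Assumes the DnsServer module (Windows Server 2012+) and .NET's
# System.DirectoryServices.ActiveDirectory classes. All names/IPs are constructed.
$ourDomain    = 'consult.example'   # constructed placeholder for the 2003 forest
$clientDomain = 'client.example'    # constructed placeholder for the 2000 forest
$clientDns    = '10.10.0.5'         # constructed: a DNS server in the client's 10.10.x.x subnet
$clientAdmin  = Get-Credential -Message "Domain admin credentials for $clientDomain"

# Step 1: name resolution. A stub zone holds only the client's SOA/NS/glue
# records and refreshes them from $clientDns, so our DCs can locate theirs.
# (The client side needs the mirror image: a stub or secondary of $ourDomain.)
if (-not (Get-DnsServerZone -Name $clientDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $clientDomain -MasterServers $clientDns -ReplicationScope Forest
}
# Fail early if the client's DC locator records cannot be resolved; the trust
# creation would otherwise fail later with a less helpful error.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$clientDomain" -Type SRV -ErrorAction Stop | Out-Null

# Step 2: the one-way external trust. TrustDirection is relative to the domain
# running this code: Outbound means "this domain is trusted, the target domain
# is trusting", which is the least-privilege shape Steve recommends.
Add-Type -AssemblyName System.DirectoryServices
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Domain', $clientDomain, $clientAdmin.UserName, $clientAdmin.GetNetworkCredential().Password
$client = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$ours   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$existing = $ours.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $clientDomain }
if (-not $existing) {
    $ours.CreateTrustRelationship($client,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)
}

# Step 3: check. VerifyOutboundTrust throws if the secure channel to the client's
# domain cannot be established; the listed direction should read Outbound only.
$ours.VerifyOutboundTrust($clientDomain)
$ours.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -eq $clientDomain } |
    Select-Object SourceName, TargetName, TrustType, TrustDirection
```

If the direction shown is Bidirectional, the client's administrators have been granted access to the consultant's resources as well, which is the opposite of what the thread is trying to achieve.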



Sam
      17th May 2004
Thanks Steve... I might come back for some more questions...

Sam

"Steven Umbach" <(E-Mail Removed)> wrote in message
news:QASpc.103563$Ik.8304523@attbi_s53...
> Hi Sam.
>
> OK. I have not spent much time with ISA, but you might want to look into the
> possibility of configuring the ISA servers to have an ipsec tunnel between
> the two networks/domains and whether or not that would be feasible. Good
> luck. --- Steve
>
> "Sam" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi Steve,
> >
> > Thanks for the detailed answers. I do like the idea of using ISA boxes for
> > routing purposes also. I'll post some questions on ISA newsgroups also.
> > This would eliminate the need for a separate router or Windows box that
> > acts as a router.
> >
> > I got a lot of ideas from your responses and do appreciate your help very
> > much. Thanks so much.
> >
> > Sam
> >
> > "Steven L Umbach" <(E-Mail Removed)> wrote in message
> > news:2cQpc.60513$536.10255547@attbi_s03...
> > > Hi Sam.
> > >
> > > If you are going to have a number of users require access to the other
> > > forest, then yes a one way trust would make sense where you are the
> > > trusted domain and they are the trusting domain. I hesitate to recommend
> > > the best way to interconnect your networks without having more experience
> > > on that end with larger networks. You may want to post in the
> > > win2000.ras_routing newsgroup and win2000.active_directory for more
> > > opinions on that. Usually a router [possibly a Windows box with two nics]
> > > would be the solution interconnecting the internal lans but since you say
> > > you are using switches/logical networks there may be an easier way or
> > > even through the ISA servers since you are on the same external subnet.
> > > Gateways will have to be configured on clients/routers possibly so that
> > > traffic to the other domain gets sent there and back and not out to the
> > > internet router.
> > >
> > > Setting up the trust will require that the domains have dns name
> > > resolution between them with either the use of "stub" zones or your dns
> > > servers in each domain also being secondary dns servers for the opposite
> > > domain. If you are using wins for network browsing, then configure the
> > > wins servers to be replication partners with the wins servers in the
> > > other domain and make sure the domain controllers are also wins clients.
> > > After the trust is set up you can add the appropriate users from your
> > > domain to the appropriate groups in the other domain. The link below may
> > > be helpful on setting up trusts and you may also try an lmhosts file for
> > > domain authentication if you have trouble establishing the trust. ---
> > > Steve
> > >
> > > http://www.microsoft.com/resources/d...tandTrusts.asp
> > > http://tinyurl.com/2nbaf --- same link as above in case of wrap
> > > http://support.microsoft.com/default...b;en-us;180094 -- lmhosts
> > >
> > > "Sam" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > Hi Steve,
> > > >
> > > > First, thanks for your responses. I appreciate you taking the time to
> > > > answer my questions.
> > > >
> > > > Now that you mentioned a trust relationship, it actually makes sense
> > > > to do that. We are very intimate with our client. We also do a lot of
> > > > application development and SQL Server management for them.
> > > >
> > > > So it's very important for us to be comfortable while we work. For
> > > > example, our SQL Server guy should be able to access our client's SQL
> > > > Server using his workstation. He should be able to just use SQL Server
> > > > Enterprise Manager to pull up client's SQL Server and be able to
> > > > create tables, etc.
> > > >
> > > > Same thing applies to everyone in my company. We also manage our
> > > > client's Exchange server. We even do data entry for them. Like I said,
> > > > the goal is to keep our network separate AND protected but in the
> > > > meantime, certain individuals in my company/network should be able to
> > > > tap into the client's network and network resources i.e. Exchange, SQL
> > > > Server, applications, etc. for them to be able to do their work.
> > > >
> > > > Do you think a one-way trust relationship is the way to go? What about
> > > > routing? Again, physically, we are in the same building, same wiring,
> > > > same switches. We will just have a separate logical network with a
> > > > separate forest. How would we tap into our client's network in a one
> > > > way trust relationship scenario? For instance, how would the SQL guy
> > > > see our client's SQL Server in his Enterprise manager if he's on a
> > > > separate domain/forest/subnet considering that our client's
> > > > domain/forest trusts our domain/forest.
> > > >
> > > > Thanks for your help Steve.
> > > >
> > > > Sam
> > > >
> > > > "Steven L Umbach" <(E-Mail Removed)> wrote in message
> > > > news:zTOpc.60795$iF6.5423485@attbi_s02...
> > > > > Hi Sam.
> > > > >
> > > > > I think it makes sense to have a workstation on their
> > > > > domain/network. You bring up the point about separate
> > > > > forests/subnets which tells me you probably don't want to go into
> > > > > creating trusts between the forests, etc. The workstation does not
> > > > > need to be fancy and you could share another monitor/keyboard/mouse
> > > > > from another computer via a KVM switch if you want to save some
> > > > > space and money. If you go that route, I would consider allowing
> > > > > only those who should administer the other domain to logon to it
> > > > > using security policy user rights assignment - log on locally. ---
> > > > > Steve
> > > > >
> > > > > "Sam" <(E-Mail Removed)> wrote in message
> > > > > news:(E-Mail Removed)...
> > > > > > We're also going to be maintaining our client's Exchange, SQL and
> > > > > > some other apps.
> > > > > >
> > > > > > So we need to get into their network and do things comfortably.
> > > > > > What do you think is the best way for us to almost live in their
> > > > > > network? I guess we could keep a workstation in their network
> > > > > > that we can physically use.
> > > > > >
> > > > > > Just trying to figure out the most effective and comfortable way
> > > > > > to handle this.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Sam
> > > > > >
> > > > > > "Steven Umbach" <(E-Mail Removed)> wrote in message
> > > > > > news:v0xpc.8554$qA.931575@attbi_s51...
> > > > > > > Since the equipment will be in your office it would make sense
> > > > > > > to have a domain computer for their domain available to you
> > > > > > > connected to their subnet. Just make sure that it is hardened
> > > > > > > and physically secured to some degree as you will be logging
> > > > > > > onto it with domain admin credentials. You could configure that
> > > > > > > computer to access one of their domain controllers using
> > > > > > > Terminal Services remote administration or installing Adminpak
> > > > > > > on that computer to administer the domain. Another option would
> > > > > > > be to use one of your computers to use TS remote administration
> > > > > > > to access their domain through the ISA servers, though that
> > > > > > > would require configuration on their end to allow port 3389
> > > > > > > access to the proper computer on their lan. It would also open a
> > > > > > > hole in their firewall unless they have a vpn connection you can
> > > > > > > go through. I would not recommend opening port 3389 on their end
> > > > > > > unless you configure their firewall to only accept port 3389
> > > > > > > connections from your public IP address in order to reduce
> > > > > > > hacking attempts.
> > > > > > >
> > > > > > > Should be no problem using their router and internet access.
> > > > > > > The ISA servers will not allow uninitiated inbound access to
> > > > > > > each other's public IP address unless they are configured to
> > > > > > > allow it. --- Steve
> > > > > > >
> > > > > > > "Sam" <(E-Mail Removed)> wrote in message
> > > > > > > news:(E-Mail Removed)...
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > We're in a situation where we will be in charge of at least
> > > > > > > > one other network within the same building. We want to keep
> > > > > > > > our Windows 2003 domain/forest completely separate and
> > > > > > > > independent with its own subnet 10.1.x.x and ISA Server but
> > > > > > > > we have to do 2 things:
> > > > > > > >
> > > > > > > > 1. Maintain our client's network so we need to be able to get
> > > > > > > > into their network w/ admin rights whenever we need to. As a
> > > > > > > > matter of fact, their equipment will physically be in our
> > > > > > > > office. They have their own Windows 2000 forest, subnet --
> > > > > > > > 10.10.x.x -- and ISA Server, etc.
> > > > > > > >
> > > > > > > > 2. Use their router and T1s for our Internet connection as
> > > > > > > > well. So the outside IPs of our ISA Server and their ISA
> > > > > > > > Server will be in the same subnet.
> > > > > > > >
> > > > > > > > What is the best and most cost effective way to set this up?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > Sam