Advice about AD domain organisation

sam

Hi,

I administer a network for 2 companies, owned by a single holding
company (25 employees). Although both officially separate they share
common departments e.g. Accounts, Tech support, Marketing etc.

At the moment I have 2 domains: a DMZ domain (companyname.co.uk, native
mode) with a single [web] server, and another domain
(holdingcompanyname.com, mixed mode with 1 DC, 4 servers and 25
clients). There is a one-way trust set up at the moment, allowing
anyone in holdingcompanyname.com to connect to resources on the web
server in companyname.co.uk.

I was wondering, is this the correct way to organize the domain, or
should I make the DMZ domain a child domain of holdingcompanyname.com?

Also, should I put the domains on separate subnets for extra security?
And if so, how do I set up a trust across a subnet?

The DMZ domain was set up a long time ago and the other domain was a
recent migration; does this mean I have a forest, and
companyname.co.uk is the forest root? If so, what tools do I use to
view/administer the entire forest?

Thanks for any help, I'm new to all this.
 
Richard Moreno

Hi Sam-

Currently you have 2 Forests and 1 One-Way Inter-Forest Trust between them.
You cannot merge these 2 forests as they have different root names. When the
recent migration was done for the .com domain, that was the best time to
determine if you wanted a single forest or not. A Forest allows you to have a
separate Schema and Global Catalog (GC). If you believe that the 2 companies
would never have needed separate schemas (dependent on their business needs,
software differences, etc.) then it would have been best to have the 2nd
domain as a child domain to the 1st.

Your new option is to migrate both these forests (domains) into an entirely
new forest (if you so decide and want to have an easier administrative
model.)

Putting these domains on separate subnets can increase security only if
these subnets don't talk to each other. If you want to maintain a trust
between the forests while these forests are on separate subnets you may want
to read this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

However, in my opinion, since there are resources that need to be accessed
from one to another I would leave the networking model as is.

Tools to use to manage the forests are as follows:

AD Users and Computers (manages all user, computer and group objects for each
forest (separately) as well as your FSMO roles)
AD Sites and Services (manages site topology, GC config, and various AD
Services)
AD Domains and Trusts (manages trusts, forests, and FSMO roles)

Hope this helps.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.
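As an added example, not part of either post: a PowerShell audit that shows, from whichever DC you run it on, what Richard describes by hand (which forest you are in, whether the other domain is a child or a separate forest, and the direction of the trust). It assumes the ActiveDirectory module from RSAT on Windows Server 2008 R2 or later; the domain names are the ones from the thread and the Notes column is the script's own interpretation.

```powershell
# Added example: audit forest membership and trusts as seen from the current DC.
# Assumes the RSAT ActiveDirectory module (Server 2008 R2+), not the Windows 2000
# MMC snap-ins named in the thread.
Import-Module ActiveDirectory

function Get-ForestTrustReport {
    param(
        # Forests the design says should exist (names taken from the thread).
        [string[]] $ExpectedForests = @('companyname.co.uk', 'holdingcompanyname.com')
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # One row for the forest we are in: a child domain would show up in Domains.
    [pscustomobject]@{
        Object    = 'Forest'
        Name      = $forest.RootDomain
        Partner   = ($forest.Domains -join ', ')
        Direction = $domain.DomainMode          # e.g. Windows2000MixedDomain
        Notes     = "Schema master: $($forest.SchemaMaster)"
    }

    foreach ($t in Get-ADTrust -Filter *) {
        $notes = @()
        if ($t.IntraForest) {
            $notes += 'intra-forest trust: partner is a child/tree domain, not a separate forest'
        } else {
            # Outbound = "outgoing" in AD Domains and Trusts: this domain trusts the partner,
            # so the partner's users can use resources here. Inbound is the reverse.
            switch ($t.Direction) {
                'Outbound'      { $notes += "this domain trusts $($t.Target)" }
                'Inbound'       { $notes += "$($t.Target) trusts this domain" }
                'BiDirectional' { $notes += 'two-way trust, but the design calls for one-way' }
            }
            if ($t.ForestTransitive) { $notes += 'forest trust (transitive)' } else { $notes += 'external trust' }
            # SID filtering blocks SIDs from outside the partner forest; either flag means it is on.
            if (-not ($t.SIDFilteringForestAware -or $t.SIDFilteringQuarantined)) { $notes += 'SID filtering off' }
            if ($ExpectedForests -notcontains $t.Target) { $notes += 'partner not in documented design' }
        }
        [pscustomobject]@{
            Object    = 'Trust'
            Name      = $t.Source
            Partner   = $t.Target
            Direction = $t.Direction
            Notes     = ($notes -join '; ')
        }
    }
}

Get-ForestTrustReport | Format-Table -AutoSize -Wrap
```

Run it on a DC in each forest; with the setup described in the thread you should see two different RootDomain values and a single non-bidirectional trust row on each side.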
