Can Root domain DC's authenticate for child domain users?

[wsmith]

Here is my situation.

One top level domain: alpha.com
3 child domains:
beta.alpha.com
gamma.alpha.com
delta.alpha.com

Currently have 42 sites in a Metro network. Top level domain and all
3 child domains have a presence in all 42 sites. I.e. users for each
domain at each site.

Root domain alpha.com is Windows server 2003.
Child domains are some Windows server 2000 and 2003 mixed.
Running in mixed mode.

Do I need a DC for each domain at each site? or can a DC from the top
level domain handle authentication for the child domains?

I will be setting these DC's up for fault tolerance during network
outtages, and would prefer to deploy one DC for each site rather than
3 at each site.

Any tips are much appreciated.
Thank you.
Will Smith.

 

[wsmith]

Anyone have any idea? Really trying to find out if I need multiple
DC's or just one for each site.

Thanks for any help.

 

[Enkidu]

You asked for ideas, and so, this is mine but I'm not absolutely sure.
(I only have one Domain) A Domain is a security boundary, so I would
say that, no, each Domain user would be authenticated by his/her DCs
and no others.

Cheers,

Cliff

(MVP)

 

[Cary Shultz [A.D. MVP]]

Cliff,

I will second this. If you think about it the user account for 'john peter
lewis' is in DomainA. DomainA has two DCs: DC1a and DC2a. None of the
other Domains know about 'john peter lewis' so there is no really way that I
can see that any DC outside of DomainA could possibly authenticate him.

Cary

 

[wsmith]

Cliff,

I will second this. If you think about it the user account for 'john peter
lewis' is in DomainA. DomainA has two DCs: DC1a and DC2a. None of the
other Domains know about 'john peter lewis' so there is no really way that I
can see that any DC outside of DomainA could possibly authenticate him.

Cary

Thanks for the input. I tend to agree with your assessment. It makes
sense since alpha.com does not know about users in beta.alpha.com,
gamma.alpha.com, and delta.alpha.com.