child domain

Guest

Hi
I have a win2k lab setup where I have created a domain.local and a
child.domain.local. I can see the parent from the child and vice versa, I can
browse both from either one. My question is: I cannot log into the child with
credentials supplied from the parent. For instance, if I try to log into the
child with user name/password/from parent, but into child domain, it tells me
I cannot do that. Should I not be able to do that? My goal is to set up our
plant in China as a child through our VPN. Is there a KB on how to do this
properly?
 
Jorge Silva

Hi
> if I try to log into the child with user name/password/from parent, but
> into child domain it tells me I cannot do that.

You need to select the domain where the account is in.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Guest

Yeah, I kinda figured that, but is there a way for me to create the account in
the parent and replicate that to the child?
 
Jorge Silva

Hi
> Yeah, I kinda figured that, but is there a way for me to create the account
> in the parent and replicate that to the child?

- Why would you want to do that?
- Users are domain-wide only; they belong to their local domain. The best you
could do is make the users members of another domain's security group.
- Before creating new domains you should consider why you want to add a new
domain...

You should create multiple domains to:

- Meet security requirements.
- Meet administrative requirements.
- Optimize replication traffic.
- Retain Microsoft Windows NT domains.

Do not create multiple domains to accommodate polarized groups or for
isolated resources that are not easily assimilated into other domains. Both
the groups and the resources are usually better candidates for
organizational units (OUs).

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Guest

I am confused. Why would you not create a child domain? Would it not be better
to have a child domain? That way all the workstations at the remote site log
into the child instead of having them log into the parent via the tunnel. Or
is that not what you are saying? I just thought if you create the child and
then allow them to log on locally to the parent through domain controller
security policy, everything should work, considering there would be a 2-way
trust being established. This way the users at the remote site should be able
to access resources off the parent. Am I not correct?
 
Jorge Silva

InLine

> I am confused. Why would you not create a child domain?

Unless for the reasons that I gave you.

> Would it not be better to have a child domain? That way all the
> workstations at the remote site log into the child instead of having them
> log into the parent via the tunnel. Or is that not what you are saying?

You can have an additional DC for an existing domain in your remote site.
Configure the appropriate subnet for that site, make it a GC, make it a DNS
server, and all users/computers will only use that server for authentication,
AD searches, etc.

If you have the need to delegate permissions to admins on the remote site,
for example, you can create an OU with the name of the site, then create sub
OUs to place all computers, users, security groups, etc. Then just use the
Delegation Wizard.

Adding more domains most of the time just gives you more administrative
work.

One of the main reasons why you should have an additional domain is related
to different security needs. For example, you can only have one password
policy per domain. If you wanted users on Site1 to use a minimum password
length of 6 chars and on Site2 a minimum password length of 15, this is only
possible in two different domains, because you can only have one password
policy per domain.

> I just thought if you create the child and then allow them to log on
> locally to the parent through domain controller security policy,
> everything should work, considering there would be a 2-way trust being
> established. This way the users at the remote site should be able to
> access resources off the parent. Am I not correct?

A transitive parent-child trust is implicitly created when you add the child
to the domain.
Yes. Users can access the parent domain with the child credentials, of
course, or using UPN logon ([email protected]); in this way you don't need
to select the domain, because the UPN logon must be unique in the forest.



--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 