Differences in Trusts

Buzz

Hi,

Could anyone please point me in the correct direction? I'll firstly try
and explain what I've done. We are in the early stages of moving our
production servers from our office to a datacentre. Our current domain
is Windows 2000 and the name scheme is in the format
locationa.domain.com.

I then created a new Windows 2003 domain at the new site with the name
locationab.domain.com. The network team created a tunnel between the two
sites. In locationb I created a secondary DNS server with a copy of the
locationa DNS and vice versa at location a.

I have created external trusts between the two domains.

Now to the question :) Is there much of a difference between creating the
above and the option to add a new domain to an existing forest when you DCPROMO?

Thanks

Bryn
 
Herb Martin

Buzz said:
> Hi,
>
> Could anyone please point me in the correct direction? I'll firstly try
> and explain what I've done. We are in the early stages of moving our
> production servers from our office to a datacentre. Our current domain
> is Windows 2000 and the name scheme is in the format
> locationa.domain.com.
> I then created a new Windows 2003 domain at the new site with the name
> locationab.domain.com. The network team created a tunnel between the two
> sites. In locationb I created a secondary DNS server with a copy of the
> locationa DNS and vice versa at location a.

Ok, so they can find each other due to the "cross secondaries."

> I have created external trusts between the two domains.

So these domains are NOT in the same forest?

You don't need external trusts if they are in the same forest.

And if you NEED the external trusts, then you need NetBIOS
name resolution to work. Through the routers (VPN etc.) you have
described you will also need a WINS server to help NetBIOS
work.

> Now to the question :) Is there much of a difference between creating the
> above and the option to add a new domain to an existing forest when you DCPROMO?

Yes. Domain trusts within a forest are automatic,
two-way and transitive (to any child etc. domains) while
external trusts are one-way, manual, and intransitive.

External trusts also require NetBIOS name resolution,
while the automatic domain trusts do not.

There are other (non-trust) implications to having
multiple forests of course: different schemas, different
Sites and Services Configuration partitions, different GCs,
different Enterprise Admins, authorization of DHCP
servers, etc.
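The distinction Herb draws above (automatic, two-way, transitive trusts inside a forest versus manual, one-way, intransitive external trusts) decides which domain can accept logons from which other domain. The following is an added example, not code from the thread: a small model of Windows trust-path resolution that encodes exactly those rules and evaluates both designs the poster is weighing. The domain names are modelled on the thread's (locationa/locationb under domain.com); the two child domains and the forest labels are hypothetical, added only to show where transitivity matters.

```python
"""Model of Windows domain trust paths (added example, not from the thread).

Rules encoded, as stated in the thread:
  * inside one forest every parent/child pair and every tree-root/forest-root
    pair gets an automatic two-way transitive trust;
  * an external trust between domains of different forests is created by
    hand, is one-way, and is intransitive, so it never chains.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Domain:
    name: str
    forest: str                    # forest the domain belongs to
    parent: Optional[str] = None   # parent domain in the same forest, if a child


@dataclass(frozen=True)
class Trust:
    # "trusting" accepts accounts from "trusted". One direction only; a
    # two-way trust is represented by two Trust records.
    trusting: str
    trusted: str
    transitive: bool
    kind: str                      # "parent-child", "tree-root" or "external"


def forest_trusts(domains: List[Domain], forest_roots: Dict[str, str]) -> List[Trust]:
    """Trusts Windows creates automatically when a domain joins a forest."""
    trusts: List[Trust] = []
    for d in domains:
        if d.parent is not None:
            other, kind = d.parent, "parent-child"
        elif d.name != forest_roots[d.forest]:
            other, kind = forest_roots[d.forest], "tree-root"   # new DNS tree
        else:
            continue                                            # the forest root
        trusts.append(Trust(d.name, other, True, kind))
        trusts.append(Trust(other, d.name, True, kind))
    return trusts


def external_trust(trusting: str, trusted: str) -> Trust:
    """A manually created external trust: one-way and intransitive."""
    return Trust(trusting, trusted, False, "external")


def can_authenticate(resource: str, account: str, trusts: List[Trust]) -> bool:
    """Can a server in `resource` accept an account from `account`?

    A single hop may use an intransitive trust. A path of two or more hops
    is only valid if every hop is transitive, which is why an external
    trust does not extend to either side's child domains.
    """
    if resource == account:
        return True
    outgoing: Dict[str, List[Trust]] = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    if any(t.trusted == account for t in outgoing.get(resource, [])):
        return True                                   # direct trust, any kind
    seen: Set[str] = {resource}
    queue = deque([resource])
    while queue:                                      # multi-hop: transitive only
        for t in outgoing.get(queue.popleft(), []):
            if not t.transitive or t.trusted in seen:
                continue
            if t.trusted == account:
                return True
            seen.add(t.trusted)
            queue.append(t.trusted)
    return False


# Names modelled on the thread's domains; the child domains are hypothetical.
A, B = "locationa.domain.com", "locationb.domain.com"
A_CHILD, B_CHILD = "child.locationa.domain.com", "child.locationb.domain.com"


def two_forests_with_external_trust() -> List[Trust]:
    """What the poster built: locationb in its own forest plus external trusts."""
    domains = [Domain(A, "forestA"), Domain(A_CHILD, "forestA", parent=A),
               Domain(B, "forestB"), Domain(B_CHILD, "forestB", parent=B)]
    trusts = forest_trusts(domains, {"forestA": A, "forestB": B})
    return trusts + [external_trust(A, B), external_trust(B, A)]


def one_forest_new_tree() -> List[Trust]:
    """The DCPROMO alternative: locationb as a new domain tree in A's forest."""
    domains = [Domain(A, "forestA"), Domain(A_CHILD, "forestA", parent=A),
               Domain(B, "forestA"), Domain(B_CHILD, "forestA", parent=B)]
    return forest_trusts(domains, {"forestA": A})


def reachability(trusts: List[Trust]) -> Dict[Tuple[str, str], bool]:
    names = sorted({t.trusting for t in trusts} | {t.trusted for t in trusts})
    return {(r, u): can_authenticate(r, u, trusts) for r in names for u in names}


if __name__ == "__main__":
    for label, trusts in (("two forests + external trusts", two_forests_with_external_trust()),
                          ("one forest, locationb as new tree", one_forest_new_tree())):
        print(label)
        for (r, u), ok in sorted(reachability(trusts).items()):
            if r != u:
                print(f"  {r:28} accepts accounts from {u:28}: {ok}")
```

Running it shows the practical difference: with two forests, only the two root domains reach each other, and neither child domain can use the external trust; with locationb joined as a new tree, every domain pair resolves through the automatic tree-root and parent-child trusts even though the two domains are in different DNS trees.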
 
ptwilliams

> Is there much of a difference between creating the above and the option to
> add a new domain to an existing forest when you DCPROMO?

When you add another domain to the existing forest you share a common schema
and configuration (sites, services, etc.). You are also governed by the
root domain and can be exploited by clever and unhappy IT people ;-)

When you create a new domain in a new forest like you have, you have nothing
in common with the other domain other than the external trust you have
set up. You do not share a common schema or configuration.

The security aspect is always debatable if admins can't be trusted, or if
you're so wide open that people can run interactively in your network...
 
Buzz

ptwilliams said:
> When you add another domain to the existing forest you share a common schema
> and configuration (sites, services, etc.). You are also governed by the
> root domain and can be exploited by clever and unhappy IT people ;-)
>
> When you create a new domain in a new forest like you have, you have nothing
> in common with the other domain other than the external trust you have
> set up. You do not share a common schema or configuration.
>
> The security aspect is always debatable if admins can't be trusted, or if
> you're so wide open that people can run interactively in your network...

Thanks for the reply. I thought you only shared the same schema if you
had the same domain structure and were child domains from the same root
domain?

So are you saying that manually creating the trusts in "Domains and
Trusts" is the same as the option to "create a new domain in a new forest"
when using DCPROMO? ...Sorry, I didn't explain myself correctly in the
original question.
 
Buzz

Herb said:
> Ok, so they can find each other due to the "cross secondaries."
>
> So these domains are NOT in the same forest?
>
> You don't need external trusts if they are in the same forest.
>
> And if you NEED the external trusts, then you need NetBIOS
> name resolution to work. Through the routers (VPN etc.) you have
> described you will also need a WINS server to help NetBIOS
> work.
>
> Yes. Domain trusts within a forest are automatic,
> two-way and transitive (to any child etc. domains) while
> external trusts are one-way, manual, and intransitive.
>
> External trusts also require NetBIOS name resolution,
> while the automatic domain trusts do not.
>
> There are other (non-trust) implications to having
> multiple forests of course: different schemas, different
> Sites and Services Configuration partitions, different GCs,
> different Enterprise Admins, authorization of DHCP
> servers, etc.

Hi Herb,

Thanks for the reply. I understand what you're saying; I think this is the
issue I am having. OK, so I haven't gone very far down this road. If I
were to DCPROMO and remove AD and re-install with the option of "domain
tree and an existing forest", can I install Exchange 2003 in the new site
and migrate the users over? We have Exchange 2000 in the old domain.

Thanks

Hywel
 
Herb Martin

> Hi Herb,
>
> Thanks for the reply. I understand what you're saying; I think this is the
> issue I am having. OK, so I haven't gone very far down this road. If I
> were to DCPROMO and remove AD and re-install with the option of "domain
> tree and an existing forest", can I install Exchange 2003 in the new site
> and migrate the users over?

Well, see, but you can do it either way -- migration is possible
across forests if you fix up the external trusts.

One also wonders why you put "site" names in your domain
DNS names.

> We have Exchange 2000 in the old domain.

You could just upgrade too and then all this migration would
be unnecessary.

Generally, one should NOT pick a domain that will ever
change.
 
Herb Martin

> Thanks for the reply. I thought you only shared the same schema if you
> had the same domain structure and were child domains from the same root
> domain?

Every domain in the forest shares a schema since
the schema is a forest-wide resource.

It doesn't matter if you are in the same DNS tree or
not; if the forest is a single one there is only one schema.

As to domain "structure" -- the schema is the set of rules
about that structure: what you can and cannot, or must,
do when creating a particular domain structure.

> So are you saying that manually creating the trusts in "Domains and
> Trusts" is the same as the option to "create a new domain in a new forest"

No, but if you didn't create it in a separate forest there
would be practically no reason to create an extra (and
external) trust.

Trusts are automatic within the same forest.

> when using DCPROMO? ...Sorry, I didn't explain myself correctly in the
> original question.

It made good sense -- why you are doing it is
harder to understand.
 
ptwilliams

Herb's sorted all your questions, so I'll just reiterate that within a
forest all needed trusts are created for you automatically. You can create
shortcut trusts, but that is only really needed when you've got deep domain
trees, for example.

Now that you've realised that you've got two forests, and you only want one,
there are some considerations you need to think about, particularly with
Exchange. Remember there's only one Exchange organisation per forest, and
in order to migrate your domain needs to be in native mode. If you are
migrating mailboxes, you might want to consider using the exchange migration
wizard, as opposed to ADMT, for the mailboxes. MS have actually dropped the
mailbox migration feature from the next version of ADMT because they weren't
happy with its performance...
 
Herb Martin

ptwilliams said:
> Herb's sorted all your questions, so I'll just reiterate that within a
> forest all needed trusts are created for you automatically. You can create
> shortcut trusts, but that is only really needed when you've got deep domain
> trees, for example.

Sometime we should talk about "shortcut" trusts.

(Most of the books don't understand the REAL
reasons for using them.)
 
