Multi-site domain Vs Forest trust

Aaron Seet

Sorry if the title sounded confusing to you. Here's the scenario:

We have an existing domain powering our LAN and user base. This domain is
actually also providing AD services for the tuition centre we're located in.
Soon this tuition centre is opening a new branch and the plan is to have
that branch office access servers and resources here as seamlessly as
possible.

My initial thought was to establish a second DC and locate it there, resulting
in 2 sites. I believe the option for linking the 2 sites together is a
router-to-router VPN; the exact consideration isn't finalised due to the
complications arising from using static ADSL connections for Internet
access.

But that will be another topic; the primary issue I'm focusing on here is:
since effectively this _is_ just gonna be the tuition centre's machine,
should we in fact set up a new forest/domain under the centre's own company
domain, then establish a forest trust to our existing domain?

The VPN networking issue aside, which path would be more painful
administratively? Your opinions?
 
Rick

To me I see no compelling reason to do multiple forests. You could create a
child domain if you wanted on the separate site, but only if you need to
segment them under a separate security policy. The only security policy I can
think of right now would be different password policies, as this is on a per
domain basis. All of that being said, if it was me I would create a new site
and move a DC into it. I would also set that DC up as a GC so that if the
link goes down users will still be able to authenticate. MS suggests each
site have one GC and two DCs. It is also good practice to place a DNS
server at each site. If you make the DNS AD-integrated it will replicate
according to the domain replication policy. Hope this helps; if you have more
questions, post them.



Rick
 
Guest

Hi, placing another DC in a second site will be far easier.
The main point to consider is who is going to administer both the sites?
If it is to be done by 2 separate entities who don't trust each other,
then consider creating a separate forest or domain. If the same team is
responsible for both, then another site in the same domain should be OK.
Don't forget you can use OUs to delegate administration.

Pete - MS engineer
 
Aaron Seet

Even if we're technically 2 separate companies? They are riding on our
domain and servers now, y'see. We are officially not "present" in the new
branch. I am worried that future operations will have them deeply rooted in
our domain, so whether it's wise for them to begin their own domain now, but
still access our existing domain resources seamlessly.

OR, is it more prudent to just set up a second DC/site and plan for a separate
domain only when things start getting out of control in the future? (The
implications?)


--
The melody of logic will always play out the truth.
- Narumi Ayumu, Spiral


..... You could create a child domain .....
 
Rick

That is completely different. I should have looked at that more closely. The
answer is absolutely two forests with a trust. Even if you create a child
domain, it would create a large mess if you ever severed your ties with them.
Not so much for you if you are the root forest, as you can always delete the child
and clean up the metadata. It would be in the tuition centre's best interest
for them to have a separate forest.
 
Steve Buckley

There is no real reason why you need a new domain or forest; the whole
point of 2000 and up is that you can consolidate into a single domain.
The only reason you would really ever need to install a child domain
would be political more than technical; all the functionality that people
associate with separate domains is available through the use of OUs.
 
Mark Mancini

With AD there is separation between physical and logical, unlike NT4.
Domains should only be created because of a handful of situations. Sites are
different: they are physical, not logical. You need to understand the
whys of AD for proper planning.
 
Aaron Seet

I'm sorry I failed to make the question clearer. Yes, we are concerned about
the administrative workload, but my focus also has to do with the
business/political landscape: is it a sound business plan to intermingle the
operations of these 2 companies?

They are very tightly related, one owned by the husband and the other by the wife.
Our company implements IT services for the learning centre (thus riding on
our machines/network). We won't exist in the 2nd centre, only them. But the
tuition staff will exist in both offices, so if it's a multi-forest structure
they must be able to log on at either place and access resources/files
seamlessly.

From the advice/opinions gathered so far, it _shouldn't_ be too much of a
problem implementing a 2nd DC/site first, then planning for a separation of
forests as operational complications start seeping in.


Thanks,
Aaron
--
The melody of logic will always play out the truth.
- Narumi Ayumu, Spiral

 
Aaron Seet

First of all, thank you for the suggestions & hints putting me in a forward
direction. Here's a report of what I've experimented with [successfully] so far:

For simplicity's sake my company is called coy1.com and the centre is
coy2.com.

The forest root domain is corporate.coy1.com (only coy1.com is publicly
visible). I have set up the second DC to run a new tree, corporate.coy2.com.
Both are configured with RRAS for router-to-router VPN. After much VPN fiddling
yesterday & today, which I won't detail here to keep the focus on AD alone, I've
finally got it to communicate bi-directionally between the office & home LANs.
Yes, I'm testing this at home right now.

So it goes Site1: dc1.corporate.coy1.com <--VPN--> Site2:
dc2.corporate.coy2.com

I can marvelously join corporate.coy1.com domain with my home PC (Site2) and
almost everything appears to work as though they are all in one same happy
wire. Almost, that is. There are some notable complaints in the Directory
Services event log, which I believe is due to the lack of a coy1.com DC in
Site2:

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 12/25/2003
Time: 21:32:12
User: N/A
Computer: NARU
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active Directory
Sites and Services Manager to create a spanning tree connecting all the
sites containing the Partition CN=Configuration,DC=corporate,DC=coy1,DC=com,
or (b) replication cannot be performed with one or more critical servers in
order for changes to propagate across all sites (most often due to the
servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do
one of the following:
1. Publish sufficient site connectivity information such that the system can
infer a route by which this Partition can reach this site. This option is
preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=corporate,DC=coy1,DC=com in this site from a
Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted.



Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1566
Date: 12/25/2003
Time: 21:32:12
User: N/A
Computer: NARU
Description:
All servers in site
CN=Parkway,CN=Sites,CN=Configuration,DC=corporate,DC=coy1,DC=com that can
replicate partition CN=Configuration,DC=corporate,DC=coy1,DC=com over
transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=corporate,DC=coy1,DC=com are
currently unavailable.


What can be done about this?
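The 1311 event text above names two possible causes: (a) no site link publishes a route into the site, or (b) none of the site's DCs is reachable. The check below walks the forest's sites, site links and DCs and flags each cause, plus the missing-GC case Rick raised. It is an added example, not code from this thread; it assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later, which postdates this thread), ICMP allowed over the VPN, and an account that can read the Configuration partition.

```powershell
# Added example (not from the thread): map Event ID 1311's two causes to a check.
# Assumes the ActiveDirectory module; Get-ADReplicationSite/SiteLink require
# Windows Server 2012 / RSAT 8 or later.
Import-Module ActiveDirectory

$sites = Get-ADReplicationSite -Filter *
$links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded

# The Configuration partition is forest-wide, so a DC from *any* domain in the
# forest (here corporate.coy1.com or corporate.coy2.com) can serve it; collect
# DCs from every domain rather than only the current one.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

# (a) Every site must appear in at least one site link, otherwise the KCC cannot
#     infer a route by which the partition reaches that site.
$linkedSiteDNs = $links | ForEach-Object { $_.SitesIncluded } | Sort-Object -Unique
foreach ($site in $sites) {
    if ($linkedSiteDNs -notcontains $site.DistinguishedName) {
        Write-Warning "Site '$($site.Name)' is in no site link (cause a)"
    }
}

# (b) Every site must hold at least one reachable DC; the 1566 warning above is
#     the symptom when every server in a site is unavailable.
$dcsBySite = $dcs | Group-Object -Property Site
foreach ($site in $sites) {
    $group = $dcsBySite | Where-Object { $_.Name -eq $site.Name }
    if (-not $group) {
        Write-Warning "Site '$($site.Name)' has no domain controller at all"
        continue
    }
    $reachable = $group.Group | Where-Object {
        Test-Connection -ComputerName $_.HostName -Count 1 -Quiet
    }
    if (-not $reachable) {
        Write-Warning "No DC in site '$($site.Name)' answers ICMP (cause b)"
        continue
    }
    # Rick's point: without a local GC, logons fail when the inter-site link drops.
    if (-not ($reachable | Where-Object IsGlobalCatalog)) {
        Write-Warning "Site '$($site.Name)' has no reachable global catalog"
    }
}
```

ICMP reachability is only a proxy; if it passes but 1311 persists, check that TCP 135 and the RPC dynamic range are open across the VPN, since that is what replication actually uses.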
 