Sites in AD (cont.)

Guest

If someone can help with this one.... I'd appreciate it.

Hi Ryan,

Thanks for answering. Let's go!

The child domains already exist. They are different parts of my organization,
so the different domains were created for administration purposes, I think.
(I was not here when they were created.)

My first idea was to create one site for each child domain, because it
identifies the physical structure of my network and controls the logon
traffic. Is this correct?
Do you think it is not necessary to create a site for these child domains?
If I create the sites in AD for each domain (including the parent domain), do
I have to create a GC in each site?

An important piece of information is that my Exchange server is in the root
domain.... and the users from the child domains also have mailboxes in the root
domain.

Do the DCs in the child domains replicate with the global catalog? The GC has
a partial read-only copy of each domain partition, I think.

Another thing that I will have to do is change the root domain to native
mode. Is it necessary to change the child domains to native mode?

We need to change the root domain to native mode because of Exchange Server
2000 and universal groups, but I don't see any need to change to native mode
in the child domains.

I hope my ideas are a little bit clearer now. Hope to hear from you soon.

Thanks a lot for helping.
Maurit.

Ryan Hanisco

Maurit,

Sorry to leave you hanging. I have more information on this, but will get
back to you this evening.

Mea Culpa.

Ryan Hanisco

Maurit,

In the case where your domains could not communicate with one another,
requests for resources would be at the mercy of the Ticket Cache.
Credentials for foreign-domain resources are created on access request, so
if there was a previous request, the access would persist as long as the
Kerberos Ticket Cache lifetime was not exceeded. If you are concerned
about the link, then you may want to do some testing with extending the
lifetime of the cache.

As to logons themselves: If the site link were severed, a user in a foreign
domain, though in the same forest, would not be able to authenticate as
there would not be a valid source to handle Authentication even if the local
cache had enough information for Authorization. The way around this is to
either have one domain, or to provide a redundant path to a domain
controller in the Authenticating Domain (even if it's something like a POTS
or ISDN DoDR solution).

This is what I found in the KB and I did some testing yesterday in my home
lab. (I had to do some testing for a client of mine on this.)

Kerberos Ticket Cache:
http://www.microsoft.com/resources/...windows/xp/all/reskit/en-us/prdp_log_bema.asp

Domain and Forest Trusts:
http://www.microsoft.com/resources/.../2003/all/techref/en-us/w2k3tr_trust_what.asp

Trust Technologies:
http://www.microsoft.com/resources/...3/all/techref/en-us/W2K3TR_sec_trust_over.asp
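A practical way to see what Ryan's last post describes, added here as an example and not something posted in the thread: list the Kerberos tickets currently cached on a client, flag the ones issued by a realm other than the user's own (the cross-domain service tickets that keep working only until they expire once the site link is down), and show how long each has left. It runs klist.exe on the local machine by default; the sample output below is constructed for illustration, and the domain names, host names and user name in it (ROOT.EXAMPLE.COM, CHILD.ROOT.EXAMPLE.COM, fs01, maurit) are made up.

```powershell
# Added example, not from the original thread. Parses klist output and
# reports per-ticket realm and remaining lifetime. Assumes a Windows host
# with klist.exe; timestamps are parsed in the current culture, as klist
# prints them.

function Get-KerberosTicketSummary {
    [CmdletBinding()]
    param(
        # Raw klist output. If omitted, klist.exe is run for the current logon session.
        [string[]]$KlistOutput = (& klist.exe),
        [datetime]$Now = (Get-Date)
    )

    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        # "#0>     Client: user @ REALM" starts a new ticket block
        if ($line -match '^#\d+>\s*Client:\s*(?<client>.+?)\s*@\s*(?<crealm>\S+)') {
            if ($current) { $tickets += $current }
            $current = [ordered]@{
                Client      = $Matches.client
                ClientRealm = $Matches.crealm
                Server      = $null
                ServerRealm = $null
                EndTime     = $null
                RenewTime   = $null
            }
        }
        elseif ($current -and $line -match '^\s*Server:\s*(?<spn>.+?)\s*@\s*(?<srealm>\S+)') {
            $current.Server      = $Matches.spn
            $current.ServerRealm = $Matches.srealm
        }
        elseif ($current -and $line -match '^\s*(?<which>End|Renew) Time:\s*(?<ts>.+?)\s*\(local\)') {
            $ts = [datetime]::MinValue
            if ([datetime]::TryParse($Matches.ts, [ref]$ts)) {
                if ($Matches.which -eq 'End') { $current.EndTime = $ts } else { $current.RenewTime = $ts }
            }
        }
    }
    if ($current) { $tickets += $current }

    foreach ($t in $tickets) {
        $remaining = $null
        if ($t.EndTime) { $remaining = [math]::Round(($t.EndTime - $Now).TotalMinutes) }
        [pscustomobject]@{
            Server       = $t.Server
            ServerRealm  = $t.ServerRealm
            # A service ticket issued by a different realm than the client's
            # came via a trust path; it survives a severed link only until EndTime.
            CrossRealm   = ($t.ServerRealm -ne $t.ClientRealm)
            IsTgt        = ($t.Server -like 'krbtgt/*')
            EndTime      = $t.EndTime
            RenewTime    = $t.RenewTime
            RemainingMin = $remaining
        }
    }
}

# Constructed sample in klist's layout (US date format); not real output.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: maurit @ ROOT.EXAMPLE.COM
        Server: krbtgt/ROOT.EXAMPLE.COM @ ROOT.EXAMPLE.COM
        Start Time: 3/10/2024 8:00:00 (local)
        End Time:   3/10/2024 18:00:00 (local)
        Renew Time: 3/17/2024 8:00:00 (local)

#1>     Client: maurit @ ROOT.EXAMPLE.COM
        Server: ldap/dc01.root.example.com @ ROOT.EXAMPLE.COM
        Start Time: 3/10/2024 8:00:05 (local)
        End Time:   3/10/2024 18:00:00 (local)
        Renew Time: 3/17/2024 8:00:00 (local)

#2>     Client: maurit @ ROOT.EXAMPLE.COM
        Server: cifs/fs01.child.root.example.com @ CHILD.ROOT.EXAMPLE.COM
        Start Time: 3/10/2024 9:15:00 (local)
        End Time:   3/10/2024 18:00:00 (local)
        Renew Time: 3/17/2024 8:00:00 (local)
'@ -split "`r?`n"

# With -Now fixed at 16:00 the cifs ticket for the child domain shows as
# CrossRealm with 120 minutes left; drop -KlistOutput/-Now to inspect the
# live cache on this machine.
Get-KerberosTicketSummary -KlistOutput $sample -Now ([datetime]'2024-03-10T16:00:00') |
    Format-Table Server, ServerRealm, CrossRealm, IsTgt, RemainingMin -AutoSize
```

The ticket lifetime itself is not something the client chooses: it is set by the Kerberos policy of the issuing domain (the "Maximum lifetime for service ticket" and "Maximum lifetime for user ticket" settings in the Default Domain Policy), so the testing Ryan suggests means changing those settings on the domain that issues the tickets and then watching EndTime on the clients with a tool like this one.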