Subsidiary integration into current domain structure.

Guest

Hi, we have a W2K AD/Domain infrastructure. See below:

xyz.com (root) (forest)

eu.xyz.com, ap.xyz.com, us.xyz.com (sub domains)

We run the following services for these domains:
Email- E2K, plus archiving etc
Good Mobile Treo Services
File and Printing etc
DNS/WINS/DHCP

Our company has set up a subsidiary company who needs:
A separate domain
Unique email address
Fileserver
Good services (Treo)
Archiving etc

Any suggestions for this domain setup?

Thanks

Hartley
 
Cary Shultz [A.D. MVP]

Have you considered another domain tree in the forest? Something like
'yourdomain.com' for the subsidiary. So, it is a member of the xyz.com
forest but it is another tree. Essentially, you would have two trees in the
forest.

Now, does the subsidiary need to be a 'security boundary'? If that is the
case then you would need another forest!

Is there any reason why you have sub-domains instead of having made use of
Sites ( in Active Directory Sites and Services ).

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Jorge_de_Almeida_Pinto

Cary Shultz A.D. M said:
Have you considered another domain tree in the forest? Something like
'yourdomain.com' for the subsidiary. So, it is a member of the xyz.com
forest but it is another tree. Essentially, you would have two trees in the
forest.

Now, does the subsidiary need to be a 'security boundary'? If that is the
case then you would need another forest!

Is there any reason why you have sub-domains instead of having made use of
Sites ( in Active Directory Sites and Services ).

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

What is the main reason to create an additional domain?

Would an OU in one of the existing domains be enough?

In my opinion, if you want to use separate e-mail addresses you could
create a new recipient policy within Exchange that only applies to
those users. There is no need to create an additional domain just for
the separate e-mail addresses.

Cheers
 
Guest

Hi all, thanks for replying.

The request has changed now, we need to include this company within our
existing sub-domain.

Are you aware of any good articles that describe the process involved?
They need a unique email address and possibly their own file server.

Thanks

Hartley
 
Cary Shultz [A.D. MVP]

Another very good way to do this. And most probably a much better way.
This is the way that I would do it! I was going to answer along these lines
but wanted to find out - as per my ending questions - why the original
poster was using multiple sub-domains in the first place....maybe there are
different password requirements? Who knows. Looks like we still do not...

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Guest

No different password requirements.

Like always the needs change daily.

Looks like the different OU might be an option.

How would one limit their access to the GAL?
 
Cary Shultz [A.D. MVP]

Hman,

see comments in-line......

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Hman said:
No different password requirements.

That is one of the major reasons for having 'multiple' domains. Not the
only one, but one of ( if not the ) biggest reasons. You mentioned
political reasons. Sometimes this can not be avoided. However, if the IT
people can effectively communicate the pros and cons that may be
averted......

Here is a good link for designing WIN2000 AD environments...

http://www.microsoft.com/technet/pr...chnologies/activedirectory/plan/w2kdomar.mspx

Like always the needs change daily.

Only poor management and / or planning will allow this. This is very
typical of what I call 'reactionary management'. If there is a solid plan
in place or if there is a solid management team in place then the needs do
not change daily. And I am not criticising you. You see it all the time.
The cause of this is usually people who have passed their level of ability
holding positions of power ( read: Peter Principle ).

Looks like the different OU might be an option.

Probably would have been a really good solution before the sub-domains were
created. Now, it is probably a moot point. What normally happens when you
have one domain ( yourdomain.com ) that is really comprised of several
divisions or departments or companies ( or whatever ) is that you create an
OU for each division or department or company. All of the objects for that
division / department / company will be placed in that OU. Naturally, if it
fits your scheme, you can have nested OUs ( maybe one for the computer
account objects and one for the user account objects....this is one of many
many many possible situations ). You can delegate certain tasks to specific
groups inside of each OU ( so the help desk in companyA can reset the
password for the user account objects in *O*N*L*Y* companyA ). There are a
lot of possible scenarios for delegation.

Now, why do you do this? There are many reasons. The big two are that 1)
you cut down on Administrative Overhead and that 2) you cut down on hardware
/ software costs ( you need at least one Domain Controller for each domain
that you have.....there are two costs associated with that: the hardware and
the software ).

Since you have already set up the multiple sub-domains ( so, to go with the
example that I gave above - one for each division in your company, for
example ) using OUs may not make much sense. It might be worth considering
to change. But, this is usually a really difficult thing to
do.....especially given the 'political reasons' for your current set up.
Whatever those might be....

How would one limit their access to the GAL?

The GAL that is available is the 'default global address list'. You can
create different global address lists and make sure that the permissions are
properly set. You might want to post this question in the Exchange Admin
news group....

HTH,

Cary


This would be a question better suited for the Exchange Admin news group.
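
The per-OU delegation described in the reply above (a help desk that can reset passwords only for its own company's users) comes down to a single access control entry on the OU. The following is an added example, not part of the original thread: it assumes a current ActiveDirectory PowerShell module rather than Windows 2000 tooling, and the OU path and group name are hypothetical.

```powershell
# Added example: delegate "Reset Password" on one OU only.
# Assumptions (not from the thread): the OU path and the group name are hypothetical.
Import-Module ActiveDirectory   # provides Get-ADGroup and the AD: drive

$ouDn      = 'OU=CompanyA,DC=eu,DC=xyz,DC=com'   # hypothetical OU for the subsidiary
$groupName = 'CompanyA-Helpdesk'                 # hypothetical help-desk group

# Well-known schema GUIDs (identical in every forest)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003044e2'  # user object class

$sid = (Get-ADGroup -Identity $groupName).SID

# Allow ACE: extended right "Reset Password", applied to descendant user objects only,
# so it never reaches computer or group objects, or anything outside this OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: list every ACE the group now holds on the OU, to confirm nothing broader was granted
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

Because the entry is set on the OU and scoped to user objects beneath it, moving an account out of the OU removes the help desk's ability to reset its password.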
 