users at remote office cannot access shared dirs in main office...

PinkCrib

background:
2 DCs in the main office with domain name "company.com".

1 DC in the remote office with local domain name "company.local".
Users at the remote office authenticate locally.

Full T1 internet at both locations, which are connected with a VPN tunnel.

problem:
Users at the remote office are unable to access the shared folders at the main
office. When they try to do it, the user account gets locked out.

I am told to rebuild all the servers and create a sub-domain for the remote
office. However, that is not possible for us right now.
Is it possible to change the remote domain "company.local" to
"remote.company.com" and solve the problem?

Thanks
calvin
 

Cary Shultz [A.D. MVP]

PinkCrib,

Why do you need a sub-domain for the remote office(s)? This usually makes
little sense. The key word being *usually*. Simply make use of Active
Directory Sites and Services, create a second site ( for the other office ),
create the appropriate Subnet ( for the 'remote' location ) and associate
that Subnet with the correct Site! And make sure that you have a
Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
have a private T1 or whatnot connecting the two Sites ).

Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
Services. And there is nothing wrong with that! This is one of the many
benefits of the news groups.

Is there a specific business requirement for the sub-domain?

Usually when you have a sub-domain ( well, what you have actually is two
separate WIN2000 Forests ) there is a trust in place. The trust simply
makes resources in one domain available to users in another domain.
However, you still need to make sure that the Share and NTFS Permissions are
correct. Even with the trust in place if the permissions are not there then
there will be no access to the resources.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 

PinkCrib

Cary,
Thanks for the reply. What I am trying to accomplish here is merely to make
sure users at the remote office(s) can access the shared folders/files in the
main office.

I thought creating a sub-domain was the best practice when you have multiple
sites, and yes, we expect to add one or two more satellite offices down the
road, and we might need to access all the network shares across those
offices.

Currently we do have a Firewall-to-Firewall VPN between the two Sites and, like
you said, they are two separate Win2K forests (which I think we didn't do
right at the beginning).

So, how exactly do we need to accomplish our goal? Set up a trust between the
two domains?

Thanks again.

Calvin
 

Cary Shultz [A.D. MVP]

Calvin,

please see comments in-line....

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



PinkCrib said:
Cary,
Thanks for the reply. What I try to accomplish here is merely make sure
users at remote office(s) can access the shared folders/files in the main
office.

Okay, that is clear enough and more than simple enough.
I thought creating sub-domain is the best practice when you have multiple
sites, and yes we expect to add one or two more satellite offices down the
road, and we might need to access all the network shares across those
offices.

This should be no problem at all. Simply create a Site for each new
location in the Active Directory Sites and Services MMC. Create a Subnet
for each location ( for example, Roanoke would be 192.168.1.0, Richmond
would be 192.168.10.0, Blacksburg would be 192.168.20.0 and Raleigh would be
192.168.30.0 ) and associate that Subnet with the correct Site. Then it is
as simple as setting up a Domain Controller in each Site ( make sure that
the DC has the appropriate IP Address! ). Since this would all be
'yourdomain.com' there would be no problem accessing shared folders at all!
Well, assuming that the share and NTFS permissions are correct -AND- that
you are not talking about huge files ( like PowerPoint or Excel ). Then
there will be delays, possibly even timeouts....depending on the bandwidth
of the links.

Creating Sites essentially does two things: controls Active Directory
replication and assists in logging in. You see, the way that it is supposed
to work in multi-site environments is that the 'local' clients ( let's use
Richmond for this example ) are supposed to authenticate against the 'local'
Domain Controller ( so, against RIC-DC01, for example ). Only if that
'local' DC were not available would the local clients authenticate against a
Domain Controller in another Site ( 'not available', by default, means that
RIC-DC01 does not respond within 100 milliseconds ).

I am not sure that I have read anything stating that setting up a sub-domain
for each location is a Best Practice. Do you have a link to this, or - as I
think - are you just going from what you think that you remember? Not a
problem if that is the case. There is a lot to know and it all kinda gets
convoluted at times.

Do some research on 'Branch Offices'. There are some really good articles
out there about how to best set this up. Microsoft even has a White Paper
on this.

Currently we do have a Firewall-to-Firewall VPN between the two Sites and, like
you said, they are two separate Win2K forests (which I think we didn't do
right at the beginning).

Well, it is a very good thing that there is a Site-to-Site VPN between the
two locations. While I cannot say for sure that you did not set things up
correctly in the beginning, based on what you are telling us that you
want / need, I would say that you did indeed have some configuration errors.
That is okay. We can fix this.

So, how exactly do we need to accomplish our goal? Set up a trust between the
two domains?

Well, setting up a trust between these two Forests might be a short cut, but
not what I think that you really want to do ( especially if the possibility
exists that you will have more 'branch offices' ).

Here is the big picture: I would dcpromo the existing Domain Controller (
company.local ) and then format that partition and install WIN2000 all over
again. Once you have set up the Site in Active Directory Sites and Services
in the main office and associated the Subnet with that Site I would make
sure that the WIN2000 Server has the correct IP Address. I would then run
dcpromo, simply adding an additional Domain Controller to an existing
Domain. I would make sure that this DC is also a Global Catalog Server. I
would make sure that this DC also runs DDNS and DHCP. I would make sure
that I then restored ( from back up or, if located on a different partition,
maybe you do not need to worry about this ) all of the user files and
folders ( understanding that the permissions are not going to work! ) are
available. I would then fix this problem.

Now, the biggest problem is that this office ( company.local ) has its own
set of user account objects. I would look into ldifde to bring all of those
user account objects to an .ldf file and then put that .ldf file on a floppy
( as well as somewhere else ). Then, once you have the Site set up and have
run dcpromo ( to join an additional Domain Controller to an existing Domain
as mentioned above ) I would import those user account objects back ( but
you will have to change the dc=company, dc=local for each user to
dc=company, dc=com.....this should be really really easy in
Notepad.....Also, make sure that you have the correct location....meaning,
if you have an OU called Employees and then have sub-OUs called Marketing
and Sales then the user account objects are going to have DNs that look
something like this:

DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=local
DN: CN=Clavin Pink, OU=Marketing, OU=Employees, DC=company, DC=local

Naturally, you will change this DC=local to DC=com. So, the DNs would look
like this:

DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=com
DN: CN=Clavin Pink, OU=Marketing, OU=Employees, DC=company, DC=com

When you import the .ldf file you need to make sure that the OU 'Employees'
does indeed exist and that the sub-OUs 'Sales' and 'Marketing' exist. If
this is how things are in the company.com domain then everything is okay.
If this is not how things are then you either need to change the DN: to
reflect how it is ( maybe it is simply CN=Cary Shultz, CN=Users, DC=company,
DC=com ) or you need to create those OUs. Then import the .ldf file to
create the user account objects.

Is this clear?

Then give it time to replicate. Also, you will need to make sure that you
have added the 'new' Site to the DEFAULTIPSITELINK which is located in the
Active Directory Sites and Services MMC.....The Site Link is pretty much the
only thing that you need to do as far as this stuff is concerned. The KCC
with its buddy the ISTG will take care of the rest for you....by default.
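A small script for the ldifde export-and-rewrite step Cary describes, added here as an example and not part of the thread: it rewrites the DC=company,DC=local suffix to DC=company,DC=com in an .ldf export, drops the directory-owned attributes an import would reject, and reports any object whose parent OU does not exist in the target domain. The sample .ldf and the list of target containers are constructed; the attribute set is an assumption for illustration.

```python
import re

# Assumed source/target suffixes, taken from the DNs quoted in the thread.
OLD_SUFFIX, NEW_SUFFIX = "DC=company,DC=local", "DC=company,DC=com"
# Directory-owned attributes that an ldifde import rejects; they are dropped.
SYSTEM_ATTRS = {"objectguid", "objectsid", "whencreated", "whenchanged",
                "usncreated", "usnchanged", "distinguishedname", "memberof"}
# Constructed sample export (not real data), folded the way ldifde writes it.
SAMPLE_LDF = """\
dn: CN=Cary Shultz,OU=Sales,OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
manager: CN=Clavin Pink,OU=Marketing,OU=Employees,
 DC=company,DC=local

dn: CN=Clavin Pink,OU=Marketing,OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
"""

def _swap_suffix(value):
    """Replace the old domain suffix at the end of a DN, case-insensitively."""
    if value.lower().endswith(OLD_SUFFIX.lower()):
        return value[:-len(OLD_SUFFIX)] + NEW_SUFFIX
    return value

def rewrite_ldif(ldif_text, target_containers):
    """Return (rewritten LDIF text, DNs whose parent container is missing)."""
    known = {c.lower() for c in target_containers}
    out, missing = [], []
    # LDIF folds long values onto a following line that starts with one space.
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:                      # blank line or comment: pass through
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if attr.lower() in SYSTEM_ATTRS:
            continue
        if sep == ":":                 # plain value (not base64), may be a DN
            value = _swap_suffix(value)
        if attr.lower() == "dn":       # assumes no escaped commas in the RDN
            parent = value.split(",", 1)[1]
            if parent.lower() not in known:
                missing.append(value)
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n", missing
```

Feed the rewritten text to ldifde -i only once the missing list is empty, i.e. after the OUs it names have been created in company.com.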
 

Cary Shultz [A.D. MVP]

Forgot to mention that you will also have to join all of the computers to
the 'new' domain. This will mean either that you sit at each one and
manually do it or that you look at netdom to do this for you. netdom is a
utility that you get when you install the Support Tools. I would do this on
all of my Domain Controllers!

You will then have to log on as each user as well to create the profile. You
can easily copy the user profile from 'company.local' over to the user
profile for 'company.com' through the Windows Explorer ( you will need to be
a member of the local Administrators group on the specific machine to do
this, though ). There will almost always be minor 'problems' with
this...mostly cosmetic, though.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 

Cary Shultz [A.D. MVP]

Okay,

Brain-Fart! You might want to consider using ADMT v2. This will help you
with the computer account migration / user profile problem! Sometimes (
well, usually! ) I need to think before I write! Sorry for the oversight.

So, make sure that there is a trust between the two. The Source Domain (
HQ ) will need to be in Native Mode. Do your thing with ADMT v2. Make sure
that everything is okay. dcpromo the remote office DC to member server.
dcpromo to DC ( as an additional DC in an existing Domain ).....

It is your choice!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 

PinkCrib

Cary,
Wow!! Let me start by saying "Thank you!"
Thank you for all your detailed information and your times. It's really
really helpful to me.

After reading your reply, I understand at least that we need to rebuild the
domain at the remote office to accomplish our goal.

However, the IT vendor that I'm working with is pushing us to rebuild the
whole domain, including both main and remote locations, to use company.local
instead of company.com. I'm still trying to figure out the best solution for
us. Thanks again!

Regards
calvin
 

Cary Shultz [A.D. MVP]

Calvin,

You are welcome.

Regarding 'company.com' vs. 'company.local' - this is pretty much a moot
point. If you look through this news group - as well as through the DNS
news group - you will see that this is a hotly contested topic with lots of
good reasons on both sides. I would say for the sake of simplicity to use
'company.com' for both your internal and external names space.


--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
