What is the best way to administer two separate forests?

Sam

Hi,

We're in a situation where we will be in charge of at least one other
network within the same building. We want to keep our Windows 2003
domain/forest completely separate and independent with its own subnet
10.1.x.x and ISA Server but we have to do 2 things:

1. Maintain our client's network so we need to be able to get into their
network w/ admin rights whenever we need to. As a matter of fact, their
equipment will physically be in our office. They have their own Windows 2000
forest, subnet -- 10.10.x.x -- and ISA Server, etc.

2. Use their router and T1s for our Internet connection as well. So the
outside IPs of our ISA Server and their ISA Server will be in the same
subnet.

What is the best and most cost effective way to set this up?

Thanks

Sam
 
Steven Umbach

Since the equipment will be in your office it would make sense to have a domain
computer for their domain available to you connected to their subnet. Just make
sure that it is hardened and physically secured to some degree as you will be
logging onto it with domain admin credentials. You could configure that computer
to access one of their domain controllers using Terminal Services remote
administration or installing Adminpak on that computer to administer the domain.
Another option would be to use one of your computers to use TS remote
administration to access their domain through the ISA servers, though that would
require configuration on their end to allow port 3389 access to the proper
computer on their lan. It would also open a hole in their firewall unless they
have a vpn connection you can go through. I would not recommend opening port
3389 on their end unless you configure their firewall to only accept port 3389
connections from your public IP address in order to reduce hacking attempts.


Should be no problem using their router and internet access. The ISA servers
will not allow uninitiated inbound access to each others public IP address
unless they are configured to allow it. --- Steve
 
Sam

We're also going to be maintaining our client's Exchange, SQL and some other
apps.

So we need to get into their network and do things comfortably. What do you
think is the best way for us to almost live in their network? I guess we could
keep a workstation in their network that we can physically use.

Just trying to figure out the most effective and comfortable way to handle
this.

Thanks,

Sam
 
Steven L Umbach

Hi Sam.

I think it makes sense to have a workstation on their domain/network. You bring up
the point about separate forests/subnets which tells me you probably don't want to go
into creating trusts between the forests, etc. The workstation does not need to be
fancy and you could share another monitor/keyboard/mouse from another computer via a
KVM switch if you want to save some space and money. If you go that route, I would
consider allowing only those who should administer the other domain to logon to it
using security policy user rights assignment - log on locally. --- Steve
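The two hardening points Steve raises for that shared workstation (don't leave TCP/3389 open to the world, and restrict who may log on to the box at all) can be applied from the command line. The script below is an added example, not something from the thread or from Microsoft's documentation. It uses PowerShell to drive the tools of that era (`netsh firewall`, the Windows XP SP2 / Server 2003 SP1 firewall context, and `secedit` security templates). It assumes our LAN is 10.1.0.0/16 as Sam describes, and the client-domain NetBIOS name CLIENTDOM, the group "Forest Admins" and the scratch directory C:\temp are hypothetical values.

```powershell
# Added example, not from the thread. Hypothetical values: the client domain's
# NetBIOS name CLIENTDOM, a group "Forest Admins" holding the few people who may
# use this box, and our internal subnet 10.1.0.0/16 from Sam's description.
# Run elevated on the admin workstation that sits on the client's 10.10.x.x LAN.

$AdminGroup = 'CLIENTDOM\Forest Admins'     # hypothetical group name
$OurSubnet  = '10.1.0.0/255.255.0.0'        # our LAN, as routed to the client LAN
$WorkDir    = 'C:\temp'                     # scratch location for template/db/log
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Host firewall: keep the firewall on and let TCP/3389 in only from our
#    subnet, on every profile. This is defence in depth behind whatever ISA
#    publishes; it does not replace the source-IP restriction Steve wants on
#    the client's own firewall.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall add portopening protocol=TCP port=3389 name="RDP from admin LAN only" mode=ENABLE scope=CUSTOM "addresses=$OurSubnet" profile=ALL

# 2. User rights: only the admin group (plus local Administrators, so we cannot
#    lock ourselves out) may log on locally or over Remote Desktop. secedit
#    REPLACES the whole assignment list for each right, so every principal that
#    should keep a right must be listed. *S-1-5-32-544 is the well-known SID of
#    BUILTIN\Administrators; a workstation's default list also contains Users,
#    Power Users, Backup Operators and Guest, which this template drops.
$TemplateFormat = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,{0}
SeRemoteInteractiveLogonRight = *S-1-5-32-544,{0}
'@
$Template = $TemplateFormat -f $AdminGroup

$Inf = Join-Path $WorkDir 'adminlogon.inf'
$Db  = Join-Path $WorkDir 'adminlogon.sdb'
$Log = Join-Path $WorkDir 'adminlogon.log'
# Security templates are UTF-16, hence -Encoding Unicode.
Set-Content -Path $Inf -Value $Template -Encoding Unicode
secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS /log $Log

# 3. Verify: export the effective user rights and show the two we changed.
$Check = Join-Path $WorkDir 'current.inf'
secedit /export /cfg $Check /areas USER_RIGHTS | Out-Null
Select-String -Path $Check -Pattern 'SeInteractiveLogonRight|SeRemoteInteractiveLogonRight'
```

The same "log on locally" restriction can of course be set through the Local Security Policy MMC that Steve refers to; the template form is useful because it can be re-applied after someone changes the policy by hand, and the exported `current.inf` gives a file to compare against during periodic review of the box.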
 
Sam

Hi Steve,

First, thanks for your responses. I appreciate you taking the time to answer
my questions.

Now that you mentioned a trust relationship, it actually makes sense to do
that. We are very intimate with our client. We also do a lot of application
development and SQL Server management for them.

So it's very important for us to be comfortable while we work. For example,
our SQL Server guy should be able to access our client's SQL Server using
his workstation. He should be able to just use SQL Server Enterprise Manager
to pull up client's SQL Server and be able to create tables, etc.

Same thing applies to everyone in my company. We also manage our client's
Exchange server. We even do data entry for them. Like I said, the goal is to
keep our network separate AND protected but in the meantime, certain
individuals in my company/network should be able to tap into the client's
network and network resources i.e. Exchange, SQL Server, applications, etc.
for them to be able to do their work.

Do you think a one-way trust relationship is the way to go? What about
routing? Again, physically, we are in the same building, same wiring, same
switches. We will just have a separate logical network with a separate
forest. How would we tap into our client's network in a one way trust
relationship scenario? For instance, how would the SQL guy see our client's
SQL Server in his Enterprise manager if he's on a separate
domain/forest/subnet considering that our client's domain/forest trusts our
domain/forest.

Thanks for your help Steve.

Sam
 
Steven L Umbach

Hi Sam.

If you are going to have a number of users requiring access to the other forest, then
yes a one way trust would make sense where you are the trusted domain and they are
the trusting domain. I hesitate to recommend the best way to interconnect your
networks without having more experience on that end with larger networks. You may
want to post in the win2000.ras_routing newsgroup and win2000.active_directory for
more opinions on that. Usually a router [possibly a Windows box with two nics] would
be the solution interconnecting the internal lans but since you say you are using
switches/logical networks there may be an easier way or even through the ISA servers
since you are on the same external subnet. Gateways will have to be configured on
clients/routers possibly so that traffic to the other domain gets sent there and back
and not out to the internet router.

Setting up the trust will require that the domains have dns name resolution between
them with either the use of "stub" zones or your dns servers in each domain also
being secondary dns servers for the opposite domain. If you are using wins for
network browsing, then configure the wins servers to be replication partners with the
wins servers in the other domain and make sure the domain controllers are also wins
clients. After the trust is set up you can add the appropriate users from your domain
to the appropriate groups in the other domain. The link below may be helpful on
setting up trusts and you may also try an lmhosts file for domain authentication if
you have trouble establishing the trust. --- Steve


http://www.microsoft.com/resources/...roddocs/en-us/domadmin_n_UnderstandTrusts.asp
http://tinyurl.com/2nbaf --- same link as above in case of wrap
http://support.microsoft.com/default.aspx?scid=kb;en-us;180094 -- lmhosts
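The sequence Steve lays out (cross-domain DNS resolution, WINS replication, the one-way trust, a route between the two LANs, then group membership on the client side) can be scripted with the command-line tools that ship with Windows 2000/2003 and the support tools. The block below is an added example, not code from the thread or from the linked Microsoft articles. It uses PowerShell to call `dnscmd`, `netsh wins`, `netdom`, `nltest`, `route` and `net`, and assumes it is run from a Windows Server 2003 machine with the support tools installed and with administrative credentials in both domains. All domain names, NetBIOS names, addresses and group names are constructed for the example; the gateway 10.1.0.1 stands for whichever device ends up routing between the two LANs.

```powershell
# Added example, not from the thread. Constructed names and addresses:
#   our 2003 domain    ours.example   (NetBIOS OURS)   DC/DNS/WINS at 10.1.0.10
#   client 2000 domain client.example (NetBIOS CLIENT) DC/DNS/WINS at 10.10.0.10
#   10.1.0.1 = the hop on our LAN that reaches 10.10.0.0/16 (router, dual-NIC
#   Windows box or the ISA server, whichever Sam settles on).
# Run from a 2003 box with the support tools, using admin credentials in both
# domains; each tool is told which server to act on.

$OurDomain    = 'ours.example';   $OurDc    = '10.1.0.10'
$ClientDomain = 'client.example'; $ClientDc = '10.10.0.10'
$OurGateway   = '10.1.0.1'

# --- 1. DNS: each side must resolve the other's domain before the trust can
#        be created. Our 2003 DNS can hold a stub zone (SOA/NS/glue only); the
#        client's Windows 2000 DNS has no stub zones, so it gets a full
#        secondary copy instead, which is Steve's second option. Both forms
#        are zone transfers, so each master must allow transfers to the other.
dnscmd $OurDc    /ZoneAdd $ClientDomain /Stub      $ClientDc
dnscmd $ClientDc /ZoneAdd $OurDomain    /Secondary $OurDc
dnscmd $OurDc    /ZoneResetSecondaries $OurDomain    /SecureList $ClientDc
dnscmd $ClientDc /ZoneResetSecondaries $ClientDomain /SecureList $OurDc

# --- 2. WINS: make the two WINS servers push/pull partners (type=2 means
#        both directions). The DCs themselves must also be WINS clients;
#        that is set on each DC, e.g.
#        netsh interface ip set wins name="Local Area Connection" source=static addr=10.1.0.10
netsh wins server \\$OurDc    add partner "server=$ClientDc" type=2
netsh wins server \\$ClientDc add partner "server=$OurDc"    type=2

# --- 3. The trust: one-way EXTERNAL trust (a 2000 forest cannot take part in
#        a forest trust) in which CLIENT trusts OURS. Our users can then be
#        granted rights there while nothing from their side is trusted on ours.
#        /PasswordD:* and /PasswordO:* prompt instead of putting secrets on the
#        command line. Account names are hypothetical.
netdom trust $ClientDomain /d:$OurDomain /add /UserD:OURS\Administrator /PasswordD:* /UserO:CLIENT\Administrator /PasswordO:*
# Keep SID filtering ("quarantine") on so that only SIDs issued by OURS are
# honoured across the trust. 2003 turns it on for new external trusts by
# default; stating it explicitly documents the intent.
netdom trust $ClientDomain /d:$OurDomain /quarantine:Yes /UserO:CLIENT\Administrator /PasswordO:*
netdom trust $ClientDomain /d:$OurDomain /verify
nltest /domain_trusts

# --- 4. Routing: our machines need a route to 10.10/16 that does not go to the
#        ISA default gateway. On one of our workstations (persistent route):
route -p add 10.10.0.0 mask 255.255.0.0 $OurGateway metric 1

# --- 5. Authorisation on the client side (run on a CLIENT domain controller):
#        put our global groups into their domain local groups rather than
#        handing out Domain Admins. Group names are hypothetical.
net localgroup "SQL Admins" "OURS\SQL Team" /add
```

Order matters: steps 1 and 2 must work in both directions before `netdom trust /add` will succeed, which is exactly the situation in which Steve's LMHOSTS fallback becomes useful. The `/quarantine:Yes` line is the one security-relevant switch to keep an eye on: if the trust is ever recreated with SID filtering off, group SIDs from outside OURS could be carried across the trust in our users' tokens.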
 
Sam

Hi Steve,

Thanks for the detailed answers. I do like the idea of using ISA boxes for
routing purposes also. I'll post some questions on ISA newsgroups also. This
would eliminate the need for a separate router or Windows box that acts as a
router.

I got a lot of ideas from your responses and do appreciate your help very
much. Thanks so much.

Sam


Steven Umbach

Hi Sam.

OK. I have not spent much time with ISA, but you might want to look into the
possibility of configuring the ISA servers to have an ipsec tunnel between the
two networks/domains and whether or not that would be feasible. Good luck. ---
Steve


Sam

Thanks Steve... I might come back for some more questions...

Sam
