Windows 2000 Multiple Domain Trees in a Single Forest


I am working with Windows 2000 Advanced Server and having
difficulties trying to obtain any "how-to" documentation for my
lab-testing.

Currently I am running a network with IIS and Exchange 2000. I am
hosting three separate domains:

a.com
----------
Users (Member-of): Bob([email protected]) , Cathy([email protected])

b.com
---------
Users (Member-of): Jack([email protected]), Sally([email protected])

c.com
----------
Users (Member-of): Bono ([email protected])

I wish to integrate all of three domains into the Active Directory
structure in order to offer users of each domain e-mail services (and
hopefully in the near future OWA), as well as to take advantage of the
centralized administration.

Bono, Jack and Sally may not access the same resources as Cathy (file
shares / print servers, etc.).

Bob will administer the entire network with all three domains.

I am really unsure where to start. To date, I have figured out that
the system I am looking at uses multiple domain trees in a single
forest, however implementation is another thing all together. :)

Any help pointing me in the right direction would be greatly
appreciated.

Regards,

Owen
 

Marin Marinov

<snip>
Hi Owen,
I'd suggest you review the 'Designing and Deploying Directory and
Security Services' part of the Microsoft Windows Server 2003 Deployment
Kit:

http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx

Since in your case you're not looking for service isolation, i.e. Bob will
administer the whole forest, the best design would be creating a single
forest with 3 domains which will be in 3 different trees (as you already
observed ;). Having a single forest means having a single schema and a
common Global Catalog and Exchange extends the schema and uses the GC
extensively which will give you the option to have a common Exchange
server for all users.

Access to resources is governed by security permissions at the resource
itself so you can restrict it as you like. If you don't give anyone
except Cathy access to a file share, then only she can use it.

However, think very well whether you need more than one domain. Why do
you think you need three domains? It's not a preferred scenario and
you must have very specific needs to justify this. Again, by properly
securing resources with permissions and configuring the appropriate
groups and privileges you can achieve what you need with a single
domain. What is your end goal?

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 

Hi Marin,

First and foremost thank you for taking the time to respond to my
post.

I have taken the time to read the deployment kit, however as always I
seem to find that the instructional material speaks to the possibility
of multiple domain trees in a single forest, but never digs into it
deeper.

Similarly, my MCSE 2000 books also refer to the concepts, but do not
go so far as to provide methodology on implementation.

I think I am struggling as to how I would actually create this single
forest with 3 domains in AD; the concept is clear, but I can't find
where to implement.

I actually have 3 registered domains, which I administer together, but
are separate entities (webspace, e-mail, file stores). I also provide
hosting to several other domains on our network.

Previously I used FreeBSD to host other domains, and used my Windows
AD in a single domain tree model for my corporate domain.

Then one day a couple of weeks ago I thought to myself, wouldn't it be
nice to implement our network in AD / Win2k entirely to take advantage
of AD centralized administration, disk quotas, OWA, etc. for all
domains?

I am a little concerned that the only way I have found to accomplish
this task is by implementing a new PDC for each domain, and assigning
trusts and delegates. In terms of scalability, this could cost us too
many systems, when with negligible network traffic, these services
could, and should be combined to one PDC in my opinion.

So I've been doing some due diligence in attempts to figure out how
this is done. Thank you again. :)

I have managed to add A records, and IIS sites for hosting clients and
our domains, however I am realizing now that Exchange doesn't want to
play along. ;)

As you are probably well aware, Exchange walks hand in hand with AD;
something I'm not entirely used to trying to get around.

I would ultimately like to configure POP3, IMAP and SMTP support for
our domains, and to be accessed remotely by hosting clients.

So I hope I have offered enough information to you. I would appreciate
your feedback.

Best Regards,

Owen T. Soroke
(e-mail address removed)
 

Enkidu

See inline.

> Hi Marin,
>
> First and foremost thank you for taking the time to respond to my
> post.
>
> I have taken the time to read the deployment kit, however as always I
> seem to find that the instructional material speaks to the possibility
> of multiple domain trees in a single forest, but never digs into it
> deeper.

I'm not sure what else there is to say about domains, trees and
forests! The basic unit is a Domain, Domains are organised in
(hierarchical) trees and one or more trees makes a forest.

If you have a.domain.com and b.domain.com and the root is a.domain.com
then b.domain.com will be a second tree in the forest. If the root is
domain.com then both a.domain.com and b.domain.com can be domains in
the domain.com tree.

> Similarly, my MCSE 2000 books also refer to the concepts, but do not
> go so far as to provide methodology on implementation.

You make a domain, tree or forest by using dcpromo on a standalone or
member server, or during OS installation. If you already have an AD
domain with *only* a.domain.com in it, that is the root. You cannot
change an existing root domain without first destroying it.

If you then want to add b.domain.com you have to add it as the root of
a new tree. It can't be in the a.domain.com tree since it is not
hierarchically related to a.domain.com. However you can create a
subdomain called z.a.domain.com.

> I think I am struggling as to how I would actually create this single
> forest with 3 domains in AD; the concept is clear, but I can't find
> where to implement.

*If* the root is a.domain.com then b.domain.com, c.domain.com etc. all
*have* to be new trees in AD.

> I actually have 3 registered domains, which I administer together, but
> are separate entities (webspace, e-mail, file stores). I also provide
> hosting to several other domains on our network.
>
> Previously I used FreeBSD to host other domains, and used my Windows
> AD in a single domain tree model for my corporate domain.
>
> Then one day a couple of weeks ago I thought to myself, wouldn't it be
> nice to implement our network in AD / Win2k entirely to take advantage
> of AD centralized administration, disk quotas, OWA, etc. for all
> domains?
>
> I am a little concerned that the only way I have found to accomplish
> this task is by implementing a new PDC for each domain, and assigning
> trusts and delegates. In terms of scalability, this could cost us too
> many systems, when with negligible network traffic, these services
> could, and should be combined to one PDC in my opinion.

Every Domain *does* need a DC in AD. (PDC is an NT concept, though
there is still a PDC emulator function in mixed mode NT/2000 domains.)
You can't partition a DC in AD.

Although it would not be an efficient design, you could have a tree
(with one domain) for all your domains, and not have to set up trusts.

What this really means is that AD is not a good basis for building
your set up on. AD is designed for a hierarchical network and not for
a flat network like yours.

> So I've been doing some due diligence in attempts to figure out how
> this is done. Thank you again. :)
>
> I have managed to add A records, and IIS sites for hosting clients and
> our domains, however I am realizing now that Exchange doesn't want to
> play along. ;)
>
> As you are probably well aware, Exchange walks hand in hand with AD;
> something I'm not entirely used to trying to get around.
>
> I would ultimately like to configure POP3, IMAP and SMTP support for
> our domains, and to be accessed remotely by hosting clients.
>
> So I hope I have offered enough information to you. I would appreciate
> your feedback.

Exchange can be configured to serve multiple Domain names but best ask
an Exchange expert. All your clients would need to authenticate
against the Exchange server in its AD domain.

Cheers,

Cliff
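Cliff's placement rule (a contiguous DNS name joins an existing tree as a child domain; anything else must be the root of a new tree in the same forest, and a child's parent domain must already exist) as an added planning helper. This is example code written for this page, not anything posted in the thread; the forest root a.com and the b.com / c.com names come from Owen's post, the other domain names are constructed.

```python
"""Plan where each new Active Directory domain lands in a forest, using
the naming rule from the thread: a domain whose DNS parent already exists
joins that tree as a child; a name with no existing parent becomes the
root of a new tree (Windows 2000 creates the transitive tree-root trust to
the forest root automatically). Added example, not code from the posts.
Names other than a.com, b.com and c.com are constructed."""


def parent_of(name):
    """DNS parent: 'z.a.com' -> 'a.com'; a two-label name has no parent."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def plan_forest(forest_root, new_domains):
    """Return (tree_roots, placements) for a forest whose existing root is
    forest_root after adding new_domains in the order given.  A child whose
    parent is inside an existing tree but not yet created is reported as
    blocked, because dcpromo needs the parent domain to exist first."""
    existing = {forest_root.lower()}
    tree_roots = [forest_root.lower()]
    placements = {}
    for raw in new_domains:
        name = raw.lower()
        if name in existing:
            placements[name] = "already exists"
            continue
        parent = parent_of(name)
        if parent in existing:
            placements[name] = f"child domain of {parent}"
        elif parent is not None and any(parent.endswith("." + r) for r in tree_roots):
            placements[name] = f"blocked: parent {parent} must exist first"
            continue  # not created, so do not record it as existing
        else:
            placements[name] = "root of a new tree (tree-root trust to forest root)"
            tree_roots.append(name)
        existing.add(name)
    return tree_roots, placements


if __name__ == "__main__":
    # Owen's scenario: a.com is the forest root, b.com and c.com are added.
    roots, where = plan_forest("a.com", ["b.com", "c.com", "z.a.com", "q.w.a.com"])
    print("tree roots:", roots)
    for domain, place in where.items():
        print(f"{domain:12} -> {place}")
```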
 

Marin Marinov

<snip>
IIUC, you are concerned with maintaining 3 separate *web* domains for
publishing sites and e-mail, right? It's not a good idea to "mix" hosted
services with corporate services (even with other hosted services), it's
highly unlikely that the security needs of the two (or in this case 3)
will match. For example, if a machine in one domain is compromised your
whole domain and network can (and probably will) be compromised. If this
machine is a DC the effects can be devastating.

Anyway, if you're willing to sacrifice security vs. manageability then I
don't have much to add to what Cliff already said. You'll definitely
need at least one DC in each domain though it's a best practice to have
at least two for fault-tolerance. I'm definitely not the right person
to offer you an Exchange design, you'll have more luck in the exchange
newsgroups.

BTW, how many email clients are you looking at supporting per domain?
You can consider using the built-in POP3 service in Windows Server 2003
and it can come cheaper than buying Exchange and client licenses. It's
stand alone, you don't need AD, it can support multiple domains, etc.
Take a look at it:

What Is POP3 Service?
http://tinyurl.com/ypwhx

Comparing the POP3 Service in Exchange Server 2003 and Windows Server
2003
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/pop3exwn.mspx

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 

Cliff, Marin,

Thank you for your response. Cliff really answered my question in
saying that there is no efficient way to design this system using AD.

I guess I was looking for something that couldn't be done.

I have already purchased Exchange 2000 licenses as I use it currently
for our network that "is" conducive to AD design. I will however look
into your POP3 service with Windows Server 2003. I think I have a MSDN
copy of the OS.

For my remaining domains, I will continue with my original *nix system
until I figure out the details w/ exchange.

Thanks again,

Owen
 