<<Only 5 user accounts exist and these have full admin rights.  These accounts are required to start the SAP applications and are contained within the SAP app. for its built-in security.>>
 
Why in the world would you want to set up a separate domain to manage a different PW policy for your 5 user accounts in SAP? 
 
You might have had good reasons to implement a separate NT4 domain in the past, but it was more likely to ensure restricted access to your SAP servers - i.e. you didn't want other domain admins from your User-Domain to touch the SAP boxes... - right?
 
 
In that case, I would ask myself:
 
1. who will have administrative access to my "User"-AD domain in the future?
=> since you can delegate almost anything, you can restrict your domain admins in your upgraded Users Domain to the bare minimum
=> you should plan the delegation setup right from the start (even when doing an in-place upgrade)
 
2. are the domain admins of the User-Domains (the ones that are left after you've configured delegation of the AD data-mgmt) trustworthy to manage the SAP accounts & servers? 
=> if these domain admins are the same that manage your SAP environment, then you can simply give up the SAP domain and migrate the SAP servers over to a protected OU in the Users domain - absolutely no need to create a separate child-domain or domain-tree...  Just because you won't be able to set a different PW policy doesn't mean you can't configure the SAP accounts with 15-char complex passwords... - it's up to you to make the environment secure.
=> you will then save the costs of maintaining a completely separate domain and all the hassles involved with a multi-domain forest infrastructure.  No reason to plan a complex environment if you don't require it.
 
=> however, if you're talking about a situation where the user domain admins can't be trusted by the folks responsible for SAP, then stick to a separate forest, which will be the only way to isolate the two securely.  (Robbie Allen would have updated these details in the second edition of this really great book - but the first edition doesn't mention the security boundary topic.)
 
 
/Guido
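Guido's alternative (one users domain, SAP servers in a protected OU, the five SAP accounts hardened by hand because a single domain has only one password policy) looks like this in practice. This is an added example, not code from the thread or from any participant; it assumes the ActiveDirectory PowerShell module (which postdates the thread), and the domain DN, OU name and account names are placeholders. ACL delegation on the OU is left to dsacls or the Delegation wizard.

```powershell
# Added example, not from the thread: put the SAP servers and their five
# service accounts into a protected OU of the single users domain, and give
# those accounts long complex passwords by hand, since one Windows 2000-era
# domain has only one password policy.
# Assumes the ActiveDirectory PowerShell module (which postdates the thread);
# the domain DN, OU name and account names are placeholders.
Import-Module ActiveDirectory

$domainDn    = "DC=users,DC=dom"                                 # placeholder domain
$sapOuName   = "SAP"
$sapOu       = "OU=$sapOuName,$domainDn"
$sapAccounts = @("sapsvc01", "sapsvc02", "sapsvc03", "sapsvc04", "sapsvc05")  # placeholders

function Test-ComplexPassword {
    param([string]$Password, [string]$SamAccountName, [int]$MinLength = 15)
    # Mirrors the default AD complexity rule: at least three of the four
    # character classes, plus the account name must not appear in the password.
    if ($Password.Length -lt $MinLength) { return $false }
    if ($SamAccountName -and $Password -imatch [regex]::Escape($SamAccountName)) { return $false }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet (ambiguous glyphs removed) so that byte % 64 is
    # unbiased; bytes come from the platform CSPRNG. Retry until complex.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until (Test-ComplexPassword -Password $pw -MinLength $Length)
    return $pw
}

# 1. A protected OU keeps the SAP objects together and resists accidental deletion;
#    delegate rights on it to the SAP admins separately (dsacls or the Delegation wizard).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$sapOuName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $sapOuName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move each SAP account into the OU (SID and sAMAccountName are unchanged, so
#    SAP's hard-coded references still resolve) and reset it to a 20-char complex
#    password that never expires, so the domain's expiry policy cannot stop the
#    SAP services from starting.
foreach ($name in $sapAccounts) {
    $user = Get-ADUser -Identity $name
    if ($user.DistinguishedName -notlike "*,$sapOu") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $sapOu
    }
    $pw = New-RandomPassword -Length 20
    if (-not (Test-ComplexPassword -Password $pw -SamAccountName $name)) {
        throw "Generated password for $name failed the complexity check"
    }
    Set-ADAccountPassword -Identity $name -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Set-ADUser -Identity $name -PasswordNeverExpires $true -CannotChangePassword $true
    # Hand $pw to the SAP service configuration out of band; do not log it.
    Write-Host "$name moved to $sapOu and reset to a $($pw.Length)-char complex password"
}
```

The per-account flags do what Adam wanted from a separate policy (no forced expiry on the service accounts) without a second domain, while the 15-character floor and the complexity check are stricter than most domain-wide policies of the time; the new secrets still have to reach SAP's own service configuration, which is why the script never writes them out.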


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, 9 July 2004 15:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

ah, okay.  I have just bought a book called Windows 2000 Active Directory by Alistair G. Lowe-Norris from O'Reilly press.  I will get my head around all this once I have digested that book I guess.  I have been on the ADS course, but it was a long time ago and we all know that experience comes with practice!
 
thanks guys.
 
Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 09 July 2004 14:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

A child domain won't inherit the parent domain's password policy.  In fact, different security requirements are one of the primary reasons we are sometimes forced to go with another domain.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

I guess I got confused then!
 
As I understand it I don't want SAP to be a child of users as I don't want it to inherit any domain security policies like password expiration etc.  I get what you are saying with the child domain now though.
 
Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 July 2004 13:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

Define what you mean by
 
> want the SAP domain to have a separate security policy than the users domain. 
 
Using multiple trees in a single forest will not buy you anything that you don't get with a child domain in terms of security.
 
 
You have domains which are policy boundaries and you have a forest which is a security boundary. Domain trees offer no bounding other than namespace, and as I mentioned previously that bounding tends to cause confusion.
 
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

Hi Joe,
 
Thanks for your detailed email.
 
I want the SAP domain to have a separate security policy than the users domain. 
 
So I think I am going to go down to the two tree domain road.
 
So within my forest I have two tree domains.
 
              o
            /   \
          /       \
        /           \
 users.dom  <->  sap.dom
So therefore, between these two domains exists an automatic tree trust relationship, which means that any resource in the users domain can be accessed no problem from within the sap domain.
 
In the SAP domain I will never have Exchange servers.  The SAP domain runs SAP applications which run on their own database and environment.   Only 5 user accounts exist and these have full admin rights.  These accounts are required to start the SAP applications and are contained within the SAP app. for its built-in security.
 
Thanks Joe and Kenneth.
 
Adam

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 08 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

First off, you may want to look into what you can do with that SAP app in the future; your hands are bound in a bad way and at some point you will find yourself between a rock and a hard place for something due to it. If you guys wrote the SAP app, work on making it more flexible; if someone else wrote it, it should be configurable unless they wrote it specifically for you, which would be unusual I think.
 
Everything presented here would indicate a single forest with multiple domains is fine. Multiple forests with a single domain each would also be fine. From an Exchange viewpoint, I had multi-domain forests; things can get messy.
 
For the first option, you would have the option of a parent-child relationship or two trees. In almost all cases I recommend parent-child relationships (or root, child, child, child, x) because multiple tree deployments tend to confuse the heck out of most admins and support people, and there is already an issue with not a lot of people really understanding what is going on in AD. Most companies DO NOT test their apps in a multi-tree environment and I have seen apps that make assumptions on the naming and tree structures that assume non-disjoint naming and single trees. Also many documents that are written go that way as well, and many scripts.
 
For instance if you have two trees in your forest
 
domain1.com
 
and
 
domain2.com
 
And you read a document that says, well, if your domain is domain2.com then your config container is probably cn=configuration,dc=domain,dc=com, instead of saying go to the RootDSE and query for the configuration partition. This is slowly getting better but I still do tend to see mistakes like that. Your people supporting the environment would have to be on top of that.
 
From what I see here, I would probably do a two domain single tree single forest deployment. It is the simplest from several aspects. You would have your domain.com which is your main domain and then spin up the sap domain as a child so you get domain.com and sap.domain.com.
 
  joe
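Joe's point about scripts that derive the configuration container from the domain name, rather than asking RootDSE, can be shown directly. The following is an added example, not code from the thread or from any participant; it assumes a domain-joined Windows machine where ADSI can reach a domain controller, and the function names are my own.

```powershell
# Added example, not from the thread: find the configuration partition from
# RootDSE rather than deriving it from the domain name, which is the mistake
# Joe describes and which breaks in a multi-tree forest.
# Assumes a domain-joined Windows machine where ADSI can reach a DC.

function Get-ConfigurationNamingContext {
    # Every DC serves RootDSE, and its configurationNamingContext always names the
    # forest-wide Configuration partition, whichever tree this DC's domain is in.
    $rootDse = [ADSI]"LDAP://RootDSE"
    return [string]$rootDse.configurationNamingContext
}

function Get-GuessedConfigurationNamingContext {
    # The anti-pattern: glue "CN=Configuration" onto the local domain's DN.
    # Correct only when this domain is the forest root; wrong for domain2.com
    # in a forest whose root is domain1.com.
    $rootDse = [ADSI]"LDAP://RootDSE"
    return "CN=Configuration," + [string]$rootDse.defaultNamingContext
}

$real    = Get-ConfigurationNamingContext
$guessed = Get-GuessedConfigurationNamingContext
"RootDSE configurationNamingContext : $real"
"Guess built from the domain name   : $guessed"
if ($real -ne $guessed) {
    Write-Warning "This domain is not the forest root tree; scripts that build the config DN from the domain name would bind to a container that does not exist."
}

# Bind the right way and list the sites as a sanity check that the DN is live.
$sites = [ADSI]"LDAP://CN=Sites,$real"
$sites.psbase.Children | ForEach-Object { $_.psbase.Name }
```

Run from a machine in the forest root's tree the two values agree, which is exactly why the shortcut survives testing; run from a machine in a second tree (sap.dom beside users.dom, in Adam's diagram) the warning fires, and that is the support burden Joe is warning about.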
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Thursday, July 08, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2 NT4.0 domains to a Forrest

Hi,
 
I'm planning to upgrade my NT4.0 domains to Windows 2000.  I have NT domains that have two-way trusts to each other. 
 
The first domain is where all my users, printers, file servers and mail servers are, and the second domain is just where my SAP applications run.  My SAP servers are completely dependent on the SAP domain to start the services and it is hard coded which accounts from that domain can start them, therefore I must maintain the domain logon, SID and account name.  The SAP domain requires the use of printers and file servers from the user domain.
 
I am making a migration plan where I intend to upgrade my users domain to Windows 2000 Active Directory first and maintain a two-way non-transitive trust to the SAP domain.  I will switch to native mode and then I will upgrade the SAP domain to Active Directory. 
 
However, I am not sure whether to create a new domain tree or create a child domain of the users domain for the SAP domain.  
 
What would be best?  Or would creating a new forest and having a trust be any better?
 
Thanks
 
Adam
