I was going to say that is correct but now I am not so sure. You may have issues until you chop the info back out of AD. Anyone have experience with this?
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forest
Joe,
Each NT4.0 domain I have has two domain controllers, a BDC and of course a PDC. When I upgrade the users domain PDC to ADS then that will be pretty straightforward. When I upgrade the last BDC and switch to native mode then that's it for the users domain - no going back - no problem, it's now ADS and a two-way trust exists with the SAP domain. Fine, phase one complete.
Phase two will be as with the users domain: the SAP domain has two domain controllers. If I upgrade the domain to a child domain of the users domain and things are going bad for the services in the SAP domain, I can just take out that PDC I have just upgraded and then promote the BDC to PDC. I'm then back with an NT4.0 to ADS non-transitive trust as at the end of phase 1. Is that correct?
Thanks
Adam
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: 09 July 2004 14:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forest
I guess I got confused then!
As I understand it I don't want SAP to be a child of users as I don't want it to inherit any domain security policies like password expiration etc. I get what you are saying with the child domain now though.
Ad
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 July 2004 13:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forest
Define what you mean by
> want the SAP domain to have a separate security policy than the users domain.
Using multiple trees in a single forest will not buy you anything that you don't get with a child domain in terms of security.
You have domains which are policy boundaries and you have a forest which is a security boundary. Domain trees offer no other bounding other than name space and as I mentioned previously that bounding tends to cause confusion.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forest
Hi Joe,
Thanks for your detailed email.
I want the SAP domain to have a separate security policy from the users domain.
So I think I am going to go down the two-tree domain road.
So within my forest I have two tree domains.
       o
      / \
     /   \
users.dom <-> sap.dom
So therefore, between these two domains exists an automatic tree trust relationship, which means that any resource in the users domain can be accessed no problem from within the sap domain.
In the SAP domain I will never have Exchange servers. The SAP domain runs SAP applications which run on their own database and environment. Only 5 user accounts exist and these have full admin rights. These accounts are required to start the SAP applications and are contained within the SAP app. for its built-in security.
Thanks Joe and Kenneth.
Adam
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 08 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forest
First off, you may want to look into what you can do with that SAP app in the future; your hands are bound in a bad way and at some point you will find yourself between a rock and a hard place for something due to it. If you guys wrote the SAP app, work on making it more flexible; if someone else wrote it, it should be configurable unless they wrote it specifically for you, which would be unusual I think.
Everything presented here would indicate a single forest with multiple domains is fine. Multiple forests with a single domain each would also be fine. From an Exchange viewpoint, I had multi-domain forests; things can get messy.
For the first option, you would have the option of a parent-child relationship or two trees. In almost all cases I recommend parent-child relationships (or root, child, child, child, x) because multiple tree deployments tend to confuse the heck out of most admins and support people and there is already an issue with not a lot of people really understanding what is going on in AD. Most companies DO NOT test their apps in a multi-tree environment and I have seen apps that make assumptions on the naming and tree structures that assume non-disjoint naming and single trees. Also many documents that are written go that way as well, and many scripts.
For instance, if you have two trees in your forest, domain1.com and domain2.com, and you read a document that says "well, if your domain is domain2.com then your config container is probably cn=configuration,dc=domain,dc=com" instead of saying "go to the rootDSE and query for the configuration partition". This is slowly getting better but I still do tend to see mistakes like that. Your people supporting the environment would have to be on top of that.
From what I see here, I would probably do a two domain, single tree, single forest deployment. It is the simplest from several aspects. You would have your domain.com which is your main domain and then spin up the sap domain as a child so you get domain.com and sap.domain.com.
joe
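The rootDSE lookup Joe recommends, as an added PowerShell example that is not part of the thread: it reads configurationNamingContext from RootDSE on the domain-joined machine it runs on and compares it with the DN one would guess from the local domain's DNS name, which is wrong for every domain outside the forest root tree. The function names and the use of $env:USERDNSDOMAIN are assumptions of this example.

```powershell
# Added example (not from the thread): locate the Configuration partition by
# querying RootDSE instead of deriving it from the domain's DNS name.
# In a multi-tree forest (domain1.com and domain2.com, as in the thread) the
# Configuration container hangs off the forest root domain, so the naive
# derivation only happens to be right inside the root tree.

function Get-ConfigurationNC {
    # RootDSE is served by every DC without authentication to a specific
    # partition and needs no prior knowledge of the forest layout.
    $rootDse = [ADSI]"LDAP://RootDSE"
    return [string]$rootDse.configurationNamingContext
}

function Get-NaiveConfigurationNC {
    param([Parameter(Mandatory)][string]$DnsDomain)
    # The pattern Joe warns about: build the DN from the DNS name of
    # whichever domain you happen to be in.
    $dcParts = $DnsDomain.Split('.') | ForEach-Object { "DC=$_" }
    return "CN=Configuration," + ($dcParts -join ',')
}

$actual = Get-ConfigurationNC
$naive  = Get-NaiveConfigurationNC -DnsDomain $env:USERDNSDOMAIN

# -ne is case-insensitive in PowerShell, so "cn=" vs "CN=" does not matter.
if ($actual -ne $naive) {
    Write-Warning ("Guessed '{0}' but RootDSE reports '{1}': this domain " +
                   "is not the forest root tree, so the hard-coded DN is wrong.") -f $naive, $actual
} else {
    Write-Host "Configuration NC: $actual"
}
```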
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Thursday, July 08, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2 NT4.0 domains to a Forest
Hi,
I'm planning to upgrade my NT4.0 domains to Windows 2000. I have NT domains that have two-way trusts to each other.
The first domain is where all my users, printers, file server and mail servers are, and the second domain is just where my SAP applications run. My SAP servers are completely dependent on the SAP domain to start the services and it is hard coded which accounts from that domain can start them, therefore I must maintain the domain logon, SID and account name. The SAP domain requires the use of printers and file servers from the user domain.
I am making a migration plan where I intend to upgrade my users domain to Windows 2000 Active Directory first and maintain a two-way non-transitive trust to the SAP domain. I will switch to native mode and then I will upgrade the SAP domain to Active Directory.
However, I am not sure whether to create a new domain tree or create a child domain of the users domain for the SAP domain.
What would be best? Or would creating a new Forest and having a trust be any better?
Thanks
Adam