RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread knighTslayer



Hi Joe,

Thanks for your detailed email.

I want the SAP domain to have a separate security policy from the users domain.

So I think I am going to go down the two-tree domain road.

So within my forest I have two tree domains.

 
          o
         / \
        /   \
       /     \
users.dom --- sap.dom

Therefore, between these two domains there exists an automatic tree trust relationship, which means that any resource in the users domain can be accessed with no problem from within the SAP domain.

In the SAP domain I will never have Exchange servers. The SAP domain runs SAP applications which run on their own database and environment. Only 5 user accounts exist and these have full admin rights. These accounts are required to start the SAP applications and are contained within the SAP app for its built-in security.

Thanks Joe and Kenneth.

Adam


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 08 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

First off, you may want to look into what you can do with that SAP app in the future; your hands are bound in a bad way, and at some point you will find yourself between a rock and a hard place for something because of it. If you guys wrote the SAP app, work on making it more flexible; if someone else wrote it, it should be configurable, unless they wrote it specifically for you, which would be unusual I think.

Everything presented here would indicate a single forest with multiple domains is fine. Multiple forests with a single domain each would also be fine. From an Exchange viewpoint, I have had multi-domain forests, and things can get messy.

For the first option, you would have the choice of a parent-child relationship or two trees. In almost all cases I recommend parent-child relationships (or root, child, child, child, x), because multiple-tree deployments tend to confuse the heck out of most admins and support people, and there is already an issue with not a lot of people really understanding what is going on in AD. Most companies DO NOT test their apps in a multi-tree environment, and I have seen apps that make assumptions on the naming and tree structures that assume non-disjoint naming and single trees. Many documents that are written go that way as well, and many scripts.

For instance, if you have two trees in your forest,

domain1.com

and

domain2.com

and you read a document that says "well, if your domain is domain2.com then your config container is probably cn=configuration,dc=domain,dc=com" instead of saying "go to the rootDSE and query for the configuration partition". This is slowly getting better, but I still do tend to see mistakes like that. Your people supporting the environment would have to be on top of that.

From what I see here, I would probably do a two-domain, single-tree, single-forest deployment. It is the simplest from several aspects. You would have your domain.com, which is your main domain, and then spin up the SAP domain as a child, so you get domain.com and sap.domain.com.


 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Thursday, July 08, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2 NT4.0 domains to a Forrest

Hi,

I'm planning to upgrade my NT4.0 domains to Windows 2000. I have NT domains that have two-way trusts to each other.

The first domain is where all my users, printers, file server and mail servers are, and the second domain is just where my SAP applications run. My SAP servers are completely dependent on the SAP domain to start the services, and it is hard-coded which accounts from that domain can start them; therefore I must maintain the domain logon, SID and account name. The SAP domain requires the use of printers and file servers from the user domain.

I am making a migration plan where I intend to upgrade my users domain to Windows 2000 Active Directory first and maintain a two-way non-transitive trust to the SAP domain. I will switch to native mode and then I will upgrade the SAP domain to Active Directory.

However, I am not sure whether to create a new domain tree or create a child domain of the users domain for the SAP domain.

What would be best? Or would creating a new forest and having a trust be any better?

Thanks

Adam
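
Joe's warning above about documents that assume the configuration container sits at cn=configuration,dc=domain,dc=com is worth seeing in code. The Python below is an added example for this thread, not code from the list or from any of its authors: it contrasts the "guess it from the domain name" shortcut with reading configurationNamingContext from rootDSE, using three constructed rootDSE records (forest root domain1.com, a second tree domain2.com, and the child sap.domain.com that Joe proposes). It goes slightly beyond Joe's example to show that the shortcut is wrong for any domain that is not the forest root, child or tree alike, so scripts should read rootDSE in either design.

```python
# Added example for this thread (not code from the list or its authors): why the
# configuration partition must be discovered from rootDSE rather than guessed
# from the domain's own DN. All rootDSE records below are constructed samples.


def dns_to_dn(dns_name):
    """Turn a DNS domain name into its AD domain DN: domain2.com -> DC=domain2,DC=com."""
    labels = [lbl for lbl in dns_name.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("DC=" + lbl for lbl in labels)


def guessed_config_nc(dns_name):
    """The shortcut Joe warns about: assume the config container sits under the
    domain's own DN. That only holds for the forest root domain."""
    return "CN=Configuration," + dns_to_dn(dns_name)


def config_nc_from_rootdse(rootdse):
    """The right way: read the attribute every DC publishes on its rootDSE."""
    try:
        return rootdse["configurationNamingContext"]
    except KeyError:
        raise LookupError("rootDSE has no configurationNamingContext") from None


def is_separate_tree(rootdse):
    """True when this domain's DN is not under the forest root's DN, i.e. the
    domain is a second tree with its own namespace rather than a child."""
    own = rootdse["defaultNamingContext"].lower()
    root = rootdse["rootDomainNamingContext"].lower()
    return own != root and not own.endswith("," + root)


def audit(rootdse, dns_name):
    """Compare the guessed config NC with the one the DC actually advertises."""
    guess = guessed_config_nc(dns_name)
    actual = config_nc_from_rootdse(rootdse)
    return {
        "guess": guess,
        "actual": actual,
        "guess_correct": guess.lower() == actual.lower(),
        "separate_tree": is_separate_tree(rootdse),
    }


# Constructed rootDSE of a DC in domain1.com, the forest root domain.
ROOTDSE_DOMAIN1 = {
    "defaultNamingContext": "DC=domain1,DC=com",
    "rootDomainNamingContext": "DC=domain1,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=domain1,DC=com",
}
# Constructed rootDSE of a DC in domain2.com, a second tree in the same forest.
ROOTDSE_DOMAIN2 = {
    "defaultNamingContext": "DC=domain2,DC=com",
    "rootDomainNamingContext": "DC=domain1,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=domain1,DC=com",
}
# Constructed rootDSE of a DC in sap.domain.com, a child of domain.com.
ROOTDSE_SAP_CHILD = {
    "defaultNamingContext": "DC=sap,DC=domain,DC=com",
    "rootDomainNamingContext": "DC=domain,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=domain,DC=com",
}

if __name__ == "__main__":
    for name, rootdse in (("domain1.com", ROOTDSE_DOMAIN1),
                          ("domain2.com", ROOTDSE_DOMAIN2),
                          ("sap.domain.com", ROOTDSE_SAP_CHILD)):
        result = audit(rootdse, name)
        print(name, "guess ok:", result["guess_correct"],
              "separate tree:", result["separate_tree"],
              "->", result["actual"])
```

On a live DC the same attributes come back from a base-scope LDAP search against the empty base DN (the rootDSE), which is readable even before authenticating, so there is no excuse for a script to hard-code the path; the guess only survives in the forest root domain, and in Adam's two-tree layout it would point sap.dom's tools at a partition that does not exist.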


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread joe



Define what you mean by:

"want the SAP domain to have a separate security policy from the users domain."

Using multiple trees in a single forest will not buy you anything that you don't get with a child domain in terms of security.

You have domains, which are policy boundaries, and you have a forest, which is a security boundary. Domain trees offer no bounding other than namespace, and as I mentioned previously that bounding tends to cause confusion.


 
joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread knighTslayer



I guess I got confused then!

As I understand it, I don't want SAP to be a child of users as I don't want it to inherit any domain security policies like password expiration etc. I get what you are saying with the child domain now, though.

Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 July 2004 13:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread Rachui, Scott



A child domain won't inherit the parent domain's password policy. In fact, different security requirements are one of the primary reasons we are sometimes forced to go with another domain.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread knighTslayer



Joe,

Each NT4.0 domain I have has two domain controllers, a BDC and of course a PDC. When I upgrade the users domain PDC to ADS, that will be pretty straightforward. When I upgrade the last BDC and switch to native mode, then that's it for the users domain: no going back, no problem, it's now ADS and a two-way trust exists with the SAP domain. Fine, phase one complete.

Phase two: as with the users domain, the SAP domain has two domain controllers. If I upgrade the domain to a child domain of the user domain and things are going bad for the services in the SAP domain, I can just take out that PDC I have just upgraded and then promote the BDC to PDC. I'm then back with an NT4.0-to-ADS non-transitive trust, as at the end of phase 1. Is that correct?

Thanks

Adam



RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread knighTslayer



Ah, okay. I have just bought a book called Windows 2000 Active Directory by Alistair G. Lowe-Norris from O'Reilly. I will get my head around all this once I have digested that book, I guess. I have been on the ADS course, but it was a long time ago, and we all know that experience comes with practice!

thanks guys.

Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 09 July 2004 14:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread Grillenmeier, Guido




"Only 5 user accounts exist and these have full admin rights. These accounts are required to start the SAP applications and are contained within the SAP app. for its built in security."

Why in the world would you want to set up a separate domain to manage a different PW policy for your 5 user accounts in SAP?

You might have had good reasons to implement a separate NT4 domain in the past, but it was more likely to ensure restricted access to your SAP servers, i.e. you didn't want other domain admins from your User-Domain to touch the SAP boxes... right?


In that case, I would ask myself:

1. Who will have administrative access to my "User" AD domain in the future?
=> since you can delegate almost anything, you can restrict your domain admins in your upgraded Users Domain to the bare minimum
=> you should plan the delegation setup right from the start (even when doing an in-place upgrade)

2. Are the domain admins of the User-Domain (the ones that are left after you've configured delegation of the AD data management) trustworthy to manage the SAP accounts and servers?
=> if these domain admins are the same that manage your SAP environment, then you can simply give up the SAP domain and migrate the SAP servers over to a protected OU in the Users domain; absolutely no need to create a separate child domain or domain tree... Just because you won't be able to set a different PW policy doesn't mean you can't configure the SAP accounts with 15-character complex passwords... it's up to you to make the environment secure.
=> you will then save the costs of maintaining a completely separate domain and all the hassles involved with a multi-domain forest infrastructure. No reason to plan a complex environment if you don't require it.

=> however, if you're talking about a situation where the user domain admins can't be trusted by the folks responsible for SAP, then stick to a separate forest, which will be the only way to isolate the two securely. (Robbie Allen would have updated these details in the second edition of this really great book, but the first edition doesn't mention the security boundary topic.)


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, 9 July 2004 15:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

ah, okay. I have just bought a book called Windows 
2000 Active Directory by Alistair G. Lowe-Norris on O'Reilly press. I will 
get my head around all this once I have digested that book I guess. I have 
been on the ADS course, but it was a long time ago and we all know that 
experience comes with practice!

thanks guys.

Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 09 July 2004 14:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

A child domain won't inherit the parent domain's password policy. In fact, 
different security requirements are one of the primary reasons we are sometimes 
forced to go with another domain.

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
  Sent: Friday, July 09, 2004 8:01 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

  I guess I got confused then!
  
  As I understand it I don't want SAP to be a child of 
  users as I don't want it to inherit any domain security policies like password 
  expiration etc. I get what you are saying with the child domain now 
  though.
  
  Ad
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 09 July 2004 13:20
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest
  
  Define what you mean by
  
  want the SAP domain to have a separate 
  security policy than the users domain.
  
  Using multiple trees in a single forest 
  will not buy you anything that you don't get with a child domain in terms of 
  security.
  
  
  You have domains which are policy boundaries and you have a forest which is a 
  security boundary. Domain trees offer no other bounding other than name space 
  and as I mentioned previously that bounding tends to cause 
  confusion.
  
  
   joe
  
  
  
  
  

RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread joe



I was going to say that is correct but now I am not so 
sure. You may have issues until you chop the info back out of AD. Anyone have 
experience with this?

 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, July 09, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

Joe,

Each NT4.0 domain I have has two domain controllers, a BDC 
and of course a PDC. When I upgrade the users domain PDC to ADS then that 
will be pretty straightforward. When I upgrade the last BDC and switch to 
native mode then that's it for the users domain - no going back - no problem, 
it's now ADS and a two-way trust exists with the SAP domain. Fine, phase one 
complete.

Phase two will be as with the users domain: the SAP domain 
has two domain controllers; if I upgrade the domain to a child domain of the 
user domain and things are going bad for the services in the SAP domain, I can 
just take out that PDC I have just upgraded and then promote the BDC to 
PDC. I'm then back with an NT4.0 to ADS non-transitive trust, as at 
the end of phase 1. Is that correct?

Thanks

Adam



RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread joe



I agree with Guido. If the reason for the two domains is 
only to have completely separate admin teams, you HAVE to do two forests. 


 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest


Only 5 user accounts exist and these have 
full admin rights. These accounts are required to start the SAP 
applications and are contained within the SAP app. for its built in 
security.


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread Henderson Richard



I would start fresh with a new forest & then migrate 
over users & services using MS migration tools which work well. I have 
previously done an in-place upgrade of NT4; although it 
worked well, there is more flexibility with a new domain. 
Obviously the additional hardware requirements can limit your choice if new kit 
is not an option.


From: knighTslayer [mailto:[EMAIL PROTECTED]
Sent: 08 July 2004 09:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2 NT4.0 domains to a Forrest

Hi,

I'm planning to upgrade my NT4.0 domains to Windows 
2000. I have NT domains that have two-way trusts to each other. 


The first domain is where all my users, printers, file 
server and mail servers are, and the second domain is just where my SAP 
applications run. My SAP servers are completely dependent on the SAP 
domain to start the services, and it is hard coded which accounts from that 
domain can start them, therefore I must maintain the domain logon, SID and 
account name. The SAP domain requires the use of printers and file servers 
from the user domain.

I am making a migration plan where I intend to upgrade my 
users domain to Windows 2000 Active Directory first and maintain a two-way 
non-transitive trust to the SAP domain. I will switch to native mode and 
then I will upgrade the SAP domain to Active Directory. 

However, I am not sure whether to create a new domain tree 
or create a child domain of the users domain for the SAP domain. 

What would be best? Or would creating a new forest 
and having a trust be any better?

Thanks

Adam





RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread knighTslayer



sorry, new kit is out of the question, I should have 
mentioned that.




RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread Adams, Kenneth W \(Ken\)



Not knowing all of the details to your current situation, those you provided lead me 
to recommend having one forest, but 2 domains. You can upgrade your user 
domain and have that as your forest root, then upgrade the SAP domain as a new 
domain in the forest. With that arrangement, you will have the 2-way 
transitive trust automatically established.

Be aware that you should test this (and any) upgrade strategy in a lab 
environment. That lab environment can be as simple as having a (fairly) 
new PC running Windows XP and Virtual PC, or as complex as having a duplicate 
set of servers to your current environment on a separate (preferably isolated) 
network.
Kenneth W. (Ken) Adams, MCSA, MCSE 




RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread Adams, Kenneth W \(Ken\)



Almost right (as I understand your interpretation). Your SAP domain will be a 
parallel domain to your user domain, but in the same forest. For example, 
let's say your current user domain is called 'tuv' with a DNS entry of 'tuv.com' 
and your SAP domain is called 'wxy' with a DNS entry of 'wxy.com'. When 
you upgrade your user domain to Active Directory, your forest could be called 
'tuv' and the domain would be 'tuv.com'. When you upgrade your SAP domain, 
it would be called 'wxy.com' in the 'tuv' forest. Two domain trees, one 
forest. A visual diagram would be something like:

                 Forest: tuv
                      |
    (Domain: tuv.com)__|__(Domain: wxy.com)

Using the names in the example, for the SAP domain to be a child domain of the users 
domain, the SAP domain would be named 'wxy.tuv.com'. A visual diagram 
would be something like:

                 Forest: tuv
                      |
               (Domain: tuv.com)
                     /
             (Domain: wxy.tuv.com)

If you choose the parallel domains in the same forest, remember to set administrative 
privileges for the SAP domain to the appropriate user accounts in the user 
domain. The administrative permissions are inherited in the child domain 
model, so they are not as much of an issue.

Both models provide for different password security settings (i.e., password length, 
password aging, etc). If you want those security settings identical in 
both domains, you will need to set them in each domain.
Kenneth W. (Ken) Adams, MCSA, MCSE 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Thursday, July 08, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

Hi Kenneth,

I'm currently replicating the situation now using 
VMware. 

So, if I have this right, I'm going to put the SAP 
domain in as a child domain of the existing users domain and not a new domain 
tree?

Therefore, the domain SAP NetBIOS name will be SAP and the 
accounts will be that of SAP\user or a UPN of the forest like [EMAIL PROTECTED] 
?

Thanks

Adam




RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread joe



First off, you may want to look into what you can do with 
that SAP app in the future, your hands are bound in a bad way and at some point 
you will find yourself between a rock and hard place for something due to it. If 
you guys wrote the SAP app, work on making it more flexible, if someone else 
wrote it, it should be configurable unless they wrote it specifically for you 
which would be unusual I think. 

Everything presented here would indicate a single forest 
with multiple domains is fine. Multiple forests with a single domain each would 
also be fine. From an exchange viewpoint, I had multi-domain forests, things can 
get messy. 

For the first option, you would have the option of a parent 
child relationship or two trees. In almost all cases I recommend parent child 
relationships (or root, child, child, child, x) because multiple tree 
deployments tend to confuse the heck out of most admins and support people and 
there is already an issue with not a lot of people really understanding what is 
going on in AD. Most companies DO NOT test their apps in a multi-tree 
environment and I have seen apps that make assumptions on the naming and tree 
structures that assume non-disjoint naming and single trees. Also many documents 
that are written go that way as well and many scripts. 

For instance if you have two trees in your 
forest

domain1.com 

and 

domain2.com

And you read a document that says well if your domain is 
domain2.com then your config container is probably 
cn=configuration,dc=domain,dc=com instead of saying go to the rootdse and query 
for the configuration partition. This is slowly getting better but I still do 
tend to see mistakes like that. Your people supporting the environment would 
have to be on top of that.

From what I see here, I would probably do a two domain 
single tree single forest deployment. It is the simplest from several aspects. 
You would have your domain.com which is your main domain and then spin up the 
sap domain as a child so you get domain.com and sap.domain.com. 


 joe




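joe's warning about scripts that guess the configuration container from the domain name, as an added example that is not part of the thread. The rootDSE output is constructed for this example; the forest names domain1.com and domain2.com are the ones from his message, and sap.domain1.com is a hypothetical child domain in that forest.

```python
"""Why a script must not derive the configuration partition from its own domain name.

Added example (not from the thread). In a forest with the trees domain1.com and
domain2.com (or a child sap.domain1.com), the configuration partition lives
under the forest root only; the safe way to find it is to read
configurationNamingContext from the rootDSE instead of guessing it.
"""

# Constructed rootDSE attributes, written as the LDIF-style text a search of the
# empty base DN returns on a domain controller of domain2.com in the domain1.com forest.
SAMPLE_ROOTDSE = """\
dn:
defaultNamingContext: DC=domain2,DC=com
rootDomainNamingContext: DC=domain1,DC=com
configurationNamingContext: CN=Configuration,DC=domain1,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain1,DC=com
"""


def parse_rootdse(text: str) -> dict[str, str]:
    """Parse single-valued 'attribute: value' lines into a dict (the dn line is skipped)."""
    attrs: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn" or not value:
            continue
        attrs[name] = value
    return attrs


def dns_to_dn(dns_name: str) -> str:
    """Convert a DNS domain name to its AD distinguished name (domain1.com -> DC=domain1,DC=com)."""
    return ",".join(f"DC={label}" for label in dns_name.strip(".").split("."))


def naive_config_nc(domain_dns: str) -> str:
    """The assumption joe warns about: 'the config container sits under my own domain'."""
    return f"CN=Configuration,{dns_to_dn(domain_dns)}"


def actual_config_nc(rootdse: dict[str, str]) -> str:
    """The correct way: any DC in the forest tells you where the configuration partition is."""
    return rootdse["configurationNamingContext"]


def naive_assumption_holds(domain_dns: str, rootdse: dict[str, str]) -> bool:
    """True only when the domain the script runs in happens to be the forest root."""
    return naive_config_nc(domain_dns).lower() == actual_config_nc(rootdse).lower()


if __name__ == "__main__":
    rootdse = parse_rootdse(SAMPLE_ROOTDSE)
    print("rootDSE says:", actual_config_nc(rootdse))
    for domain in ("domain1.com", "domain2.com", "sap.domain1.com"):
        verdict = "OK" if naive_assumption_holds(domain, rootdse) else "WRONG, query rootDSE"
        print(f"{domain:16} guessed {naive_config_nc(domain)} -> {verdict}")
```

The guess only survives on the forest root domain; a second tree or a child domain both break it, which is the support burden joe describes.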


RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-08 Thread joe



Were your problems with upgraded machines or the upgraded 
domain? I would say that there are far more upgraded domains than brand new 
domains with everything moved into them. The second option tends to be pretty 
much unfeasible for any large company. 

 joe

