Velocity Reviews > Newsgroups > Computing > NZ Computing
Interesting AD problem

 
 
thingy
01-31-2007
I have two distinct sites, both have AD, both are controlled by totally
separate entities....A 3rd entity wants their own AD to be across both
like a virtual company and login from any PC physically on either site
and get authenticated to their own AD....

So we have a 3rd AD floating about the other two....as far as I can
determine, the PC has to belong to one AD and only one AD, yet an
employee could be from an original AD or the floating one....so
somehow this has to be achieved....

Can it be done?

I cannot see how but I am no MS guru...

regards

Thing
 
Alan
01-31-2007


"thingy" <(E-Mail Removed)> wrote in message
news:45c029ee$(E-Mail Removed)...
>I have two distinct sites, both have AD, both are controlled by
>totally separate entities....A 3rd entity wants their own AD to be
>across both like a virtual company and login from any PC physically
>on either site and get authenticated to their own AD....
>
> So we have a 3rd AD floating about the other two....as far as I can
> determine, the PC has to belong to one AD and only one AD, yet an
> employee could be from an original AD or the floating one....so
> somehow this has to be achieved....
>
> Can it be done?
>
> I cannot see how but I am no MS guru...
>
> regards
>
> Thing


Hi Thing,

I believe you can set up a trust relationship.

Windows Server 2003 specifically has this facility.

If any of the sites are SBS (rather than Windows Server) then you may
have an issue, as SBS is specifically marketed to people who don't want
to be able to have multiple domains within a forest (and of course it
costs a lot less).

HTH,
--
Alan.

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

(E-Mail Removed)

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb


 
Enkidu
01-31-2007
thingy wrote:
> I have two distinct sites, both have AD, both are controlled by totally
> separate entities....A 3rd entity wants their own AD to be across both
> like a virtual company and login from any PC physically on either site
> and get authenticated to their own AD....
>
> So we have a 3rd AD floating about the other two....as far as I can
> determine, the PC has to belong to one AD and only one AD, yet an
> employee could be from an original AD or the floating one....so
> somehow this has to be achieved....
>
> Can it be done?
>
> I cannot see how but I am no MS guru...
>

What you are talking about is a 'tree' in a 'forest'. The 'forest' has a
single 'tree', with the floating AD as the root and the others as child
domains of the parent.

Can you get there from here? Nope, because the root has to exist before
the children and can't be added afterwards.

You'd need to create a root, migrate the root domain stuff from the
floating domain, create the children and migrate the stuff from them.

Well, that's a long term solution. As a medium term solution you could
set up trusts between the domains, as Alan suggested.

Cheers,

Cliff

--

Have you ever noticed that if something is advertised as 'amusing' or
'hilarious', it usually isn't?
 
thingy
01-31-2007
Alan wrote:
> "thingy" <(E-Mail Removed)> wrote in message
> news:45c029ee$(E-Mail Removed)...
> Hi Thing,
>
> I believe you can set up a trust relationship.
>
> Windows Server 2003 specifically has this facility.
>
> If any of the sites are SBS (rather than Windows Server) then you may
> have an issue as SBS is specifically marketed to people who don't want
> to be able to multiple domains within a forest (and of course it costs
> a lot less).
>
> HTH,



Trusts across forests assume the PC is only authenticated to (lives in)
one domain. The problem I have is a virtual organisation living within 2
real ones....so it's not a one-to-many, which forest trusts accomplish,
but a many-to-many, which as a solution they do not.

regards

thing
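
Below is an added illustration, not from the thread, of the trust rules the replies argue over, written the way a defender checks them before granting a trust: an edge means the trusting domain's PCs accept accounts from the trusted domain, parent-child trusts are two-way and transitive, a forest trust is transitive but a logon path may cross only one of them, and an external trust is non-transitive. The domain names are constructed placeholders.

```python
from collections import defaultdict

PARENT_CHILD = "parent_child"  # within a forest: always two-way and transitive
FOREST = "forest"              # between two forest roots: transitive only across those two forests
EXTERNAL = "external"          # between two individual domains: non-transitive


class TrustModel:
    """Directed trust graph. An edge trusting -> trusted means resources in
    `trusting` (e.g. a domain-joined PC) accept accounts from `trusted`."""

    def __init__(self):
        self.edges = defaultdict(list)  # trusting -> [(trusted, kind)]

    def add(self, trusting, trusted, kind, two_way=False):
        self.edges[trusting].append((trusted, kind))
        if two_way or kind == PARENT_CHILD:
            self.edges[trusted].append((trusting, kind))

    def can_logon(self, pc_domain, account_domain):
        """Can an account from account_domain log on at a PC joined to pc_domain?"""
        if pc_domain == account_domain:
            return True
        # Depth-first search from the PC's domain towards the account's domain,
        # counting forest trusts crossed: a logon path may use at most one.
        stack = [(pc_domain, 0, 0)]  # (domain, forest trusts used, path length)
        seen = set()
        while stack:
            dom, forest_hops, depth = stack.pop()
            for nxt, kind in self.edges[dom]:
                if kind == EXTERNAL and depth > 0:
                    continue  # an external trust cannot be reached via another trust
                hops = forest_hops + (kind == FOREST)
                if hops > 1:
                    continue  # forest trusts do not chain across a third forest
                if nxt == account_domain:
                    return True
                if kind == EXTERNAL:
                    continue  # nothing lies beyond an external trust either
                if (nxt, hops) not in seen:
                    seen.add((nxt, hops))
                    stack.append((nxt, hops, depth + 1))
        return False


def pairwise_forest_trusts(two_way=False):
    """The thread's situation (constructed names): three separate forests, with
    Co1 and Co2 each trusting Co3 so Co3 accounts can log on at either site.
    Even with two-way trusts, Co3 never becomes a bridge between Co1 and Co2."""
    m = TrustModel()
    m.add("co1.example", "co3.example", FOREST, two_way)
    m.add("co2.example", "co3.example", FOREST, two_way)
    return m


def empty_root_forest():
    """Enkidu's alternative: one forest with an empty root and three child domains."""
    m = TrustModel()
    for child in ("co1", "co2", "co3"):
        m.add("root.example", child + ".root.example", PARENT_CHILD)
    return m
```

The direction matters for least privilege: a one-way trust from Co1 to Co3 lets Co3 accounts use Co1 PCs without Co3 having to accept any Co1 or Co2 accounts in return.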

thingy
01-31-2007
Enkidu wrote:
> What you are talking about is a 'tree' in 'forest'. The 'forest' has a
> single 'tree', with the floating AD as the root and the other as child
> domains of the parent.
>
> Can you get there from here? Nope, because the root has to exist before
> the children and can't be added afterwards.
>
> You'd need to create a root, migrate the root domain stuff from the
> floating domain, create the children and migrate the stuff from them.
>
> Well, that's a long term solution. As a medium term solution you could
> set up trusts between the domains, as Alan suggested.
>
> Cheers,
>
> Cliff
>


All three organisations have their own root....there is no overall
root......the two original physical domains are separate companies so
creating a common root is not possible in a business sense, let alone
the practical technical one.

It would be like asking RedHat (assuming RH was MS based for a moment
and not Linux) and Microsoft to have a common root so Novell can easily
exist inside them....

regards

Thing

Alan
02-01-2007

"thingy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Alan wrote:
> Trusts across forests assume the PC is only authenticated to (lives
> in) one domain. The problem I have is a virtual organisation living
> within 2 real ones....so it's not a one-to-many, which forest trusts
> accomplish, but a many-to-many, which as a solution they do not.
>
> regards
>
> thing

Why not have the employee from Co3 login on a PC at either Co1 or Co2,
then VPN (say) to Co3's domain?

What does the employee of Co3 actually need to do / achieve in the
scenario that you describe? Give us some broader context and perhaps
we can brainstorm a different solution?

--
Alan.

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

(E-Mail Removed)

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb

Enkidu
02-01-2007
thingy wrote:
> Enkidu wrote:
> All three organisations have their own root....there is no overall
> root......the two original physical domains are separate companies so
> creating a common root is not possible in a business sense, let
> alone the practical technical one.
>
> It would be like asking RedHat (assuming RH was MS based for a moment
> and not Linux) and Microsoft to have a common root so Novell can
> easily exist inside them....
>

Can you expand on what you want? How about an empty root and three child
domains?

Cheers,

Cliff

--

Have you ever noticed that if something is advertised as 'amusing' or
'hilarious', it usually isn't?

thingy
02-01-2007
Alan wrote:
> "thingy" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> Why not have the employee from Co3 login on a PC at either Co1 or Co2,
> then VPN (say) to Co3's domain?
>
> What does the employee of Co3 actually need to do / achieve in the
> scenario that you describe? Give us some broader context and perhaps
> we can brainstorm a different solution?
>


Co3 staff could be at either Co1's or Co2's site...so they need to log in
to any PC and get to Co3....while they could be given 3 logins....it means
3 logins, plus Co1 and Co2 are stuck with maintaining Co3 users and have
to add a VPN to each of their desktop images (around 10,000 of
them)......clunky....not unworkable though....it may be the only
practical solution....a true federated service would allow single sign-on....that is not available and 2 to 4 years off....

From inside Co3 they can then reach back to Co1 and Co2 and get the
services they need, either via two forest trusts or a point-to-point
solution.....Co3's bandwidth and CPU use could also be rather high due to
the video and sound editing...

Oh, and I expect a decent % of them to want Macs...

regards

Thing

thingy
02-01-2007
Enkidu wrote:
> thingy wrote:
> Can you expand on what you want? How about an empty root and three child
> Domains?
>
> Cheers,
>
> Cliff
>


Means compromising the two independent companies? Security-wise it is a
huge ask...they already have their own roots, so their differently named
roots would have to be pulled into an empty one and then extracted about
3~4 years from now. These organisations are separate, so all of a sudden
the two are joined at the hip....the complexity just went up but the
cost recovery for it is not there....

Theoretically possible but costly, risky and complex to my mind...longer
term the third company wants to be physically and mentally separate; it
just gets gestated and then gets "ejected" once mature enough in
business and in IT terms to survive on its own...

regards

Thing

thingy
02-01-2007
Alan wrote:
> "thingy" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> Why not have the employee from Co3 login on a PC at either Co1 or Co2,
> then VPN (say) to Co3's domain?
>
> What does the employee of Co3 actually need to do / achieve in the
> scenario that you describe? Give us some broader context and perhaps
> we can brainstorm a different solution?
>



The issue with VPN is that the disparate applications required by Co3 would
have to sit on Co1's and Co2's desktops....it's not just adding a VPN, is it?

Methinks a Citrix / terminal services / thin client solution would be
more effective?

I want to minimise the work on the two separate organisations'
independent desktops....VPN means a huge change to the desktop....thin
client / Citrix avoids that?

The disadvantage may be the bandwidth requirements....streaming video and
audio....

regards

Thing
