Interesting AD problem

Discussion in 'NZ Computing' started by thingy, Jan 31, 2007.

  1. thingy

    thingy Guest

    I have two distinct sites, both have AD, both are controlled by totally
    separate entities....A 3rd entity wants their own AD to be across both
    like a virtual company and login from any PC physically on either site
    and get authenticated to their own AD....

    So we have a 3rd AD floating about the other two....as far as I can
    determine, the PC has to belong to one AD and only one AD, yet an
    employee could be from an original AD or the floating one....so
    somehow this has to be achieved....

    Can it be done?

    I cannot see how but I am no MS guru...

    regards

    Thing
     
    thingy, Jan 31, 2007
    #1

  2. thingy

    Alan Guest

    "thingy" <> wrote in message
    news:45c029ee$...
    >I have two distinct sites, both have AD, both are controlled by
    >totally separate entities....A 3rd entity wants their own AD to be
    >across both like a virtual company and login from any PC physically
    >on either site and get authenticated to their own AD....
    >
    > So we have a 3rd AD floating about the other two....as far as I can
    > determine, the PC has to belong to one AD and only one AD, yet an
    > employee could be from an original AD or the floating one....so
    > somehow this has to be achieved....
    >
    > Can it be done?
    >
    > I cannot see how but I am no MS guru...
    >
    > regards
    >
    > Thing


    Hi Thing,

    I believe you can set up a trust relationship.

    Windows Server 2003 specifically has this facility.

    If any of the sites are SBS (rather than Windows Server) then you may
    have an issue, as SBS is specifically marketed to people who don't want
    to be able to have multiple domains within a forest (and of course it
    costs a lot less).

    HTH,
    --
    Alan.

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Jan 31, 2007
    #2

  3. thingy

    Enkidu Guest

    thingy wrote:
    > I have two distinct sites, both have AD, both are controlled by totally
    > separate entities....A 3rd entity wants their own AD to be across both
    > like a virtual company and login from any PC physically on either site
    > and get authenticated to their own AD....
    >
    > So we have a 3rd AD floating about the other two....as far as I can
    > determine, the PC has to belong to one AD and only one AD, yet an
    > employee could be from an original AD or the floating one....so
    > somehow this has to be achieved....
    >
    > Can it be done?
    >
    > I cannot see how but I am no MS guru...
    >

    What you are talking about is a 'tree' in a 'forest'. The 'forest' has a
    single 'tree', with the floating AD as the root and the others as child
    domains of the parent.

    Can you get there from here? Nope, because the root has to exist before
    the children and can't be added afterwards.

    You'd need to create a root, migrate the root domain stuff from the
    floating domain, create the children and migrate the stuff from them.

    Well, that's a long term solution. As a medium term solution you could
    set up trusts between the domains, as Alan suggested.

    Cheers,

    Cliff

    --

    Have you ever noticed that if something is advertised as 'amusing' or
    'hilarious', it usually isn't?
     
    Enkidu, Jan 31, 2007
    #3
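An added example, not code from the thread: a PowerShell check over the trusts that Alan and Cliff suggest, run on the trusting side (the organisation whose PCs the other organisation's users log on to), reporting whether each trust restricts what the other side's accounts can do. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT, so newer than the 2003-era thread) and uses a placeholder forest name.

```powershell
# Added example, not from the thread. Audits existing trusts from the point
# of view of the trusting domain. Assumes the ActiveDirectory module
# (Windows Server 2008 R2+); 'co3.example' below is a placeholder name.
Import-Module ActiveDirectory

function Get-TrustPosture {
    [CmdletBinding()]
    param(
        # Optional domain controller to query; defaults to the current domain.
        [string]$Server
    )

    $params = @{ Filter = '*' }
    if ($Server) { $params['Server'] = $Server }

    foreach ($t in (Get-ADTrust @params)) {
        $findings = @()

        # Outbound (or two-way) means "we trust them": their accounts can
        # authenticate to our resources. Without selective authentication,
        # every account in the trusted forest is treated as a member of our
        # Authenticated Users and can reach anything ACL'd to that group.
        if (($t.Direction -in @('Outbound', 'BiDirectional')) -and
            -not $t.SelectiveAuthentication) {
            $findings += 'trusted-side users get Authenticated Users access; consider selective authentication'
        }

        # External (non-forest) trusts get SID filtering ("quarantine") by
        # default. If it has been cleared, SIDs from our own forest could be
        # presented via sIDHistory from the other side.
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is off on an external trust'
        }

        # Emit one row per trust; the raw attributes are included so the
        # admin can review a forest trust's SID-filtering state directly.
        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            Findings                = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Example: from Co1's domain, list the trusts pointing at the "floating"
# Co3 forest and flag weak settings.
Get-TrustPosture | Where-Object { $_.Trust -like '*co3.example*' } | Format-List
```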
  4. thingy

    thingy Guest

    Alan wrote:
    > "thingy" <> wrote in message
    > news:45c029ee$...
    >> I have two distinct sites, both have AD, both are controlled by
    >> totally separate entities....A 3rd entity wants their own AD to be
    >> across both like a virtual company and login from any PC physically
    >> on either site and get authenticated to their own AD....
    >>
    >> So we have a 3rd AD floating about the other two....as far as I can
    >> determine, the PC has to belong to one AD and only one AD, yet an
    >> employee could be from an original AD or the floating one....so
    >> somehow this has to be achieved....
    >>
    >> Can it be done?
    >>
    >> I cannot see how but I am no MS guru...
    >>
    >> regards
    >>
    >> Thing

    >
    > Hi Thing,
    >
    > I believe you can set up a trust relationship.
    >
    > Windows Server 2003 specifically has this facility.
    >
    > If any of the sites are SBS (rather than Windows Server) then you may
    > have an issue, as SBS is specifically marketed to people who don't want
    > to be able to have multiple domains within a forest (and of course it
    > costs a lot less).
    >
    > HTH,



    Trusts across forests assume the PC is only authenticated to (lives in)
    one domain. The problem I have is a virtual organisation living within 2
    real ones....so it's not a one-to-many, which a forest trust
    accomplishes, but a many-to-many, which as a solution it does not.

    regards

    thing
     
    thingy, Jan 31, 2007
    #4
  5. thingy

    thingy Guest

    Enkidu wrote:
    > thingy wrote:
    >> I have two distinct sites, both have AD, both are controlled by
    >> totally separate entities....A 3rd entity wants their own AD to be
    >> across both like a virtual company and login from any PC physically on
    >> either site and get authenticated to their own AD....
    >>
    >> So we have a 3rd AD floating about the other two....as far as I can
    >> determine, the PC has to belong to one AD and only one AD, yet an
    >> employee could be from an original AD or the floating one....so
    >> somehow this has to be achieved....
    >>
    >> Can it be done?
    >>
    >> I cannot see how but I am no MS guru...
    >>

    > What you are talking about is a 'tree' in a 'forest'. The 'forest' has a
    > single 'tree', with the floating AD as the root and the others as child
    > domains of the parent.
    >
    > Can you get there from here? Nope, because the root has to exist before
    > the children and can't be added afterwards.
    >
    > You'd need to create a root, migrate the root domain stuff from the
    > floating domain, create the children and migrate the stuff from them.
    >
    > Well, that's a long term solution. As a medium term solution you could
    > set up trusts between the domains, as Alan suggested.
    >
    > Cheers,
    >
    > Cliff
    >


    All three organisations have their own root....there is no overall
    root......the two original physical domains are separate companies so
    creating a common root is not possible in a business sense, let alone
    the practical technical one.

    It would be like asking RedHat (assuming RH was MS based for a moment
    and not Linux) and Microsoft to have a common root so Novell can easily
    exist inside them....

    regards

    Thing
     
    thingy, Jan 31, 2007
    #5
  6. thingy

    Alan Guest

    "thingy" <> wrote in message
    news:...
    > Alan wrote:
    >> "thingy" <> wrote in message
    >> news:45c029ee$...
    >>> I have two distinct sites, both have AD, both are controlled by
    >>> totally separate entities....A 3rd entity wants their own AD to be
    >>> across both like a virtual company and login from any PC
    >>> physically on either site and get authenticated to their own
    >>> AD....
    >>>
    >>> So we have a 3rd AD floating about the other two....as far as I
    >>> can determine, the PC has to belong to one AD and only one AD, yet
    >>> an employee could be from an original AD or the floating
    >>> one....so somehow this has to be achieved....
    >>>
    >>> Can it be done?
    >>>
    >>> I cannot see how but I am no MS guru...
    >>>
    >>> regards
    >>>
    >>> Thing

    >>
    >> Hi Thing,
    >>
    >> I believe you can set up a trust relationship.
    >>
    >> Windows Server 2003 specifically has this facility.
    >>
    >> If any of the sites are SBS (rather than Windows Server) then you
    >> may have an issue, as SBS is specifically marketed to people who
    >> don't want to be able to have multiple domains within a forest (and
    >> of course it costs a lot less).
    >>
    >> HTH,

    >
    >
    > Trusts across forests assume the PC is only authenticated to (lives
    > in) one domain. The problem I have is a virtual organisation living
    > within 2 real ones....so it's not a one-to-many, which a forest trust
    > accomplishes, but a many-to-many, which as a solution it does not.
    >
    > regards
    >
    > thing
    >


    Why not have the employee from Co3 login on a PC at either Co1 or Co2,
    then VPN (say) to Co3's domain?

    What does the employee of Co3 actually need to do / achieve in the
    scenario that you describe? Give us some broader context and perhaps
    we can brainstorm a different solution?

    --
    Alan.

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Feb 1, 2007
    #6
  7. thingy

    Enkidu Guest

    thingy wrote:
    > Enkidu wrote:
    >> thingy wrote:
    >>> I have two distinct sites, both have AD, both are controlled by
    >>> totally separate entities....A 3rd entity wants their own AD to
    >>> be across both like a virtual company and login from any PC
    >>> physically on either site and get authenticated to their own
    >>> AD....
    >>>
    >>> So we have a 3rd AD floating about the other two....as far as I
    >>> can determine, the PC has to belong to one AD and only one AD,
    >>> yet an employee could be from an original AD or the floating
    >>> one....so somehow this has to be achieved....
    >>>
    >>> Can it be done?
    >>>
    >>> I cannot see how but I am no MS guru...
    >>>

    >> What you are talking about is a 'tree' in a 'forest'. The 'forest'
    >> has a single 'tree', with the floating AD as the root and the others
    >> as child domains of the parent.
    >>
    >> Can you get there from here? Nope, because the root has to exist
    >> before the children and can't be added afterwards.
    >>
    >> You'd need to create a root, migrate the root domain stuff from the
    >> floating domain, create the children and migrate the stuff from
    >> them.
    >>
    >> Well, that's a long term solution. As a medium term solution you
    >> could set up trusts between the domains, as Alan suggested.

    >
    > All three organisations have their own root....there is no overall
    > root......the two original physical domains are separate companies so
    > creating a common root is not possible in a business sense, let
    > alone the practical technical one.
    >
    > It would be like asking RedHat (assuming RH was MS based for a moment
    > and not Linux) and Microsoft to have a common root so Novell can
    > easily exist inside them....
    >

    Can you expand on what you want? How about an empty root and three child
    Domains?

    Cheers,

    Cliff

    --

    Have you ever noticed that if something is advertised as 'amusing' or
    'hilarious', it usually isn't?
     
    Enkidu, Feb 1, 2007
    #7
  8. thingy

    thingy Guest

    Alan wrote:
    > "thingy" <> wrote in message
    > news:...
    >> Alan wrote:
    >>> "thingy" <> wrote in message
    >>> news:45c029ee$...
    >>>> I have two distinct sites, both have AD, both are controlled by
    >>>> totally separate entities....A 3rd entity wants their own AD to be
    >>>> across both like a virtual company and login from any PC
    >>>> physically on either site and get authenticated to their own
    >>>> AD....
    >>>>
    >>>> So we have a 3rd AD floating about the other two....as far as I
    >>>> can determine, the PC has to belong to one AD and only one AD, yet
    >>>> an employee could be from an original AD or the floating
    >>>> one....so somehow this has to be achieved....
    >>>>
    >>>> Can it be done?
    >>>>
    >>>> I cannot see how but I am no MS guru...
    >>>>
    >>>> regards
    >>>>
    >>>> Thing
    >>> Hi Thing,
    >>>
    >>> I believe you can set up a trust relationship.
    >>>
    >>> Windows Server 2003 specifically has this facility.
    >>>
    >>> If any of the sites are SBS (rather than Windows Server) then you
    >>> may have an issue, as SBS is specifically marketed to people who
    >>> don't want to be able to have multiple domains within a forest (and
    >>> of course it costs a lot less).
    >>>
    >>> HTH,

    >>
    >> Trusts across forests assume the PC is only authenticated to (lives
    >> in) one domain. The problem I have is a virtual organisation living
    >> within 2 real ones....so it's not a one-to-many, which a forest trust
    >> accomplishes, but a many-to-many, which as a solution it does not.
    >>
    >> regards
    >>
    >> thing
    >>

    >
    > Why not have the employee from Co3 login on a PC at either Co1 or Co2,
    > then VPN (say) to Co3's domain?
    >
    > What does the employee of Co3 actually need to do / achieve in the
    > scenario that you describe? Give us some broader context and perhaps
    > we can brainstorm a different solution?
    >


    Co3 could be in either Co1's or Co2's site...so they need to login to
    any PC and get to Co3....while they could be given 3 logins....it means
    3 logins plus Co1 and Co2 are stuck with maintaining Co3 users and have
    to add a VPN to each of their desktop images (around 10,000 of
    them)......clunky....not unworkable though....it may be the only
    practical solution....a true federated service would allow single
    sign-on....that is not available and 2 to 4 years off....

    From inside Co3 they can then reach back to Co1 and Co2 and get the
    services they need, either via two forest trusts or a point-to-point
    solution.....Co3's bandwidth and CPU use could also be rather high due to
    the video and sound editing...

    Oh, and I expect a decent % of them to want Macs...

    regards

    Thing
     
    thingy, Feb 1, 2007
    #8
  9. thingy

    thingy Guest

    Enkidu wrote:
    > thingy wrote:
    >> Enkidu wrote:
    >>> thingy wrote:
    >>>> I have two distinct sites, both have AD, both are controlled by
    >>>> totally separate entities....A 3rd entity wants their own AD to
    >>>> be across both like a virtual company and login from any PC
    >>>> physically on either site and get authenticated to their own
    >>>> AD....
    >>>>
    >>>> So we have a 3rd AD floating about the other two....as far as I
    >>>> can determine, the PC has to belong to one AD and only one AD,
    >>>> yet an employee could be from an original AD or the floating
    >>>> one....so somehow this has to be achieved....
    >>>>
    >>>> Can it be done?
    >>>>
    >>>> I cannot see how but I am no MS guru...
    >>>>
    >>> What you are talking about is a 'tree' in a 'forest'. The 'forest'
    >>> has a single 'tree', with the floating AD as the root and the others
    >>> as child domains of the parent.
    >>>
    >>> Can you get there from here? Nope, because the root has to exist
    >>> before the children and can't be added afterwards.
    >>>
    >>> You'd need to create a root, migrate the root domain stuff from the
    >>> floating domain, create the children and migrate the stuff from
    >>> them.
    >>>
    >>> Well, that's a long term solution. As a medium term solution you
    >>> could set up trusts between the domains, as Alan suggested.

    >>
    >> All three organisations have their own root....there is no overall
    >> root......the two original physical domains are separate companies so
    >> creating a common root is not possible in a business sense, let
    >> alone the practical technical one.
    >>
    >> It would be like asking RedHat (assuming RH was MS based for a moment
    >> and not Linux) and Microsoft to have a common root so Novell can
    >> easily exist inside them....
    >>

    > Can you expand on what you want? How about an empty root and three child
    > Domains?
    >
    > Cheers,
    >
    > Cliff
    >


    It means compromising the two independent companies? Security-wise it is
    a huge ask...they already have their own roots, so their differently
    named roots would have to be pulled into an empty one and then extracted
    about 3~4 years from now. These organisations are separate, so all of a
    sudden the two are joined at the hip....the complexity just went up but
    the cost recovery for it is not there....

    Theoretically possible but costly, risky and complex to my mind...longer
    term the third company wants to be physically and mentally separate, it
    just gets gestated and then gets "ejected" once mature enough in
    business and in IT terms to survive on its own...

    regards

    Thing
     
    thingy, Feb 1, 2007
    #9
  10. thingy

    thingy Guest

    Alan wrote:
    > "thingy" <> wrote in message
    > news:...
    >> Alan wrote:
    >>> "thingy" <> wrote in message
    >>> news:45c029ee$...
    >>>> I have two distinct sites, both have AD, both are controlled by
    >>>> totally separate entities....A 3rd entity wants their own AD to be
    >>>> across both like a virtual company and login from any PC
    >>>> physically on either site and get authenticated to their own
    >>>> AD....
    >>>>
    >>>> So we have a 3rd AD floating about the other two....as far as I
    >>>> can determine, the PC has to belong to one AD and only one AD, yet
    >>>> an employee could be from an original AD or the floating
    >>>> one....so somehow this has to be achieved....
    >>>>
    >>>> Can it be done?
    >>>>
    >>>> I cannot see how but I am no MS guru...
    >>>>
    >>>> regards
    >>>>
    >>>> Thing
    >>> Hi Thing,
    >>>
    >>> I believe you can set up a trust relationship.
    >>>
    >>> Windows Server 2003 specifically has this facility.
    >>>
    >>> If any of the sites are SBS (rather than Windows Server) then you
    >>> may have an issue, as SBS is specifically marketed to people who
    >>> don't want to be able to have multiple domains within a forest (and
    >>> of course it costs a lot less).
    >>>
    >>> HTH,

    >>
    >> Trusts across forests assume the PC is only authenticated to (lives
    >> in) one domain. The problem I have is a virtual organisation living
    >> within 2 real ones....so it's not a one-to-many, which a forest trust
    >> accomplishes, but a many-to-many, which as a solution it does not.
    >>
    >> regards
    >>
    >> thing
    >>

    >
    > Why not have the employee from Co3 login on a PC at either Co1 or Co2,
    > then VPN (say) to Co3's domain?
    >
    > What does the employee of Co3 actually need to do / achieve in the
    > scenario that you describe? Give us some broader context and perhaps
    > we can brainstorm a different solution?
    >



    The issue with VPN is the disparate applications required by Co3 would
    have to sit on Co1's and Co2's desktops....it's not just adding a VPN,
    is it?

    Methinks a Citrix / terminal services / thin client solution would be
    more effective?

    I want to minimise the work on the two separate organisations'
    independent desktops....VPN means a huge change to the desktop....thin
    client / Citrix avoids that?

    The disadvantage may be the bandwidth requirements....streaming video
    and audio....

    regards

    Thing
     
    thingy, Feb 1, 2007
    #10
  11. thingy

    Scott Lemon Guest

    "thingy" <> wrote in message
    news:...
    > Alan wrote:
    >> "thingy" <> wrote in message
    >> news:...
    >>> Alan wrote:
    >>>> "thingy" <> wrote in message
    >>>> news:45c029ee$...
    >>>>> I have two distinct sites, both have AD, both are controlled by
    >>>>> totally separate entities....A 3rd entity wants their own AD to be
    >>>>> across both like a virtual company and login from any PC physically on
    >>>>> either site and get authenticated to their own AD....
    >>>>>
    >>>>> So we have a 3rd AD floating about the other two....as far as I can
    >>>>> determine, the PC has to belong to one AD and only one AD, yet an
    >>>>> employee could be from an original AD or the floating one....so
    >>>>> somehow this has to be achieved....
    >>>>>
    >>>>> Can it be done?
    >>>>>
    >>>>> I cannot see how but I am no MS guru...
    >>>>>
    >>>>> regards
    >>>>>
    >>>>> Thing
    >>>> Hi Thing,
    >>>>
    >>>> I believe you can set up a trust relationship.
    >>>>
    >>>> Windows Server 2003 specifically has this facility.
    >>>>
    >>>> If any of the sites are SBS (rather than Windows Server) then you may
    >>>> have an issue, as SBS is specifically marketed to people who don't want
    >>>> to be able to have multiple domains within a forest (and of course it
    >>>> costs a lot less).
    >>>>
    >>>> HTH,
    >>>
    >>> Trusts across forests assume the PC is only authenticated to (lives in)
    >>> one domain. The problem I have is a virtual organisation living within 2
    >>> real ones....so it's not a one-to-many, which a forest trust accomplishes,
    >>> but a many-to-many, which as a solution it does not.
    >>>
    >>> regards
    >>>
    >>> thing
    >>>

    >>
    >> Why not have the employee from Co3 login on a PC at either Co1 or Co2,
    >> then VPN (say) to Co3's domain?
    >>
    >> What does the employee of Co3 actually need to do / achieve in the
    >> scenario that you describe? Give us some broader context and perhaps we
    >> can brainstorm a different solution?
    >>

    >
    >
    > The issue with VPN is the disparate applications required by Co3 would
    > have to sit on Co1's and Co2's desktops....it's not just adding a VPN,
    > is it?
    >
    > Methinks a Citrix / terminal services / thin client solution would be
    > more effective?
    >
    > I want to minimise the work on the two separate organisations'
    > independent desktops....VPN means a huge change to the desktop....thin
    > client / Citrix avoids that?
    >
    > The disadvantage may be the bandwidth requirements....streaming video
    > and audio....


    Citrix is optimised for operation over low-bandwidth links; a remote
    session has very low overhead. Over a decent WAN link your application
    performance should be indistinguishable from a local connection.
     
    Scott Lemon, Feb 2, 2007
    #11