AD Replication of child domains

djp

Dec 13, 2004
Archived from groups: microsoft.public.win2000.active_directory

Hi, What I know about AD can be written on the back of a postage
stamp, so please bear with me.

I have a domain structure that looks a bit like this:

domain.com
finance.domain.com
corporate.domain.com
legal.domain.com

domain.com contains no users and each of the child domains contains
their "own" users. That is, the people that are in finance.domain.com
are not also in corporate.domain.com. There is no replication between
domains. Each child domain administers users in their own domain.
e.g. an admin in finance has no ability to change users in legal. We
want to preserve this "devolved administration" model.

What I want to do is have a single domain with a "read-only"
(apologies if I am not using the correct terminology) copy of the
users from all domains. To my mind we can achieve this in one of two
ways:

1. create a "dummy" domain called global.domain.com and replicate the
contents of each domain into global.

2. replicate each of the domains into the root domain.

Essentially the aims are to get everyone in a single domain and not
allow anyone in a child domain to be able to add or update in another
child domain.

Is this a standard feature of AD? Am I approaching it in the correct
manner? Is one or other of the approaches I have outlined above
suitable or is there another, preferred method? Is there any
significant difference between AD in 2000 and AD in 2003?

Many thanks to anyone who takes the time to help me out.

DjP
 

"DjP" <david.percy@infra.co.uk> wrote in message
news:78a9a253.0412130148.3fc2bd8d@posting.google.com...
> Hi, What I know about AD can be written on the back of a postage
> stamp, so please bear with me.
>
> I have a domain structure that looks a bit like this:
>
> domain.com
> finance.domain.com
> corporate.domain.com
> legal.domain.com
>
> domain.com contains no users and each of the child domains contains
> their "own" users. That is, the people that are in finance.domain.com
> are not also in corporate.domain.com.

Which is as it should be.

> There is no replication between
> domains.

There is LIMITED replication between domains of the
same Forest.

Configuration and Schema are replicated to every DC in the Forest;
GCs replicate forest-wide.

> Each child domain administers users in their own domain.
> e.g. an admin in finance has no ability to change users in legal. We
> want to preserve this "devolved administration" model.

Then keep the current model.

> What I want to do is have a single domain with a "read-only"
> (apologies if I am not using the correct terminology) copy of the
> users from all domains. To my mind we can achieve this in one of two
> ways:

In some sense this is a GC -- make sure every site has at
least one or more GCs (a DC setting in AD Sites/Services.)

Why do you want this? What do you REALLY want?

> 1. create a "dummy" domain called global.domain.com and replicate the
> contents of each domain into global.
>
> 2. replicate each of the domains into the root domain.

You cannot really do this.

Every DC has only the records for its own domain (by
default) unless it is a GC, in which case it also has
PART of the record for every object in the FOREST.

> Essentially the aims are to get everyone in a single domain and not
> allow anyone in a child domain to be able to add or update in another
> child domain.

In that case you should just remove all the other
domains after the migration.

You cannot create the "same object" in multiple domains.

They would be different objects and conflict with each other.

> Is this a standard feature of AD? Am I approaching it in the correct
> manner?

No, and no.

> Is one or other of the approaches I have outlined above
> suitable or is there another, preferred method? Is there any
> significant difference between AD in 2000 and AD in 2003?

Not on this subject.

> Many thanks to anyone who takes the time to help me out.

--
Herb Martin

>
> DjP
 

Hi!

From what I read (between the lines), I guess you want to:

1. Have one user repository instead of 3.

2. Consolidate the domain structure into fewer units.

3. Maintain the current administrative delegation to your own IT resources.

Please correct me on these if I'm wrong.

Anyway, delving into the deepest pits of what you're trying to achieve
might be hard to do using this ng; I will try to keep things at a
conceptual level.

First of all, if your aim is to have a single user repository, for perhaps
another app. or for querying, you actually already have it, as all domains within the
same forest (or tree, for that matter) share the same global catalog
(GC). The GC contains a subset of the objects of all domains, which can be
used for cross-domain querying etc. and can be accessed through LDAP. You just
have to figure out which DCs are configured as GC; you can see this in
Active Directory Sites and Services. More about the GC here:
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_gcatg_what.asp

If you aim to simplify your domain structure, you could consolidate
your domains into a new or existing one, and remove the current child
domains (i.e. finance, corporate, legal). This can be done in several ways,
i.e. by extending the current structure with a new domain, or using the root
domain (or you might choose to protect the root from user access), and using
tools for migrating or moving users (movetree, scripts, ADMT and so on).
After consolidating you can still maintain decentralized administration by using
AD delegation to ensure that local administrators can only perform admin.
functions on their "own" users and/or other resources. Please take into account
that consolidating domains also impacts computers, servers and other
resources, so this should be very well planned beforehand. Also take into account
that administrative considerations alone are not enough before consolidating,
as this also has an impact on other factors (policies, security, replication
etc.).

Replicating (copying) user objects within the same forest can be done in
several ways (i.e. creating vbscripts or the like), but as a rule it is
always recommended to stay away from creating redundant data, as this
complicates operations, security, uniqueness etc. If you can enable "live"
data and objects to function for your purposes, this might be a more
rational solution.

I can only recommend spending some time getting a grasp of basic AD fundamentals,
as this might inspire you to move further into meeting your requirements
AD-wise.
Otherwise you can get an overview and links to more detailed information
here:
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

Regards

Søren Lassen
MCSE



"DjP" <david.percy@infra.co.uk> wrote in message
news:78a9a253.0412130148.3fc2bd8d@posting.google.com...
> Hi, What I know about AD can be written on the back of a postage
> stamp, so please bear with me.
>
> I have a domain structure that looks a bit like this:
>
> domain.com
> finance.domain.com
> corporate.domain.com
> legal.domain.com
>
> domain.com contains no users and each of the child domains contains
> their "own" users. That is, the people that are in finance.domain.com
> are not also in corporate.domain.com. There is no replication between
> domains. Each child domain administers users in their own domain.
> e.g. an admin in finance has no ability to change users in legal. We
> want to preserve this "devolved administration" model.
>
> What I want to do is have a single domain with a "read-only"
> (apologies if I am not using the correct terminology) copy of the
> users from all domains. To my mind we can achieve this in one of two
> ways:
>
> 1. create a "dummy" domain called global.domain.com and replicate the
> contents of each domain into global.
>
> 2. replicate each of the domains into the root domain.
>
> Essentially the aims are to get everyone in a single domain and not
> allow anyone in a child domain to be able to add or update in another
> child domain.
>
> Is this a standard feature of AD? Am I approaching it in the correct
> manner? Is one or other of the approaches I have outlined above
> suitable or is there another, preferred method? Is there any
> significant difference between AD in 2000 and AD in 2003?
>
> Many thanks to anyone who takes the time to help me out.
>
> DjP
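Both replies above point at the global catalog as the forest-wide, read-only view the original poster is asking for. The following is an added example, not code from either reply, showing how a practitioner would list which DCs hold the GC role and then query the GC over LDAP (port 3268, the GC:// provider) to see users from every domain in the forest at once. It assumes a domain-joined Windows host with .NET's System.DirectoryServices available; no domain names are hard-coded, the forest name is read at run time.

```powershell
# Added example (not from the thread): enumerate the forest's global catalogs and
# run a forest-wide, read-only user query against the GC instead of a single domain.
# Assumes a domain-joined Windows host; the forest name is discovered at run time.
Add-Type -AssemblyName System.DirectoryServices

# 1. Which DCs are configured as GC (the same information as AD Sites and Services).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.GlobalCatalogs | ForEach-Object {
    [pscustomobject]@{
        GlobalCatalog = $_.Name
        Site          = $_.SiteName
        HomeDomain    = $_.Domain.Name
    }
} | Format-Table -AutoSize

# 2. Bind to the GC partition (port 3268) rather than a domain partition (port 389).
#    Convert the forest FQDN (e.g. domain.com) to its DN (DC=domain,DC=com).
$forestDn = "DC=" + ($forest.Name -split '\.' -join ',DC=')
$gc       = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestDn")

# The GC holds only the partial attribute set for objects from other domains,
# so ask for attributes that are in the PAS by default.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500    # paged results, so large forests do not hit the server size limit
$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userPrincipalName", "distinguishedName"))

$results = $searcher.FindAll()
try {
    # Group by the domain part of each DN to show that users from every
    # child domain come back from one query, without copying any objects.
    $results | ForEach-Object {
        $p  = $_.Properties
        $dn = [string]$p["distinguishedname"][0]
        [pscustomobject]@{
            Domain  = (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=' ) -join '.'
            Account = [string]$p["samaccountname"][0]
            UPN     = [string]$p["userprincipalname"][0]
        }
    } | Sort-Object Domain, Account | Format-Table -AutoSize
}
finally {
    $results.Dispose()    # SearchResultCollection holds unmanaged handles
}
```

Because the GC partition for a foreign domain is read-only and contains only the partial attribute set, any attribute outside the PAS will simply come back empty here; that is the behaviour Herb Martin describes as "PART of the record for every object in the FOREST".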