Differences in Trusts

Guest
Archived from groups: microsoft.public.win2000.active_directory

Hi,

Could anyone please point me in the correct direction. I'll firstly try
and explain what I've done. We are in the early stages of moving our
production servers from our office to a datacentre. Our current domain
is Windows 2000 and the name schema is in the format of
locationa.domain.com.

I then created a new Windows 2003 domain at the new site with the name
locationab.domain.com. The network team created a tunnel between the two
sites. In locationb I created a secondary DNS server with a copy of the
locationa DNS and vice versa at location a.

I have created external trusts between the two domains.

Now to the question :) Is there much of a difference between creating the
above and the option when you DCPROMO to add a new domain to an existing forest?

Thanks

Bryn
 
Guest

"Buzz" <buzz@ming-uk.com> wrote in message
news:42612525$0$2603$da0feed9@news.zen.co.uk...
> Hi,
>
> Could anyone please point me in the correct direction. I'll firstly try
> and explain what I've done. We are in the early stages of moving our
> production servers from our office to a datacentre. Our current domain
> is Windows 2000 and the name schema is in the format of
> locationa.domain.com.

> I then created a new Windows 2003 domain at the new site with the name
> locationab.domain.com. The network team created a tunnel between the two
> sites. In locationb I created a secondary DNS server with a copy of the
> locationa DNS and vice versa at location a.

OK, so they can find each other due to the "cross secondaries."

> I have created external trusts between the two domains.

So these domains are NOT in the same forest?

You don't need external trusts if they are in the same forest.

And if you NEED the external trusts, then you need NetBIOS
name resolution to work. Through routers (VPN etc.) you have
described you will also need WINS Server to help NetBIOS
work.


> Now to the question :) Is there much of a difference between creating the
> above and the option when you DCPROMO to add a new domain to an existing forest?

Yes. Domain trusts within a forest are automatic,
two-way, transitive (to any child, etc. domains) while
external trusts are one-way, manual, and intransitive.

External trusts also require NetBIOS name resolution,
while the automatic domain trusts do not.

There are other (non-trust) implications to having
multiple forests of course: different schemas, different
sites and service Configuration partition, different GCs,
different Enterprise Admins, authorization of DHCP
servers, etc.
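The distinction Herb draws above (automatic, two-way, transitive trusts inside a forest versus manual, intransitive external trusts) is visible directly on the trust objects, so a quick inventory tells you which kind you actually have. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is installed and that you run it as a domain user on a domain-joined machine. It also reports whether SID filter quarantining is on for each external trust, which Windows Server 2003 enables by default.

```powershell
# Added example: inventory the trusts of the current domain and classify each one
# as intra-forest (automatic, transitive), forest trust (transitive) or external
# (manual, intransitive, needs NetBIOS/WINS resolution across the VPN).
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        [string]$Server   # optional: a specific DC to query; defaults to the discovered DC
    )
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    Get-ADTrust @params | ForEach-Object {
        $kind = if ($_.IntraForest) {
                    'intra-forest (automatic, transitive)'
                } elseif ($_.ForestTransitive) {
                    'forest trust (transitive)'
                } else {
                    'external trust (manual, intransitive)'
                }

        [pscustomobject]@{
            Partner                 = $_.Name
            Kind                    = $kind
            Direction               = $_.Direction               # BiDirectional / Inbound / Outbound
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            TrustType               = $_.TrustType               # Uplevel = AD domain, Downlevel = NT4
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined # should be $true on external trusts
        }
    }
}

# External trusts are the ones that depend on NetBIOS name resolution, so
# list them separately: these are the partners WINS must be able to resolve.
$report = Get-TrustReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive } |
    ForEach-Object { "NetBIOS resolution required for external trust partner: $($_.Partner)" }
```

Run it in each of the two domains; if locationa and locationab were really in one forest you would see the partner listed with IntraForest set to True and no external trust at all.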
 
Guest

> Is there much of a difference between creating the above and the option when you
> DCPROMO to add a new domain to an existing forest?

When you add another domain to the existing forest you share a common schema
and configuration (sites, services, etc.). You are also governed by the
root domain and can be exploited by clever and unhappy IT people ;-)

When you create a new domain in a new forest like you have, you have nothing
in common with the other domain other than the external trust you have
set up. You do not share a common schema or configuration.

The security aspect is always debatable if admins can't be trusted, or if
you're so wide open that people can run interactively in your network...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
 
Guest

ptwilliams wrote:
>> Is there much of a difference between creating the above and the option when you
>> DCPROMO to add a new domain to an existing forest?
>
> When you add another domain to the existing forest you share a common schema
> and configuration (sites, services, etc.). You are also governed by the
> root domain and can be exploited by clever and unhappy IT people ;-)
>
> When you create a new domain in a new forest like you have, you have nothing
> in common with the other domain other than the external trust you have
> set up. You do not share a common schema or configuration.
>
> The security aspect is always debatable if admins can't be trusted, or if
> you're so wide open that people can run interactively in your network...

Thanks for the reply, I thought you only shared the same schema if you
had the same domain structure and were child domains from the same root
domain?

So are you saying that manually creating the trusts in "domains and
trusts" is the same as the option to "create a new domain in new forest"
when using DCPROMO?... Sorry, I didn't explain myself correctly in the
original question.
 
Guest

"Buzz" <buzz@ming-uk.com> wrote in message
news:426136ee$0$2603$da0feed9@news.zen.co.uk...

> Thanks for the reply, I thought you only shared the same schema if you
> had the same domain structure and were child domains from the same root
> domain?

Every domain in the forest shares a schema since
the schema is a forest-wide resource.

It doesn't matter if you are in the same DNS tree or
not; if the forest is a single one, there is only one schema.

As to domain "structure" -- the schema is the rules
about that structure, what you can and cannot, or must
do when creating a particular domain structure.

> So are you saying that manually creating the trusts in "domains and
> trusts" is the same as the option to "create a new domain in new forest"

No, but if you didn't create it in a separate forest there
would be practically no reason to create an extra (and
external) trust.

Trusts are automatic within the same forest.

> when using DCPROMO?... Sorry, I didn't explain myself correctly in the
> original question.

It made good sense -- why you are doing it is
harder to understand.
 
Guest

Herb Martin wrote:
> "Buzz" <buzz@ming-uk.com> wrote in message
> news:42612525$0$2603$da0feed9@news.zen.co.uk...
>
>> Hi,
>>
>> Could anyone please point me in the correct direction. I'll firstly try
>> and explain what I've done. We are in the early stages of moving our
>> production servers from our office to a datacentre. Our current domain
>> is Windows 2000 and the name schema is in the format of
>> locationa.domain.com.
>
>> I then created a new Windows 2003 domain at the new site with the name
>> locationab.domain.com. The network team created a tunnel between the two
>> sites. In locationb I created a secondary DNS server with a copy of the
>> locationa DNS and vice versa at location a.
>
> OK, so they can find each other due to the "cross secondaries."
>
>> I have created external trusts between the two domains.
>
> So these domains are NOT in the same forest?
>
> You don't need external trusts if they are in the same forest.
>
> And if you NEED the external trusts, then you need NetBIOS
> name resolution to work. Through routers (VPN etc.) you have
> described you will also need WINS Server to help NetBIOS
> work.
>
>> Now to the question :) Is there much of a difference between creating the
>> above and the option when you DCPROMO to add a new domain to an existing forest?
>
> Yes. Domain trusts within a forest are automatic,
> two-way, transitive (to any child, etc. domains) while
> external trusts are one-way, manual, and intransitive.
>
> External trusts also require NetBIOS name resolution,
> while the automatic domain trusts do not.
>
> There are other (non-trust) implications to having
> multiple forests of course: different schemas, different
> sites and service Configuration partition, different GCs,
> different Enterprise Admins, authorization of DHCP
> servers, etc.

Hi Herb,

Thanks for the reply, I understand what you're saying; I think this is the
issue I am having. OK, so I haven't gone very far down this road. If I
were to DCPROMO and remove AD and re-install with the option of "domain
tree in an existing forest", can I install Exchange 2003 in the new site
and migrate the users over? We have Exchange 2000 in the old domain.

Thanks

Hywel
 
Guest

"Buzz" <buzz@ming-uk.com> wrote in message
news:42613b1b$0$26336$db0fefd9@news.zen.co.uk...

> Hi Herb,
>
> Thanks for the reply, I understand what you're saying; I think this is the
> issue I am having. OK, so I haven't gone very far down this road. If I
> were to DCPROMO and remove AD and re-install with the option of "domain
> tree in an existing forest", can I install Exchange 2003 in the new site
> and migrate the users over?

Well, see, but you can do it either way -- migration is possible
cross-forest if you fix up the external trusts.

One also wonders why you put "site" names in your Domain
DNS names.

> We have Exchange 2000 in the old domain.

You could just upgrade too and then all this migration would
be unnecessary.

Generally, one should NOT pick a domain that will ever
change.
 
Guest

Herb's sorted all your questions, so I'll just reiterate that within a
forest all needed trusts are created for you automatically. You can create
shortcut trusts, but that is only really needed when you've got deep domain
trees, for example.

Now that you've realised that you've got two forests, and you only want one,
there are some considerations you need to think about - particularly with
Exchange. Remember there's only one Exchange organisation per forest, and
in order to migrate your domain needs to be in native mode. If you are
migrating mailboxes, you might want to consider using the Exchange Migration
Wizard, as opposed to ADMT, for the mailboxes. MS have actually dropped the
mailbox migration feature from the next version of ADMT because they weren't
happy with its performance...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
 
Guest

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:OyIyXo0QFHA.648@TK2MSFTNGP14.phx.gbl...
> Herb's sorted all your questions, so I'll just reiterate that within a
> forest all needed trusts are created for you automatically. You can create
> shortcut trusts, but that is only really needed when you've got deep domain
> trees, for example.

Sometime we should talk about "shortcut" trusts.

(Most of the books don't understand the REAL
reasons for using them.)

> Now that you've realised that you've got two forests, and you only want one,
> there are some considerations you need to think about - particularly with
> Exchange. Remember there's only one Exchange organisation per forest, and
> in order to migrate your domain needs to be in native mode. If you are
> migrating mailboxes, you might want to consider using the Exchange Migration
> Wizard, as opposed to ADMT, for the mailboxes. MS have actually dropped the
> mailbox migration feature from the next version of ADMT because they weren't
> happy with its performance...
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net