users at remote office cannot access shared dirs in main o..

Archived from groups: microsoft.public.win2000.active_directory

background:
2 DCs in the main office with domain name: "company.com"

1 DC in the remote office with local domain name: "company.local".
Users at remote office authenticate locally.

Full T1 internet at both locations, which are connected with a VPN tunnel.

problem:
Users at remote office are unable to access the shared folders at the main
office. When they try to do it, the user account will be locked out.

I am told to rebuild all the servers, and create a sub-domain for remote
office. However, it's not possible for us now.
Is it possible to change the remote domain, "company.local" to be
"remote.company.com" and solve the problem?

Thanks
calvin
  1. Archived from groups: microsoft.public.win2000.active_directory

    PinkCrib,

    Why do you need a sub-domain for the remote office(s)? This usually makes
    little sense. The key word being *usually*. Simply make use of Active
    Directory Sites and Services, create a second site ( for the other office ),
    create the appropriate Subnet ( for the 'remote' location ) and associate
    that Subnet with the correct Site! And make sure that you have a
    Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    have a private T1 or whatnot connecting the two Sites ).

    Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    Services. And there is nothing wrong with that! This is one of the many
    benefits to the news groups.

    Is there a specific business requirement for the sub-domain?

    Usually when you have a sub-domain ( well, what you have actually is two
    separate WIN2000 Forests ) there is a trust in place. The trust simply
    makes resources in one domain available to users in another domain.
    However, you still need to make sure that the Share and NTFS Permissions are
    correct. Even with the trust in place if the permissions are not there then
    there will be no access to the resources.

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    > background:
    > 2 DCs in the main office with domain name: "company.com"
    >
    > 1 DC in the remote office with local domain name: "company.local".
    > Users at remote office authenticate locally.
    >
    > Full T1 internet at both locations, which are connected with a VPN tunnel.
    >
    > problem:
    > Users at remote office are unable to access the shared folders at the main
    > office. When they try to do it, the user account will be locked out.
    >
    > I am told to rebuild all the servers, and create a sub-domain for remote
    > office. However, it's not possible for us now.
    > Is it possible to change the remote domain, "company.local" to be
    > "remote.company.com" and solve the problem?
    >
    > Thanks
    > calvin
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory

    Cary,
    Thanks for the reply. What I'm trying to accomplish here is merely to make sure
    users at the remote office(s) can access the shared folders/files in the main
    office.

    I thought creating a sub-domain was the best practice when you have multiple
    sites, and yes, we expect to add one or two more satellite offices down the
    road, and we might need to access all the network shares across those
    offices.

    Currently we do have a Firewall-to-Firewall VPN between the two Sites and, like
    you said, they are two separate win2k forests (which we didn't do right
    at the beginning, I think).

    So, how exactly do we accomplish our goal? Set up a trust between the
    two domains?

    Thanks again.

    Calvin


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    > PinkCrib,
    >
    > Why do you need a sub-domain for the remote office(s)? This usually makes
    > little sense. The key word being *usually*. Simply make use of Active
    > Directory Sites and Services, create a second site ( for the other office ),
    > create the appropriate Subnet ( for the 'remote' location ) and associate
    > that Subnet with the correct Site! And make sure that you have a
    > Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    > have a private T1 or whatnot connecting the two Sites ).
    >
    > Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    > not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    > Services. And there is nothing wrong with that! This is one of the many
    > benefits to the news groups.
    >
    > Is there a specific business requirement for the sub-domain?
    >
    > Usually when you have a sub-domain ( well, what you have actually is two
    > separate WIN2000 Forests ) there is a trust in place. The trust simply
    > makes resources in one domain available to users in another domain.
    > However, you still need to make sure that the Share and NTFS Permissions are
    > correct. Even with the trust in place if the permissions are not there then
    > there will be no access to the resources.
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24012
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    > news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    > > background:
    > > 2 DCs in the main office with domain name: "company.com"
    > >
    > > 1 DC in the remote office with local domain name: "company.local".
    > > Users at remote office authenticate locally.
    > >
    > > Full T1 internet at both locations, which are connected with a VPN tunnel.
    > >
    > > problem:
    > > Users at remote office are unable to access the shared folders at the main
    > > office. When they try to do it, the user account will be locked out.
    > >
    > > I am told to rebuild all the servers, and create a sub-domain for remote
    > > office. However, it's not possible for us now.
    > > Is it possible to change the remote domain, "company.local" to be
    > > "remote.company.com" and solve the problem?
    > >
    > > Thanks
    > > calvin
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory

    Calvin,

    please see comments in-line....

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    news:O%23SM4PdbFHA.1404@TK2MSFTNGP09.phx.gbl...
    > Cary,
    > Thanks for the reply. What I try to accomplish here is merely make sure
    > users at remote office(s) can access the shared folders/files in the main
    > office.

    okay, that is clear enough and more than simple enough

    > I thought creating sub-domain is the best practice when you have multiple
    > sites, and yes we expect to add one or two more satellite offices down the
    > road, and we might need to access all the network shares across those
    > offices.

    This should be no problem at all. Simply create a Site for each new
    location in the Active Directory Sites and Services MMC. Create a Subnet
    for each location ( for example, Roanoke would be 192.168.1.0, Richmond
    would be 192.168.10.0, Blacksburg would be 192.168.20.0 and Raleigh would be
    192.168.30.0 ) and associate that Subnet with the correct Site. Then it is
    as simple as setting up a Domain Controller in each Site ( make sure that
    the DC has the appropriate IP Address! ). Since this would all be
    'yourdomain.com' there would be no problem accessing shared folders at all!
    Well, assuming that the share and NTFS permissions are correct -AND- that
    you are not talking about huge files ( like PowerPoint or Excel ). Then
    there will be delays, possibly even timeouts....depending on the bandwidth
    of the links.

    Creating Sites essentially does two things: controls Active Directory
    replication and assists in logging in. You see, the way that it is supposed
    to work in multi-site environments is that the 'local' clients ( let's use
    Richmond for this example ) are supposed to authenticate against the 'local'
    Domain Controller ( so, against RIC-DC01, for example ). Only if that
    'local' DC were not available would the local clients authenticate against a
    Domain Controller in another Site ( 'not available', by default, means that
    RIC-DC01 does not respond within 100 milliseconds ).

    I am not sure that I have read anything stating that setting up a sub-domain
    for each location is a Best Practice. Do you have a link to this, or - as I
    think - are you just going from what you think that you remember? Not a
    problem if that is the case. There is a lot to know and it all kinda gets
    convoluted at times.

    Do some research on 'Branch Offices'. There are some really good articles
    out there about how to best set this up. Microsoft even has a White Paper
    on this.


    > Currently we do have Firewall-to-Firewall VPN between the two Sites and
    > like
    > you said they are two separated win2k forest. (which we didn't do it right
    > at the beginning I think)

    Well, it is a very good thing that there is a Site-to-Site VPN between the
    two locations. While I can not say for sure that you have not set things up
    correctly in the beginning, based on what you are telling us that you
    want / need I would say that you did indeed have some configuration errors.
    That is okay. We can fix this.


    > So, how exactly do we need to accomplish our goal? set up the trust
    > between
    > two domains?

    Well, setting up a trust between these two Forests might be a shortcut, but
    not what I think that you really want to do ( especially if the possibility
    exists that you will have more 'branch offices' ).

    Here is the big picture: I would dcpromo the existing Domain Controller (
    company.local ) and then format that partition and install WIN2000 all over
    again. Once you have set up the Site in Active Directory Sites and Services
    in the main office and associated the Subnet with that Site I would make
    sure that the WIN2000 Server has the correct IP Address. I would then run
    dcpromo, simply adding an additional Domain Controller to an existing
    Domain. I would make sure that this DC is also a Global Catalog Server. I
    would make sure that this DC also runs DDNS and DHCP. I would make sure
    that I then restored ( from back up or, if located on a different partition,
    maybe you do not need to worry about this ) all of the user files and
    folders ( understanding that the permissions are not going to work! ) are
    available. I would then fix this problem.

    Now, the biggest problem is that this office ( company.local ) has its own
    set of user account objects. I would look into ldifde to bring all of those
    user account objects to an .ldf file and then put that .ldf file on a floppy
    ( as well as somewhere else ). Then, once you have the Site set up and have
    run dcpromo ( to join an additional Domain Controller to an existing Domain
    as mentioned above ) I would import those user account objects back ( but
    you will have to change the dc=company, dc=local for each user to
    dc=company, dc=com.....this should be really really easy in
    Notepad.....Also, make sure that you have the correct location....meaning,
    if you have an OU called Employees and then have sub-OUs called Marketing
    and Sales then the user account objects are going to have DNs that look
    something like this:

    DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=local
    DN: CN=Clavin Pink, OU=Marketing, OU=Employees, DC=company, DC=local

    Naturally, you will change this DC=local to DC=com. So, the DNs would look
    like this:

    DN: CN=Cary Shultz, OU=Sales, OU=Employees, DC=company, DC=com
    DN: CN=Clavin Pink, OU=Marketing, OU=Employees, DC=company, DC=com

    When you import the .ldf file you need to make sure that the OU 'Employees'
    does indeed exist and that the sub-OUs 'Sales' and 'Marketing' exist. If
    this is how things are in the company.com domain then everything is okay.
    If this is not how things are then you either need to change the DN: to
    reflect how it is ( maybe it is simply CN=Cary Shultz, CN=Users, DC=company,
    DC=com ) or you need to create those OUs. Then import the .ldf file to
    create the user account objects.

    Is this clear?

    Then give it time to replicate. Also, you will need to make sure that you
    have added the 'new' Site to the DEFAULTIPSITELINK which is located in the
    Active Directory Sites and Services MMC.....The Site Link is pretty much the
    only thing that you need to do as far as this stuff is concerned. The KCC
    with its buddy the ISTG will take care of the rest for you....by default.

    > Thanks again.
    >
    > Calvin
    >
    >
    >
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    >> PinkCrib,
    >>
    >> Why do you need a sub-domain for the remote office(s)? This usually makes
    >> little sense. The key word being *usually*. Simply make use of Active
    >> Directory Sites and Services, create a second site ( for the other office ),
    >> create the appropriate Subnet ( for the 'remote' location ) and associate
    >> that Subnet with the correct Site! And make sure that you have a
    >> Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    >> have a private T1 or whatnot connecting the two Sites ).
    >>
    >> Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    >> not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    >> Services. And there is nothing wrong with that! This is one of the many
    >> benefits to the news groups.
    >>
    >> Is there a specific business requirement for the sub-domain?
    >>
    >> Usually when you have a sub-domain ( well, what you have actually is two
    >> separate WIN2000 Forests ) there is a trust in place. The trust simply
    >> makes resources in one domain available to users in another domain.
    >> However, you still need to make sure that the Share and NTFS Permissions are
    >> correct. Even with the trust in place if the permissions are not there then
    >> there will be no access to the resources.
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24012
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    >> news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    >> > background:
    >> > 2 DCs in the main office with domain name: "company.com"
    >> >
    >> > 1 DC in the remote office with local domain name: "company.local".
    >> > Users at remote office authenticate locally.
    >> >
    >> > Full T1 internet at both locations, which are connected with a VPN tunnel.
    >> >
    >> > problem:
    >> > Users at remote office are unable to access the shared folders at the main
    >> > office. When they try to do it, the user account will be locked out.
    >> >
    >> > I am told to rebuild all the servers, and create a sub-domain for remote
    >> > office. However, it's not possible for us now.
    >> > Is it possible to change the remote domain, "company.local" to be
    >> > "remote.company.com" and solve the problem?
    >> >
    >> > Thanks
    >> > calvin
    >> >
    >> >
    >>
    >>
    >
    >
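    The ldifde step above (export the company.local users, change every DC=local
    suffix to DC=com, and make sure each user's OU actually exists in company.com
    before importing) is easy to get wrong by hand in Notepad when there are more
    than a few users. The script below is an added example, not code from the
    thread or from Microsoft: it rewrites the dn: lines of an .ldf export, checks
    each rewritten parent container against a list of containers the admin says
    exist in the target domain, and relocates anything without a counterpart to a
    fallback container (CN=Users in this example). The sample export, the target
    container list and the fallback container are all constructed for the example.

```python
"""Rewrite DN suffixes in an ldifde export and check the parent containers.

Added example, not code from the thread. It automates the Notepad step in the
post (change every ``DC=company,DC=local`` to ``DC=company,DC=com``) and adds
the check the post asks for: does the user's OU exist in the target domain?
It assumes the .ldf text came from ``ldifde -f`` on the company.local DC; the
sample export and the list of target containers are constructed here.
"""
from __future__ import annotations

import re
from typing import Iterable

OLD_SUFFIX = "DC=company,DC=local"
NEW_SUFFIX = "DC=company,DC=com"

# Constructed sample export: two users, the second one in an OU that the
# (constructed) target domain does not have. The second dn is folded across
# two lines the way LDIF allows, so the unfolding step gets exercised too.
SAMPLE_LDF = """\
dn: CN=Cary Shultz,OU=Sales,OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
sAMAccountName: cshultz

dn: CN=Calvin Pink,OU=Marketing,
 OU=Employees,DC=company,DC=local
changetype: add
objectClass: user
sAMAccountName: cpink
"""

# Containers known to exist in company.com (constructed; supply your own list).
TARGET_CONTAINERS = {
    "OU=Employees,DC=company,DC=com",
    "OU=Sales,OU=Employees,DC=company,DC=com",
    "CN=Users,DC=company,DC=com",
}
# Where to put users whose original OU has no counterpart in the target domain.
FALLBACK_CONTAINER = "CN=Users,DC=company,DC=com"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas, trimming the spaces that
    hand-typed DNs (like the ones in the post) often carry."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def rewrite_dn(dn: str, old_suffix: str = OLD_SUFFIX, new_suffix: str = NEW_SUFFIX) -> str:
    """Replace the trailing domain components; refuse DNs from another domain."""
    parts, old = split_dn(dn), split_dn(old_suffix)
    if [p.lower() for p in parts[-len(old):]] != [p.lower() for p in old]:
        raise ValueError(f"DN is not under {old_suffix}: {dn}")
    return ",".join(parts[:-len(old)] + split_dn(new_suffix))


def place_in_target(dn: str, containers: Iterable[str], fallback: str) -> tuple[str, bool]:
    """Return the DN the object gets in the target domain and whether it had to
    be relocated because its parent container does not exist there."""
    new_dn = rewrite_dn(dn)
    parts = split_dn(new_dn)
    parent = ",".join(parts[1:])
    known = {",".join(split_dn(c)).lower() for c in containers}
    if parent.lower() in known:
        return new_dn, False
    return f"{parts[0]},{fallback}", True


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_ldif(text: str, containers: Iterable[str], fallback: str) -> tuple[str, list[tuple[str, str]]]:
    """Rewrite every ``dn:`` line; return the new LDIF and the relocations made."""
    out: list[str] = []
    moved: list[tuple[str, str]] = []
    for line in unfold_ldif(text):
        if line.lower().startswith("dn::"):
            # base64-encoded DN (non-ASCII names): stop rather than silently
            # importing the object under the wrong domain.
            raise ValueError(f"base64 DN not handled: {line}")
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            new_dn, relocated = place_in_target(dn, containers, fallback)
            if relocated:
                moved.append((dn, new_dn))
            out.append(f"dn: {new_dn}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", moved


if __name__ == "__main__":
    ldf, moved = rewrite_ldif(SAMPLE_LDF, TARGET_CONTAINERS, FALLBACK_CONTAINER)
    print(ldf)
    for old, new in moved:
        print(f"relocated: {old} -> {new}")
```

    Two caveats that follow from the post rather than from the script: an ldifde
    export carries no passwords, so every imported user needs a new one, and the
    imported objects get new SIDs, which is exactly why the post warns that the
    share and NTFS permissions on the restored files "are not going to work". The
    ADMT v2 route suggested later in the thread is the one that carries the old
    SIDs along (sidHistory) so existing ACLs keep matching.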
  4. Archived from groups: microsoft.public.win2000.active_directory

    Forgot to mention that you will also have to join all of the computers to
    the 'new' domain. This will mean either that you sit at each one and
    manually do it or that you look at netdom to do this for you. netdom is a
    utility that you get when you install the Support Tools. I would do this on
    all of my Domain Controllers!

    You will then have to log on as each user as well to create the profile. You
    can easily copy the user profile from 'company.local' over to the user
    profile for 'company.com' through the Windows Explorer ( you will need to be
    a member of the local Administrators group on the specific machine to do
    this, though ). There will almost always be minor 'problems' with
    this...mostly cosmetic, though.

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    news:O%23SM4PdbFHA.1404@TK2MSFTNGP09.phx.gbl...
    > Cary,
    > Thanks for the reply. What I try to accomplish here is merely make sure
    > users at remote office(s) can access the shared folders/files in the main
    > office.
    >
    > I thought creating sub-domain is the best practice when you have multiple
    > sites, and yes we expect to add one or two more satellite offices down the
    > road, and we might need to access all the network shares across those
    > offices.
    >
    > Currently we do have Firewall-to-Firewall VPN between the two Sites and
    > like
    > you said they are two separated win2k forest. (which we didn't do it right
    > at the beginning I think)
    >
    > So, how exactly do we need to accomplish our goal? set up the trust
    > between
    > two domains?
    >
    > Thanks again.
    >
    > Calvin
    >
    >
    >
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    >> PinkCrib,
    >>
    >> Why do you need a sub-domain for the remote office(s)? This usually makes
    >> little sense. The key word being *usually*. Simply make use of Active
    >> Directory Sites and Services, create a second site ( for the other office ),
    >> create the appropriate Subnet ( for the 'remote' location ) and associate
    >> that Subnet with the correct Site! And make sure that you have a
    >> Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    >> have a private T1 or whatnot connecting the two Sites ).
    >>
    >> Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    >> not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    >> Services. And there is nothing wrong with that! This is one of the many
    >> benefits to the news groups.
    >>
    >> Is there a specific business requirement for the sub-domain?
    >>
    >> Usually when you have a sub-domain ( well, what you have actually is two
    >> separate WIN2000 Forests ) there is a trust in place. The trust simply
    >> makes resources in one domain available to users in another domain.
    >> However, you still need to make sure that the Share and NTFS Permissions are
    >> correct. Even with the trust in place if the permissions are not there then
    >> there will be no access to the resources.
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24012
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    >> news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    >> > background:
    >> > 2 DCs in the main office with domain name: "company.com"
    >> >
    >> > 1 DC in the remote office with local domain name: "company.local".
    >> > Users at remote office authenticate locally.
    >> >
    >> > Full T1 internet at both locations, which are connected with a VPN tunnel.
    >> >
    >> > problem:
    >> > Users at remote office are unable to access the shared folders at the main
    >> > office. When they try to do it, the user account will be locked out.
    >> >
    >> > I am told to rebuild all the servers, and create a sub-domain for remote
    >> > office. However, it's not possible for us now.
    >> > Is it possible to change the remote domain, "company.local" to be
    >> > "remote.company.com" and solve the problem?
    >> >
    >> > Thanks
    >> > calvin
    >> >
    >> >
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.win2000.active_directory

    Okay,

    Brain-Fart! You might want to consider using ADMT v2. This will help you
    with the computer account migration / user profile problem! Sometimes (
    well, usually! ) I need to think before I write! Sorry for the oversight.

    So, make sure that there is a trust between the two. The Source Domain (
    HQ ) will need to be in Native Mode. Do your thing with ADMT v2. Make sure
    that everything is okay. dcpromo the remote office DC to member server.
    dcpromo to DC ( as an additional DC in an existing Domain ).....

    It is your choice!

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    news:O%23SM4PdbFHA.1404@TK2MSFTNGP09.phx.gbl...
    > Cary,
    > Thanks for the reply. What I try to accomplish here is merely make sure
    > users at remote office(s) can access the shared folders/files in the main
    > office.
    >
    > I thought creating sub-domain is the best practice when you have multiple
    > sites, and yes we expect to add one or two more satellite offices down the
    > road, and we might need to access all the network shares across those
    > offices.
    >
    > Currently we do have Firewall-to-Firewall VPN between the two Sites and
    > like
    > you said they are two separated win2k forest. (which we didn't do it right
    > at the beginning I think)
    >
    > So, how exactly do we need to accomplish our goal? set up the trust
    > between
    > two domains?
    >
    > Thanks again.
    >
    > Calvin
    >
    >
    >
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    >> PinkCrib,
    >>
    >> Why do you need a sub-domain for the remote office(s)? This usually makes
    >> little sense. The key word being *usually*. Simply make use of Active
    >> Directory Sites and Services, create a second site ( for the other office ),
    >> create the appropriate Subnet ( for the 'remote' location ) and associate
    >> that Subnet with the correct Site! And make sure that you have a
    >> Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    >> have a private T1 or whatnot connecting the two Sites ).
    >>
    >> Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    >> not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    >> Services. And there is nothing wrong with that! This is one of the many
    >> benefits to the news groups.
    >>
    >> Is there a specific business requirement for the sub-domain?
    >>
    >> Usually when you have a sub-domain ( well, what you have actually is two
    >> separate WIN2000 Forests ) there is a trust in place. The trust simply
    >> makes resources in one domain available to users in another domain.
    >> However, you still need to make sure that the Share and NTFS Permissions are
    >> correct. Even with the trust in place if the permissions are not there then
    >> there will be no access to the resources.
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24012
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    >> news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    >> > background:
    >> > 2 DCs in the main office with domain name: "company.com"
    >> >
    >> > 1 DC in the remote office with local domain name: "company.local".
    >> > Users at remote office authenticate locally.
    >> >
    >> > Full T1 internet at both locations, which are connected with a VPN tunnel.
    >> >
    >> > problem:
    >> > Users at remote office are unable to access the shared folders at the main
    >> > office. When they try to do it, the user account will be locked out.
    >> >
    >> > I am told to rebuild all the servers, and create a sub-domain for remote
    >> > office. However, it's not possible for us now.
    >> > Is it possible to change the remote domain, "company.local" to be
    >> > "remote.company.com" and solve the problem?
    >> >
    >> > Thanks
    >> > calvin
    >> >
    >> >
    >>
    >>
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory

    Cary,
    Wow!! Let me start by saying "Thank you!"
    Thank you for all your detailed information and your time. It's really
    really helpful to me.

    After reading your reply, I understand at least that we need to rebuild the
    domain at the remote office to accomplish our goal.

    However, the IT vendor that I'm working with pushes us to rebuild the whole
    domain, including both main and remote locations, to use company.local
    instead of company.com. I'm still trying to figure out the best solution for
    us. Thanks again!

    Regards
    calvin


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:OY2DEp7bFHA.2520@TK2MSFTNGP09.phx.gbl...
    > Okay,
    >
    > Brain-Fart! You might want to consider using ADMT v2. This will help you
    > with the computer account migration / user profile problem! Sometimes (
    > well, usually! ) I need to think before I write! Sorry for the oversight.
    >
    > So, make sure that there is a trust between the two. The Source Domain (
    > HQ ) will need to be in Native Mode. Do your thing with ADMT v2. Make
    sure
    > that everything is okay. dcpromo the remote office DC to member server.
    > dcpromo to DC ( as an additional DC in an existing Domain ).....
    >
    > It is your choice!
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24012
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    > news:O%23SM4PdbFHA.1404@TK2MSFTNGP09.phx.gbl...
    > > Cary,
    > > Thanks for the reply. What I try to accomplish here is merely make sure
    > > users at remote office(s) can access the shared folders/files in the main
    > > office.
    > >
    > > I thought creating sub-domain is the best practice when you have multiple
    > > sites, and yes we expect to add one or two more satellite offices down the
    > > road, and we might need to access all the network shares across those
    > > offices.
    > >
    > > Currently we do have Firewall-to-Firewall VPN between the two Sites and
    > > like
    > > you said they are two separated win2k forest. (which we didn't do it right
    > > at the beginning I think)
    > >
    > > So, how exactly do we need to accomplish our goal? set up the trust
    > > between
    > > two domains?
    > >
    > > Thanks again.
    > >
    > > Calvin
    > >
    > >
    > >
    > >
    > >
    > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > > news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    > >> PinkCrib,
    > >>
    > >> Why do you need a sub-domain for the remote office(s)? This usually makes
    > >> little sense. The key word being *usually*. Simply make use of Active
    > >> Directory Sites and Services, create a second site ( for the other office ),
    > >> create the appropriate Subnet ( for the 'remote' location ) and associate
    > >> that Subnet with the correct Site! And make sure that you have a
    > >> Firewall-to-Firewall VPN between the two Sites ( assuming that you do not
    > >> have a private T1 or whatnot connecting the two Sites ).
    > >>
    > >> Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator who is
    > >> not all that familiar with WIN2000 ( or, now, WIN2003 ) and its Sites and
    > >> Services. And there is nothing wrong with that! This is one of the many
    > >> benefits to the news groups.
    > >>
    > >> Is there a specific business requirement for the sub-domain?
    > >>
    > >> Usually when you have a sub-domain ( well, what you have actually is two
    > >> separate WIN2000 Forests ) there is a trust in place. The trust simply
    > >> makes resources in one domain available to users in another domain.
    > >> However, you still need to make sure that the Share and NTFS Permissions are
    > >> correct. Even with the trust in place if the permissions are not there then
    > >> there will be no access to the resources.
    > >>
    > >> --
    > >> Cary W. Shultz
    > >> Roanoke, VA 24012
    > >> Microsoft Active Directory MVP
    > >>
    > >> http://www.activedirectory-win2000.com
    > >> http://www.grouppolicy-win2000.com
    > >>
    > >>
    > >>
    > >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    > >> news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    > >> > background:
    > >> > 2 DCs in the main office with domain name: "company.com"
    > >> >
    > >> > 1 DC in the remote office with local domain name: "company.local".
    > >> > Users at remote office authenticate locally.
    > >> >
    > >> > Full T1 internet at both locations, which are connected with a VPN tunnel.
    > >> >
    > >> > problem:
    > >> > Users at remote office are unable to access the shared folders at the main
    > >> > office. When they try to do it, the user account will be locked out.
    > >> >
    > >> > I am told to rebuild all the servers, and create a sub-domain for remote
    > >> > office. However, it's not possible for us now.
    > >> > Is it possible to change the remote domain, "company.local" to be
    > >> > "remote.company.com" and solve the problem?
    > >> >
    > >> > Thanks
    > >> > calvin
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  7. Archived from groups: microsoft.public.win2000.active_directory

    Calvin,

    You are welcome.

    Regarding 'company.com' vs. 'company.local' - this is pretty much a moot
    point. If you look through this news group - as well as through the DNS
    news group - you will see that this is a hotly contested topic with lots of
    good reasons on both sides. I would say for the sake of simplicity to use
    'company.com' for both your internal and external name space.


    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    news:eHK87dGcFHA.1148@tk2msftngp13.phx.gbl...
    > Cary,
    > Wow!! Let me start by saying "Thank you!"
    > Thank you for all your detailed information and your time. It's really
    > really helpful to me.
    >
    > After reading your reply, I understand at least that we need to rebuild
    > the domain at the remote office to accomplish our goal.
    >
    > However, the IT vendor that I'm working with pushes us to rebuild the whole
    > domains, including both main and remote locations to use company.local
    > instead of company.com. I'm still trying to figure out the best solution
    > for us. Thanks again!
    >
    > Regards
    > calvin
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:OY2DEp7bFHA.2520@TK2MSFTNGP09.phx.gbl...
    >> Okay,
    >>
    >> Brain-Fart! You might want to consider using ADMT v2. This will help
    >> you with the computer account migration / user profile problem! Sometimes (
    >> well, usually! ) I need to think before I write! Sorry for the
    >> oversight.
    >>
    >> So, make sure that there is a trust between the two. The Source Domain (
    >> HQ ) will need to be in Native Mode. Do your thing with ADMT v2. Make
    >> sure that everything is okay. dcpromo the remote office DC to member server.
    >> dcpromo to DC ( as an additional DC in an existing Domain ).....
    >>
    >> It is your choice!
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24012
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    >> news:O%23SM4PdbFHA.1404@TK2MSFTNGP09.phx.gbl...
    >> > Cary,
    >> > Thanks for the reply. What I am trying to accomplish here is merely to make
    >> > sure users at remote office(s) can access the shared folders/files in the
    >> > main office.
    >> >
    >> > I thought creating a sub-domain is the best practice when you have
    >> > multiple sites, and yes we expect to add one or two more satellite offices
    >> > down the road, and we might need to access all the network shares across
    >> > those offices.
    >> >
    >> > Currently we do have Firewall-to-Firewall VPN between the two Sites and
    >> > like you said they are two separate win2k forests. (which we didn't do
    >> > right at the beginning I think)
    >> >
    >> > So, how exactly do we need to accomplish our goal? Set up the trust
    >> > between two domains?
    >> >
    >> > Thanks again.
    >> >
    >> > Calvin
    >> >
    >> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    >> > news:%23gogz6bbFHA.228@TK2MSFTNGP12.phx.gbl...
    >> >> PinkCrib,
    >> >>
    >> >> Why do you need a sub-domain for the remote office(s)? This usually
    >> >> makes little sense. The key word being *usually*. Simply make use of
    >> >> Active Directory Sites and Services, create a second site ( for the other
    >> >> office ), create the appropriate Subnet ( for the 'remote' location ) and
    >> >> associate that Subnet with the correct Site! And make sure that you have a
    >> >> Firewall-to-Firewall VPN between the two Sites ( assuming that you do
    >> >> not have a private T1 or whatnot connecting the two Sites ).
    >> >>
    >> >> Using sub-domains is *usually* the sign of a WINNT 4.0 Administrator
    >> >> who is not all that familiar with WIN2000 ( or, now, WIN2003 ) and its
    >> >> Sites and Services. And there is nothing wrong with that! This is one of
    >> >> the many benefits to the news groups.
    >> >>
    >> >> Is there a specific business requirement for the sub-domain?
    >> >>
    >> >> Usually when you have a sub-domain ( well, what you have actually is
    >> >> two separate WIN2000 Forests ) there is a trust in place. The trust
    >> >> simply makes resources in one domain available to users in another domain.
    >> >> However, you still need to make sure that the Share and NTFS
    >> >> Permissions are correct. Even with the trust in place if the permissions
    >> >> are not there then there will be no access to the resources.
    >> >>
    >> >> --
    >> >> Cary W. Shultz
    >> >> Roanoke, VA 24012
    >> >> Microsoft Active Directory MVP
    >> >>
    >> >> http://www.activedirectory-win2000.com
    >> >> http://www.grouppolicy-win2000.com
    >> >>
    >> >>
    >> >>
    >> >> "PinkCrib" <webmaster@pinkcrib.com> wrote in message
    >> >> news:OPwevyTbFHA.2996@TK2MSFTNGP10.phx.gbl...
    >> >> > background:
    >> >> > 2 DCs in the main office with domain name: "company.com"
    >> >> >
    >> >> > 1 DC in the remote office with local domain name: "company.local".
    >> >> > Users at remote office authenticate locally.
    >> >> >
    >> >> > Full T1 internet at both locations which are connected with VPN
    >> >> > tunnel.
    >> >> >
    >> >> > problem:
    >> >> > Users at remote office are unable to access the shared folders at
    >> >> > the main office. When they try to do it, the user account will be
    >> >> > locked out.
    >> >> >
    >> >> > I am told to rebuild all the servers, and create a sub-domain for
    >> >> > remote office. However, it's not possible for us now.
    >> >> > Is it possible to change the remote domain, "company.local" to be
    >> >> > "remote.company.com" and solve the problem?
    >> >> >
    >> >> > Thanks
    >> >> > calvin
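    As an added example that is not part of the thread: a PowerShell pre-flight check, run on the main-office (resource) side, for the three things Cary's replies say must all be in place before remote users can reach the shares, a trust with the remote forest, the remote subnet associated with its site in Sites and Services, and both Share and NTFS permissions granting the users. It assumes the ActiveDirectory and SmbShare modules of Windows Server 2012 or later (not the Windows 2000 servers in the thread); the subnet, share name and group name are constructed placeholders.

```powershell
# Added example, not from the thread. Run on a main-office (company.com) file server
# that is domain-joined; requires the ActiveDirectory and SmbShare modules.
Import-Module ActiveDirectory

$RemoteDomain = 'company.local'                 # remote office forest, from the thread
$RemoteSubnet = '10.20.0.0/24'                  # constructed: remote office LAN
$ShareName    = 'Shared'                        # placeholder: share on this server
$Group        = 'COMPANY\Remote-Office-Users'   # hypothetical group that should have access

# 1. Trust: without one, company.local accounts are unknown here and the
#    client's retried credentials look like bad-password attempts.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust with $RemoteDomain; remote users cannot be authenticated here."
} else {
    # Seen from the resource domain, Outbound or BiDirectional is what grants access.
    Write-Output ("Trust with {0}: direction={1} type={2}" -f $trust.Name, $trust.Direction, $trust.TrustType)
}

# 2. Sites and Services: the remote subnet must map to a site, otherwise
#    remote clients may locate a DC across the WAN.
$subnet = Get-ADReplicationSubnet -Filter "Name -eq '$RemoteSubnet'" -ErrorAction SilentlyContinue
if (-not $subnet -or -not $subnet.Site) {
    Write-Warning "Subnet $RemoteSubnet is not associated with a site."
} else {
    Write-Output "Subnet $RemoteSubnet -> site $($subnet.Site)"
}

# 3. Share AND NTFS permissions: the trust alone grants nothing (Cary's point).
$share    = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
$shareOk  = Get-SmbShareAccess -Name $ShareName -ErrorAction SilentlyContinue |
            Where-Object { $_.AccountName -eq $Group -and $_.AccessControlType -eq 'Allow' }
$ntfsOk   = $null
if ($share) {
    $ntfsOk = (Get-Acl -Path $share.Path).Access |
              Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' }
}
if (-not $shareOk) { Write-Warning "Share '$ShareName' does not grant $Group." }
if (-not $ntfsOk)  { Write-Warning "NTFS ACL on '$($share.Path)' does not grant $Group." }
if ($shareOk -and $ntfsOk) { Write-Output "Share and NTFS permissions both grant $Group." }
```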