Subsidiary integration into current domain structure.

Archived from groups: microsoft.public.win2000.active_directory

Hi, we have a W2K AD/Domain infrastructure. See below:

xyz.com (root) (forest)

eu.xyz.com, ap.xyz.com, us.xyz.com (sub domains)

We run the following services for these domains:
Email- E2K, plus archiving etc
Good Mobile Treo Services
File and Printing etc
DNS/WINS/DHCP

Our company has set up a subsidiary company who needs:
A separate domain
Unique email address
Fileserver
Good services (Treo)
Archiving etc

Any suggestions for this domain setup?

Thanks

Hartley
 
Archived from groups: microsoft.public.win2000.active_directory

Have you considered another domain tree in the forest? Something like
'yourdomain.com' for the subsidiary. So, it is a member of the xyz.com
forest but it is another tree. Essentially, you would have two trees in the
forest.

Now, does the subsidiary need to be a 'security boundary'? If that is the
case then you would need another forest!

Is there any reason why you have sub-domains instead of having made use of
Sites ( in Active Directory Sites and Services ).

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

Archived from groups: microsoft.public.win2000.active_directory

What's the main reason to create an additional domain?

Would an OU in one of the existing domains be enough?

In my opinion, if you want to use separate e-mail addresses you could
create a new recipient policy within Exchange that only applies to
those users. There is no need to create an additional domain just for
the separate e-mail addresses.

Cheers

Archived from groups: microsoft.public.win2000.active_directory

Hi all, thanks for replying.

The request has changed now; we need to include this company within our
existing sub-domain.

Are you aware of any good articles that describe the process involved?
They need a unique email address and possibly their own file server.

Thanks

Hartley

Archived from groups: microsoft.public.win2000.active_directory

Another very good way to do this. And most probably a much better way.
This is the way that I would do it! I was going to answer along these lines
but wanted to find out - as per my ending questions - why the original
poster was using multiple sub-domains in the first place....maybe there are
different password requirements? Who knows. Looks like we still do not...

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

Archived from groups: microsoft.public.win2000.active_directory

The Sub-domains were setup to overcome political issues.

Archived from groups: microsoft.public.win2000.active_directory

No different password requirements.

Like always the needs change daily.

Looks like the different OU might be an option.

How would one limit their access to the GAL?

Archived from groups: microsoft.public.win2000.active_directory

Hman,

see comments in-line......

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Hman" <Hman@discussions.microsoft.com> wrote in message
news:32057132-00CF-4503-8922-FAA3EC96FC05@microsoft.com...
> No different password requirements.

That is one of the major reasons for having 'multiple' domains. Not the
only one, but one of ( if not the ) biggest reasons. You mentioned
political reasons. Sometimes this can not be avoided. However, if the IT
people can effectively communicate the pros and cons that may be
averted......

Here is a good link for designing WIN2000 AD environments...

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/w2kdomar.mspx


> Like always the needs change daily.

Only poor management and / or planning will allow this. This is very
typical of what I call 'reactionary management'. If there is a solid plan
in place or if there is a solid management team in place then the needs do
not change daily. And I am not criticising you. You see it all the time.
The cause of this is usually people who have passed their level of ability
holding positions of power ( read: Peter Principle ) .

> Looks like the different OU might be an option.

Probably would have been a really good solution before the sub-domains were
created. Now, it is probably a moot point. What normally happens when you
have one domain ( yourdomain.com ) that is really comprised of several
divisions or departments or companies ( or whatever ) is that you create an
OU for each division or department or company. All of the objects for that
division / department / company will be placed in that OU. Naturally, if it
fits your scheme, you can have nested OUs ( maybe one for the computer
account objects and one for the user account objects....this is one of many
many many possible situations ). You can delegate certain tasks to specific
groups inside of each OU ( so the help desk in companyA can reset the
password for the user account objects in *O*N*L*Y* companyA ). There are a
lot of possible scenarios for delegation.

Now, why do you do this? There are many reasons. The big two are that 1)
you cut down on Administrative Overhead and that 2) you cut down on hardware
/ software costs ( you need at least one Domain Controller for each domain
that you have.....there are two costs associated with that: the hardware and
the software ).

Since you have already set up the multiple sub-domains ( so, to go with the
example that I gave above - one for each division in your company, for
example ) using OUs may not make much sense. It might be worth considering
to change. But, this is usually a really difficult thing to
do.....especially given the 'political reasons' for your current set up.
Whatever those might be....

> How would one limit their access to the GAL?

The GAL that is available is the 'default global address list'. You can
create different global address lists and make sure that the permissions are
properly set. You might want to post this question in the Exchange Admin
news group....

HTH,

Cary


This would be a question better suited for the Exchange Admin news group.
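
The OU delegation described in the reply above (a help desk that can reset passwords for companyA's user accounts only), as an added example that is not part of the original thread. The OU path, the NetBIOS domain name EU and the group name are hypothetical placeholders, and dsacls.exe is assumed to be installed (Windows Support Tools or the AD DS admin tools).

```powershell
# Added example: scope a help-desk group's password-reset right to one OU.
# Every name below is a hypothetical placeholder, not taken from the thread.
$domainDn = 'DC=eu,DC=xyz,DC=com'
$ou       = "OU=CompanyA,$domainDn"
$group    = 'EU\CompanyA-HelpDesk'

# ACEs to grant, each limited to user objects beneath the OU:
#   CA;Reset Password  - extended right to set a new password
#   WP;pwdLastSet      - lets the operator force "change password at next logon"
#   WP;lockoutTime     - lets the operator unlock a locked-out account
$grants = @(
    "${group}:CA;Reset Password;user",
    "${group}:WP;pwdLastSet;user",
    "${group}:WP;lockoutTime;user"
)

foreach ($ace in $grants) {
    # /I:S applies the ACE to sub-objects only, not to the OU object itself
    & dsacls.exe $ou /I:S /G $ace
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls returned exit code $LASTEXITCODE while granting '$ace'"
    }
}

# Review 1: the OU's ACL should now list the three ACEs for the group.
"ACEs for $group on ${ou}:"
& dsacls.exe $ou | Select-String -SimpleMatch $group

# Review 2: the group should hold nothing at the domain root. Any hit here
# means the help desk can act on accounts outside CompanyA.
$atRoot = & dsacls.exe $domainDn | Select-String -SimpleMatch $group
if ($atRoot) {
    Write-Warning "$group also has ACEs on ${domainDn}:"
    $atRoot
} else {
    "No ACEs for $group on $domainDn; delegation is limited to the OU."
}
```

The delegation only limits what the help-desk group can change; as the first reply in the thread notes, a true security boundary requires a separate forest.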