| Author |
Message |
DH225
Guest
|
Posted:
Thu Nov 10, 2005 1:51 am Post subject:
Creating 1st Active Directory |
|
|
We belong to an organization that consists of many companies throughout the
world. Each company has its own NT domain controller. Due to a disaster our
company lost its PDC and BDC...we took the opportunity to upgrade to Windows
2003 and implement Active Directory.
In the coming months our sister companies and HQ will also be upgrading to
AD. Will they need to join our domain/forest or will we be able to join
theirs? The concern is that we are using Exchange 5.5 and will be migrating
to Exchange 2003...I know that you cannot have one organization spanning
multiple forests. Would using federated forests bypass the problem?
Thanks
DH |
Herb Martin
Guest
|
Posted:
Thu Nov 10, 2005 9:51 am Post subject:
Re: Creating 1st Active Directory |
|
|
"DH225" <DH225@discussions.microsoft.com> wrote in message
news:640FAA2B-254A-4726-A70F-154E7BB011CA@microsoft.com...
| Quote: | We belong to an organization that consists of many companies throughout the
world. Each company has its own NT domain controller. Due to a disaster our
company lost its PDC and BDC...we took the opportunity to upgrade to Windows
2003 and implement Active Directory.
|
?
| Quote: | In the coming months our sister companies and HQ will also be upgrading to
AD. Will they need to join our domain/forest
|
That is a choice...
| Quote: | ...or will we be able to join theirs?
|
No. Forest trusts MAY become possible but you cannot (in general)
merge (graft) two forests together. Forest level trusts approximate
this but are not precisely the same and these require both domains to
be in "Win2003 Forest Functional Level".
| Quote: | The concern is that we are using Exchange 5.5 and will be migrating
to Exchange 2003...I know that you cannot have one organization spanning
multiple forests. Would using federated forests bypass the problem?
|
Well, you "can" but it's a lot more trouble.
It might make sense to start over (again) now before you develop your domain.
Set a policy, architecture, and "root forest domain" for the entire company
and re-install your domain into this forest (now while you are just getting
installed again.)
It doesn't seem your domain was very important if there were no backups.
The root forest domain requires much more careful protection and backups.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site] |
70-297 exam format
Guest
|
Posted:
Thu Nov 10, 2005 1:50 pm Post subject:
Re: Creating 1st Active Directory |
|
|
May I ask you something, you said your company is one of the companies in a big
organization which has got many companies. That means every company has its
own domain name registered with the internet. Is that correct!!!!
If that is the case then how many forest domains you have already got.
DH225
Guest
|
Posted:
Thu Nov 10, 2005 5:51 pm Post subject:
Re: Creating 1st Active Directory |
|
|
Yes, each company has one or more internet domain names. To date we are the
only company that has created a forest domain.
Thanks
Joe Richards [MVP]
Guest
|
Posted:
Fri Nov 11, 2005 1:50 am Post subject:
Re: Creating 1st Active Directory |
|
|
Honestly you need to step back, call in some experts and have them look at what
you have and then get everyone that could possibly be involved into a room and
start discussing how this is going to be set up. Windows AD is not like the NT4
domain, either you guys will be together or you will be separate. You need to
work it out up front and understand all of the pros and cons of both configs
before you make ANY decisions or make any changes.
If you need everyone on the same mailsystem (ORG) then I recommend one of two
things. A single forest or an Exchange resource forest. If you are thinking each
company is going to have a domain and their own domain admins I would almost
immediately start thinking Exchange resource forest that trusts all of the
forests for the separate companies. You could even have a third party come in
and run that forest on your behalf so the different companies aren't arguing
over who has control of it.
Basically, go to whomever is in charge of IT overall for the company, have
them contact some well known good vendor such as Hewlett-Packard Consulting or
Microsoft Consulting and have them come in and figure out a plan for you. It
will not be cheap but it will be much cheaper than trying to do this in a rag
tag ad hoc one off fashion.
joe
Herb Martin
Guest
|
Posted:
Fri Nov 11, 2005 9:09 am Post subject:
Re: Creating 1st Active Directory |
|
|
I answered what you (the O.P.) asked but Joe was
helpful enough to answer what you NEEDED to hear.
Listen to Joe.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Joe Richards [MVP]
Guest
|
Posted:
Fri Nov 11, 2005 9:50 pm Post subject:
Re: Creating 1st Active Directory |
|
|
LOL.
Just painful memories coming out. I have walked into too many situations when
asked for help on AD where something like this has happened. AD isn't something
that can just grow to exist in a company. Without a good overall plan it is a
disaster and almost always results in a tear down and a rebuild to get it right
which is EXTREMELY expensive and painful.
At one point about 3 or so years ago I had a company that asked my consulting
company to allow me to come work with them on getting an account to convert
another company to Windows 2000. It was all straight hourly for me at about $300
an hour so I was like, no problem, plus I like to keep my employers happy. So
anyway, I didn't get any time to speak with the architect of this other
consulting company, I was simply dragged to the main customer meeting used to
determine what consulting firm they would go with to do the actual work and I
was there to "lend weight" to the consulting company and show off how smart "we"
were by knocking any ad hoc questions down the customer may have used to "out"
the consulting firm in interview. Plus I had some rather heavy duty migration
experience with a Fortune 5 company which was to show that "we" knew what we
were doing in a large environment. Well within 2-3 minutes of the meeting
starting I *KNEW* that the architect probably hadn't done anything outside the
scale of about 500 users and here he was trying to sell himself on a job for
tens of thousands of users and pointing at how I had handled hundreds of
thousands of users. Well he would say things that were just dead wrong but I
couldn't point them out as that would have been seen as "infighting" in the
meeting between our own folks so I focused on answering as correctly and
completely any questions asked directly of me in such a way as to not point out
that the architect had no clue what he was talking about. After we left I tore
into the architect and his handler and said they didn't deserve that contract as
they would just screw it up because they had NO CLUE. In the end, the customer
wasn't as stupid as the consulting firm thought because they picked out some of
the same things I had and knew they were worthless, however, they wanted me
personally to come assist as needed. I had to turn it down though because my
consulting company I was with at the time had a partnership with the other
consulting company and it would have been sort of like a back stab.
All of that to say that there are a lot of smaller companies out there telling
people they know how to do this stuff, get references and speak to those
references. Otherwise go to the big boys like HP and Microsoft which have the
most migration consulting experience out there and very deep technical resources
that can be called in as necessary. I wouldn't even really look at the local
Microsoft "partners" too much either because more times than not my MCS friends
are going out on gigs to bail those partners out when they screw things up.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net