Child domain across WAN and local child domain

Discussion in 'Active Directory' started by Hiro, Jul 13, 2005.

  Hiro (Guest):

    Only have one domain (call it

    Location A:
    -Have a main domain controller (call it alpha) that is set up with DHCP, DNS,
    and AD.
    -All local users will authenticate to this main controller.
    -On the same LAN want to have a child domain controller (call it beta) that
    has all the information of the first but does not have access to change any
    information, it also needs to receive regular updates. This is set up for our
    website authentication and will only be used by a few users.

    Location B:
    -Connected to location A via a dedicated T1 (1.5 Mbit/1.5 Mbit).
    -Want a child domain controller (call it gamma) that all users in location B
    authenticate to.
    -Gamma should receive its catalog from alpha but also be able to make
    changes and send those changes back to alpha.

    -How should I set up the child domains to receive the updates and allow gamma
    to make changes to the catalog?
    Hiro, Jul 13, 2005

  Paul Williams [MVP]:

    > How should I set up the child domains to receive the updates and allow
    > gamma to make changes to the catalog?
    You don't need a child domain for scenario two. Nor do you really need a
    child domain for scenario one -that's a serious security problem!

    I'll elaborate under each statement...

    I believe there's a major misconception here as to what this domain is for.
    Firstly, it is impossible to guarantee the lack of access you want. The
    forest is now the true security boundary; the domain is an administrative
    boundary (and also a replication boundary).

    I have no idea what kind of regular updates you are referring to, but the
    necessary naming contexts are indeed replicated frequently.

    Do not create a child domain for web-based access. Create a separate forest
    or use an AD/AM directory. Trust no one, and never allow direct access to
    your directory from insecure sources.

    Why? This is an ideal solution for a separate site with a DC from domain-a
    available to service local (to the site) users and computers.

    Best bet is to create another DC in the existing domain. Make this a DHCP,
    DNS and GC server. Create sites and have a DC in each one.
    Paul Williams [MVP], Jul 14, 2005
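
    The layout Paul recommends above (a single domain, one AD site per location, and a DC running DNS and acting as a global catalog in each site, with no child domain), as an added PowerShell example that is not part of the original thread or of either poster's words. It uses the ActiveDirectory and ADDSDeployment modules shipped with current Windows Server, which did not exist when the thread was written; the domain name corp.example.com, the site names LocationA/LocationB, the subnets 10.1.0.0/24 and 10.2.0.0/24, and the host names alpha and gamma are assumptions chosen only for illustration.

```powershell
# Added example, not from the original thread. One domain, two AD sites, one
# writable DC per site. Everything named below is an assumption:
#   domain           corp.example.com
#   existing DC      alpha   (Location A, 10.1.0.0/24)
#   new DC           gamma   (Location B, 10.2.0.0/24, reached over the T1)
# Requires the ActiveDirectory and ADDSDeployment modules (Windows Server / RSAT).

$Domain  = 'corp.example.com'
$SiteA   = 'LocationA'
$SiteB   = 'LocationB'
$SubnetA = '10.1.0.0/24'
$SubnetB = '10.2.0.0/24'

# --- Step 1: run once on alpha (or any domain-joined admin host) ---------------
# Describe the physical topology so that clients in Location B are steered to
# their local DC by the DC locator instead of authenticating across the T1.
Import-Module ActiveDirectory

# alpha already lives in Default-First-Site-Name; give that site a real name.
$defaultSite = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName $SiteA

New-ADReplicationSite   -Name $SiteB
New-ADReplicationSubnet -Name $SubnetA -Site $SiteA
New-ADReplicationSubnet -Name $SubnetB -Site $SiteB

# Inter-site link over the T1. 15 minutes is the minimum replication interval;
# the cost only matters once there are more than two sites, but set it anyway.
New-ADReplicationSiteLink -Name "$SiteA-$SiteB" `
    -SitesIncluded $SiteA, $SiteB `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# --- Step 2: run on the new server in Location B ------------------------------
# Promote it as an ADDITIONAL domain controller of the SAME domain (no child
# domain), hosting DNS and the global catalog, placed directly into LocationB.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSDomainController `
    -DomainName $Domain `
    -SiteName $SiteB `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force

# --- Step 3: after the reboot, verify from either DC --------------------------
# gamma should appear as a writable GC in LocationB, and both directions of
# replication between alpha and gamma should report zero failures.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

repadmin /replsummary
repadmin /showrepl gamma
```

    Because gamma is an ordinary DC of the same domain, it is writable (IsReadOnly is $false) and its changes replicate back to alpha over the site link, which is exactly what the question asks for at Location B; DHCP can be added to it with Install-WindowsFeature DHCP afterwards. Nothing here touches the web-authentication scenario: following the reply, that belongs in a separate forest or in AD/AM (shipped today as AD LDS), not in a child domain of this forest.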
