Domains for offices in different cities..

Discussion in 'Active Directory' started by averied, Mar 14, 2007.

  1. averied

    averied Guest


    I'm implementing a domain structure for our company. For starting, I'm doing
    this in 2 different cities, so now I'm in the first city, and I created a
    Domain in a DC Server. The domain name is

    So my question.. in the next city, I will create, and I
    will join the 2 offices using a VPN connection. Will I be able to do this
    without problems? Or must I have a domain called and make the
    other two child domains?

    So when configuring the trust between domains, what tools will I need in
    order to place the permissions from one domain to the other?
    averied, Mar 14, 2007

  2. Herb Martin

    Herb Martin Guest

    Why separate domains?

    That may be the correct design, but you have given no reasons for the
    separate domains and implied it was due to different cities (which is
    practically never a reason in and of itself.)
    The parent domain is optional -- it may be useful, but it is NOT required for
    the other two to exist.

    However, if you wish it to be the parent, it would have needed to be created
    before either child was created.
    If you join them to the same forest no explicit trust would be necessary.
    (Why create multiple forests if you plan to add trusts?)

    You need a (manual or automatic) trust FROM the Domain with RESOURCES
    TO the Domain with USERS: Resources ---> Users

    If both have both items then you need a trust in each direction. Res <--->
    Herb Martin, Mar 14, 2007

  3. averied

    averied Guest

    Thanks for your answer..

    Well, the reason I want separate domains is because:

    1. We are in different cities, and now the company is small, and I am the
    only admin, but maybe in some months, each city will have an admin, so it
    will be nice to have separate domains for administration. Also maybe in a few
    months we open 2 more offices, in other cities, so it will be all mixed up if
    I don't create separate domains.

    2. I would like in the directory to have separated the machines in the first
    and second city, and also when we share resources, I would like to have them
    separated into domains.

    Anyway, actually I just like it this way, each city with its own domain, but
    my question is simple: do I need a 3rd domain called with a
    Domain Controller? Or can I connect these 2 domains and be done.. Is it so much
    more complicated to have 2 domains instead of one?

    averied, Mar 14, 2007
  4. averied

    averied Guest

    Please can I have some help with this??
    averied, Mar 15, 2007
  5. Jason Meyer

    Jason Meyer Guest

    What you could do is use the OU object for your geographical locations.
    Then what you can do is create local admin groups for each OU and
    delegate admin responsibilities to that group. Then in each city drop a
    DC and make it a GC also. Creating domains for each city is just going
    to up your infrastructure costs (2 DCs per domain), and management can be
    a pain if you want to maintain overall admin of the entire domain
    structure, since you have to be careful with trust relationships between
    the domains.

    You may want to go to the MS site and read some of the AD deployment docs.
    Remember AD is very flexible and can grow with you, so it's generally a
    good idea to keep things simple at first. Just make sure you document
    everything you can.

    Jason Meyer, Mar 15, 2007
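A worked version of the OU-per-city delegation Jason describes, added here as an example (it is not code from anyone in the thread): PowerShell with the RSAT ActiveDirectory module, assuming an existing parent OU named Sites and constructed city names. Each city admin group receives rights only on its own OU, so a CityA admin gets nothing at the domain level or in CityB's OU, which is the least-privilege point of keeping one domain.

```powershell
# Added example, not code from the thread: single domain, one OU per city,
# a per-city admin group, and rights delegated on that OU only.
# Assumes the RSAT ActiveDirectory module and an existing parent OU "Sites".
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$sitesOU  = "OU=Sites,$domainDN"
$cities   = @('CityA', 'CityB')      # constructed sample names
# schemaIDGUID of the "user" object class, used to scope the ACEs
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

foreach ($city in $cities) {
    $ouDN  = "OU=$city,$sitesOU"
    $group = "$city-Admins"

    # OU for the city's users and computers (Jason's geographical OU)
    New-ADOrganizationalUnit -Name $city -Path $sitesOU `
        -ProtectedFromAccidentalDeletion $true
    # Local admin group for that city, kept inside its own OU
    New-ADGroup -Name $group -GroupScope Global -Path $ouDN
    $sid = (Get-ADGroup -Identity $group).SID

    $acl = Get-Acl -Path "AD:\$ouDN"
    # Allow creating/deleting user objects in this OU and below
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # Allow full control of existing user objects under this OU only;
    # nothing is granted at the domain level, so CityA admins cannot
    # touch CityB's OU or domain-wide objects.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)))
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

# Verification: list what each city group was granted, per OU
foreach ($city in $cities) {
    $ouDN = "OU=$city,$sitesOU"
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object { $_.IdentityReference -like "*\$city-Admins" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}
```

The verification loop is the check worth keeping: any ACE for a city group that shows up on the domain root or on another city's OU means the delegation has drifted beyond the OU.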
  6. Herb Martin

    Herb Martin Guest

    Usually OUs work best for such simple delegation to other admins.

    Well, if you create trusts the access to the resources is pretty much the
    same as if you put them in the same domain.

    I answered that originally: No you don't.

    But it also looks like you don't really need separate domains at all.
    Herb Martin, Mar 15, 2007
  7. averied

    averied Guest

    Thanks for answering..
    The thing I don't understand is why do I need 2 DCs per domain?

    Also, for both domains to see each other and establish trust, I have to
    create a VPN?.. If so.. when I log in to the VPN, what domain must the VPN users
    belong to?.. Do you know any step by step example or something

    averied, Mar 16, 2007
  8. Herb Martin

    Herb Martin Guest

    Because if one goes down, the domain and even access to the Internet
    just keeps working. And if you truly lose one permanently, you don't
    lose your domain with your ONLY DC.
    You don't "have to" create a VPN, but if you are trying to cross an open
    network like the Internet it is usually a good idea.

    The VPN servers will usually authenticate with either Certificates OR with
    an account local to the "other endpoint" (either server or domain on the
    opposite side).
    Herb Martin, Mar 16, 2007
  9. Herb Martin

    Herb Martin Guest

    No, that isn't the usual strategy. Usually you configure this ONLY for the
    "router VPN endpoints" and set up those router endpoints to funnel the
    traffic for all other machines down the VPN. Only the 2(+) routers need
    the accounts on the "other side".

    Why two domains? But if you use two domains then usually the computers
    and users in that city would have accounts locally.
    I can't tell from this small description.

    If this is all one company sharing resources then likely I would have
    just ONE domain, or company.local perhaps.
    Herb Martin, Mar 16, 2007