microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
Posted by Alex on August 5, 2008, 7:23 am
Hi. I am trying to determine the best way to connect three domains so that
they can share resources and centralise user logons. Ideally once the
domains are connected, it would be preferred if users could logon with one
user account into a new parent domain/forest and gain access to their old
domain resources as well as newly connected domains all using their new user
account.
The three existing domains are single domains in their own forest, they are
all 2003 native domains/forests, Exchange is not used in any of the domains.
Networking has been put in place between the three separate networks such
that they are all now connected. What I was hoping to do was to create a
new fourth domain/forest and connect the existing three domains using
trusts. User accounts and groups would then be created in the new fourth
parent domain/forest and user groups would be modified/created in the old
domains to give access to the new accounts. The long term plan is to slowly
migrate all the resources from the three separate domains into the new
fourth parent domain/forest and eventually retire the old domains.
Can anyone recommend if this is the best way to approach this problem ? Do
you also have any advice on the types of trusts I would need to create to
accomplish this ?
Thanks,
Alex.
Posted by Paul Bergson [MVP-DS] on August 5, 2008, 8:59 am
Sounds like you have a good plan to move forward. I would create a forest
trust and then use ADMT v3 to move the objects across. I would use robocopy
to move the data across. There is no need to create any new users, using
sidHistory should allow you to move from the old to the new without any loss
of functionality.
Source must be nt4, 2000 or 2003
Target must be 2000 or 2003
First set up the DNS so the two domains know of each other's name space.
http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html
Then establish a trust between the two forests (I'm assuming it is a new
forest)
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7929b0c4-efe1-409c-99e3-efe9815f426d.mspx
http://technet2.microsoft.com/windowsserver/en/library/7929b0c4-efe1-409c-99e3-efe9815f426d1033.mspx?mfr=true
Finally you can use the migration tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
Webcast
http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
> Hi. I am trying to determine the best way to connect three domains so that
> they can share resources and centralise user logons. Ideally once the
> domains are connected, it would be preferred if users could logon with one
> user account into a new parent domain/forest and gain access to their old
> domain resources as well as newly connected domains all using their new
> user account.
> The three existing domains are single domains in their own forest, they
> are all 2003 native domains/forests, Exchange is not used in any of the
> domains. Networking has been put in place between the three separate
> networks such that they are all now connected. What I was hoping to do
> was to create a new fourth domain/forest and connect the existing three
> domains using trusts. User accounts and groups would then be created in
> the new fourth parent domain/forest and user groups would be
> modified/created in the old domains to give access to the new accounts.
> The long term plan is to slowly migrate all the resources from the three
> separate domains into the new fourth parent domain/forest and eventually
> retire the old domains.
> Can anyone recommend if this is the best way to approach this problem ?
> Do you also have any advice on the types of trusts I would need to create
> to accomplish this ?
> Thanks,
> Alex.
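
The steps in the reply above (DNS, trust, then migration with sidHistory and robocopy), as an added command-line example that is not part of the original post. The names `old1.example` and `new.example`, the address `10.0.0.10`, and the server, share and log paths are placeholders; it assumes the old domain is the trusting side of a forest trust, where SID filtering drops sidHistory SIDs until they are explicitly allowed on that trust.

```batch
@echo off
rem Added example. Every name, address and path below is a placeholder.
rem Run on the old (trusting) side with domain administrator rights.
setlocal
set OLD=old1.example
set NEW=new.example
set NEW_DNS=10.0.0.10

rem 1. DNS: forward queries for the new forest's namespace to one of its
rem    DNS servers, then confirm a domain controller there can be located.
dnscmd . /ZoneAdd %NEW% /Forwarder %NEW_DNS%
nltest /dsgetdc:%NEW%
if errorlevel 1 goto fail

rem 2. Trust: once the forest trust exists (old domain trusts new forest),
rem    verify it before migrating anything.
netdom trust %OLD% /domain:%NEW% /verify
if errorlevel 1 goto fail

rem 3. sidHistory: a forest trust filters out SIDs that do not belong to
rem    the trusted forest, which includes the old-domain SIDs that ADMT
rem    writes into sidHistory. Allow them on this trust for the migration.
netdom trust %OLD% /domain:%NEW% /enablesidhistory:yes
if errorlevel 1 goto fail

rem 4. Data: copy files with ACLs, owner and auditing entries intact so
rem    permissions that reference old-domain SIDs keep working.
rem    Robocopy exit codes of 8 or higher mean at least one copy failed.
robocopy \\oldsrv\share \\newsrv\share /E /COPYALL /R:2 /W:5 /LOG:C:\migrate\share.log
if errorlevel 8 goto fail

rem 5. After resources have been re-ACLed to the new accounts, turn the
rem    filtering back on so sidHistory is no longer honoured across the trust:
rem    netdom trust %OLD% /domain:%NEW% /enablesidhistory:no

echo Checks and copy completed.
goto :eof

:fail
echo A step reported an error; fix it before continuing.
exit /b 1
```

The ADMT object migration itself runs between steps 3 and 4. While step 3 is in effect, the old domain accepts any SID that the new forest places in a user's sidHistory, so keep that window short.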
Posted by Meinolf Weber on August 5, 2008, 6:07 pm
Hello Paul Bergson [MVP-DS],
Did you mean this one?
http://support.microsoft.com/kb/819145/
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Sounds like you have a good plan to move forward. I would create a
> forest trust and then use ADMT v3 to move the objects across. I would
> use robocopy to move the data across. There is no need to create any
> new users, using sidHistory should allow you to move from the old to
> the new without any loss of functionality.
>
> Source must be nt4, 2000 or 2003
> Target must be 2000 or 2003
> First set up the DNS so the two domains know of each other's name space.
> http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html
>
> Then establish a trust between the two forests (I'm assuming it is a new
> forest)
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7929b0c4-efe1-409c-99e3-efe9815f426d.mspx
>
> http://technet2.microsoft.com/windowsserver/en/library/7929b0c4-efe1-409c-99e3-efe9815f426d1033.mspx?mfr=true
>
> Finally you can use the migration tool:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
> Webcast
> http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>> Hi. I am trying to determine the best way to connect three domains so
>> that they can share resources and centralise user logons. Ideally
>> once the domains are connected, it would be preferred if users could
>> logon with one user account into a new parent domain/forest and gain
>> access to their old domain resources as well as newly connected
>> domains all using their new user account.
>>
>> The three existing domains are single domains in their own forest,
>> they are all 2003 native domains/forests, Exchange is not used in any
>> of the domains. Networking has been put in place between the three
>> separate networks such that they are all now connected. What I was
>> hoping to do was to create a new fourth domain/forest and connect the
>> existing three domains using trusts. User accounts and groups would
>> then be created in the new fourth parent domain/forest and user
>> groups would be modified/created in the old domains to give access to
>> the new accounts. The long term plan is to slowly migrate all the
>> resources from the three separate domains into the new fourth parent
>> domain/forest and eventually retire the old domains.
>>
>> Can anyone recommend if this is the best way to approach this problem
>> ? Do you also have any advice on the types of trusts I would need to
>> create to accomplish this ?
>>
>> Thanks,
>> Alex.