I'm trying to gain an understanding of trees, domains, and sites. Consider
I have a 20-computer domain called MyCompany.com and everything is running
smoothly. The domain has 2 domain controllers, each one of which runs DNS.
Now my company wants to open branch offices in Iraq and NewYork. So my plan
is to create two more domains. When done, I will then have these three

Now here's where I get confused... According to the definition of "tree" (in
my W2K reference manual), all three of these domains are part of the same
tree. But what are the implications of 3 domains sharing the same "tree"
other than the fact that they have the same namespace (MyCompany.com)? It
appears what we have here in reality is just three separate domains. The
domains don't really know anything about each other. I want to change that.
So that leads me to some questions.

1) Since users in any of the three domains will frequently access resources
on either of the *other* two domains, a "trust" needs to be set up. Each
domain should trust the other two. Shall I simply fill in the blanks in the
"Trusts" tab of the AD Domains and Trusts applet? Is any further action

2) What about DNS? I currently have forward and reverse lookup zones defined
on the DCs of the MyCompany.com domain. Presumably each of the other domains
will have its own DCs and therefore its own DNS. But when a guy in the Iraq
domain wants to access 'someComputer.NewYork.MyCompany.com', the Iraq DNS
won't know where to look... How do I tell the DNS servers in the
MyCompany.com domain, for example, how to resolve hostnames in the
Iraq.MyCompany.com domain? The DNS servers need to point to each other
somehow, but I'm not sure how to set it up.

3) When does the "AD Sites and Services" applet come into play? Do I need
it? My book says that I'll need it if a single domain spans a slow-link
WAN... but that's not what I'm doing here, correct? I actually have three
domains, each one of which is wholly contained on its own LAN.

4) Lastly, keep in mind that EACH of these three domains will be behind its
own ISA Server firewall. They will all have internal addresses (i.e.
192.168.x.x). Is it possible to configure ISA server as a VPN so that the
various domains can talk to each other via a PPTP tunnel of some
sort? I don't want to expose these domains directly to the internet, but yet
they need to communicate with one another through the firewall. What shall I

Thanks for reading this!

"To understand recursion, we must first understand recursion."