Win2000 'trees' vs 'domains' vs. 'sites'

Post by Fred Sanfor » Sat, 02 Jun 2001 07:10:45



Hello.

I'm trying to gain an understanding of trees, domains, and sites. Consider
this:

I have a 20-computer domain called MyCompany.com and everything is running
smoothly. The domain has 2 domain controllers, each one of which runs DNS.
Now my company wants to open branch offices in Iraq and NewYork. So my plan
is to create two more domains. When done, I will then have these three
domains:

    MyCompany.com
    Iraq.MyCompany.com
    NewYork.MyCompany.com

Now here's where I get confused... According to the definition of "tree" (in
my W2K reference manual), all three of these domains are part of the same
tree. But what are the implications of 3 domains sharing the same "tree"
other than the fact that they have the same namespace (MyCompany.com)? It
appears what we have here in reality is just three separate domains. The
domains don't really know anything about each other. I want to change that.
So that leads me to some questions:

1) Since users in any of the three domains will frequently access resources
on either of the *other* two domains, a "trust" needs to be set up. Each
domain should trust the other two. Shall I simply fill in the blanks in the
"Trusts" tab of the AD Domains and Trusts applet? Is any further action
required?

2) What about DNS? I currently have forward and reverse lookup zones defined
on the DCs of the MyCompany.com domain. Presumably each of the other domains
will have its own DCs and therefore its own DNS. But when a guy in the Iraq
domain wants to access 'someComputer.NewYork.MyCompany.com', the Iraq DNS
won't know where to look... How do I tell the DNS servers in the
MyCompany.com domain, for example, how to resolve hostnames in the
Iraq.MyCompany.com domain? The DNS servers need to point to each other
somehow, but I'm not sure how to set it up.

3) When does the "AD Sites and Services" applet come into play? Do I need
it? My book says that I'll need it if a single domain spans a slow-link
WAN... but that's not what I'm doing here, correct? I actually have three
domains, each one of which is wholly contained on its own LAN.

4) Lastly, keep in mind that EACH of these three domains will be behind its
own ISA Server firewall. They will all have internal addresses (i.e.
192.168.x.x). Is it possible to configure ISA server as a VPN so that the
various domains can talk to each other via a PPTP tunnel of some
sort? I don't want to expose these domains directly to the internet, but yet
they need to communicate with one another through the firewall. What shall I
do?

    Thanks for reading this!

--
Fred Sanford

"To understand recursion, we must first understand recursion."

 
 
 

Win2000 'trees' vs 'domains' vs. 'sites'

Post by Dave Goshe » Sat, 02 Jun 2001 07:32:40


First off, I'd suggest reading up on Active Directory, Domains, Trees and
Forests. But on to your questions.

1) An implicit trust is established for all domains within a tree. A
trusts b, a trusts c, so b trusts c. No other trusts need to be established
as all domains will share the same global catalog.

2) DNS is extremely important with AD. You don't say whether you have an AD
integrated DNS or if it's a Standard Primary. Assuming it's an AD
integrated, you would create zones and continue to make your DCs at your
other sites AD integrated also. If it's a standard primary, you have a
choice of a standard secondary or a caching only DNS setup. (not enough
info)

3) You definitely need sites and services. Your domains must talk to each
other to share the schema and global catalog. You will identify bridgehead
servers to replicate at different schedules, etc...

4) Yes this can be accomplished through scheduled VPN (PPTP) links across
the internet and it can be secured through IPSec.

I wish you luck and good studying.

Dave Goshen


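An added example, not code from this thread or from Microsoft: a small Python model of the DNS tree Dave's answer to question 2 implies, showing how a query raised at the Iraq DC for a host in NewYork.MyCompany.com reaches the right server. It assumes the parent zone delegates the two child zones to their own DCs and that each child DNS server forwards names outside its zone to the parent; every server name and address is constructed.

```python
# Added example, not from the thread: a miniature model of the MyCompany.com
# DNS tree. Assumed layout (constructed): the parent zone delegates iraq and
# newyork to their DCs; each child server forwards foreign names to the parent.
SERVERS = {
    "dc1.mycompany.com": {
        "zone": "mycompany.com",
        "records": {"dc1.mycompany.com": "192.168.1.10"},
        "delegations": {"iraq.mycompany.com": "dc1.iraq.mycompany.com",
                        "newyork.mycompany.com": "dc1.newyork.mycompany.com"},
        "forwarder": None,            # root of the tree, nowhere else to ask
    },
    "dc1.iraq.mycompany.com": {
        "zone": "iraq.mycompany.com",
        "records": {"dc1.iraq.mycompany.com": "192.168.2.10",
                    "fileserver.iraq.mycompany.com": "192.168.2.20"},
        "delegations": {},
        "forwarder": "dc1.mycompany.com",
    },
    "dc1.newyork.mycompany.com": {
        "zone": "newyork.mycompany.com",
        "records": {"dc1.newyork.mycompany.com": "192.168.3.10",
                    "somecomputer.newyork.mycompany.com": "192.168.3.20"},
        "delegations": {},
        "forwarder": "dc1.mycompany.com",
    },
}


def in_zone(name, zone):
    # True when name is the zone apex itself or lies below it.
    return name == zone or name.endswith("." + zone)


def resolve(name, server, path=None, hops=0):
    """Return (address, path): path lists the servers consulted in order,
    address is None when no server in the tree is authoritative for name."""
    name = name.lower().rstrip(".")
    path = (path or []) + [server]
    if hops > 8:                      # guard against a forwarding loop
        return None, path
    cfg = SERVERS[server]
    if in_zone(name, cfg["zone"]):
        # A delegated child zone is more specific than the parent's own data.
        child = max((z for z in cfg["delegations"] if in_zone(name, z)),
                    key=len, default=None)
        if child:
            return resolve(name, cfg["delegations"][child], path, hops + 1)
        return cfg["records"].get(name), path   # authoritative answer or NXDOMAIN
    if cfg["forwarder"]:              # not our zone: hand it up the tree
        return resolve(name, cfg["forwarder"], path, hops + 1)
    return None, path
```

The path returned for the NewYork host shows the three hops (Iraq DC, parent DC, NewYork DC) that a delegation plus forwarding layout needs; a child zone that is never delegated from the parent would stop at the second hop with no answer.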


 
 
 

Win2000 'trees' vs 'domains' vs. 'sites'

Post by Nimbu » Sat, 02 Jun 2001 08:27:24


In addition to Dave's response, there are also security implications, such as
Enterprise Admins and Universal Groups.


 
 
 

Win2000 'trees' vs 'domains' vs. 'sites'

Post by Fred Sanfor » Wed, 06 Jun 2001 04:01:50


> 2) DNS is extremely important with AD.  You don't say whether you have an AD
> integrated DNS or if it's a Standard Primary.  Assuming it's an AD
> integrated, you would create zones and continue to make your DCs at your
> other sites AD integrated also.  If it's a standard primary, you have a
> choice of a standard secondary or a caching only DNS setup.  (not enough
> info)

    Ah, I see... This might answer my other question entitled "simple DNS Question".

    Yes, every zone is AD integrated. I guess my main issue is: How does
Active Directory know to exchange this information with the other domains?
How does it know about the other domain controllers? I've been trying to
figure this out from the online help, but it looks like I really need a good
book. It appears that if the domains are on the same subnet, AD somehow
"finds" the other domains and starts exchanging information. But if the
domains are in different locations, I need AD Sites and Services so that AD
will know how to find controllers of other domains. Is this even close to
being correct? :)

    Thanks

 
 
 

Win2000 'trees' vs 'domains' vs. 'sites'

Post by Nimbu » Wed, 06 Jun 2001 08:28:03


You might try reading through the freely available material from MS's online
Technet site.  The following link would be a good starting place.

http://www.microsoft.com/technet/win2000/win2ksrv/reskit/tcpch06.asp

