bdesmond (Posts: 716) | 07/03/2009 2:39 AM
Yeah that design makes no sense to me given what I imagine your environment looks like (having spent a lot of time in K-12).
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Sent: Thursday, July 02, 2009 7:20 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
I had a hard time describing what the consultant did. The domain design looks like this:
Administrative Root domain | High school domain | Middle school domain | Elementary school domain
As opposed to a Parent Administrative Root domain with the other domains being branches of the root domain in a "tree". By forest domain design I mean just how the domains are arranged visually in the forest. The consultant's design does not have child or branch domains, at least not visually.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Crawford, Scott Sent: Thursday, July 02, 2009 2:17 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
That was my first thought too, but the fact that he says "forest domain design" seems to imply that he sees a distinction. Of course, we could just wait till the OP replies.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Thursday, July 02, 2009 3:57 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Exchange and Active Directory authentication confusion
Didn't Dave mean separate forests by "All of the domains are flat rather than parent child hierarchical. The explanation for this was better security."? On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE) <pbergson@allete.com> wrote:
Agree with Brian.
Security boundary is the forest not the domain.
Thanks
Paul
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Thursday, July 02, 2009 3:17 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
Said explanation is 100% wrong.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Sent: Thursday, July 02, 2009 3:13 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.
The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, July 02, 2009 5:26 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
Have a domain controller for every domain you want authentication to be available for in the locations you want it available.
Alternately, collapse the six domains down to one; you likely don't really need six domains.
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Sent: Wednesday, July 01, 2009 6:31 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, July 01, 2009 3:03 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down; even though you have 100 DCs for DomainPDQ, not a single DomainXYZ user could log on.
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
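To make joe's two points concrete (a user is only authenticated by a DC of their own domain, so each site needs a DC for every domain whose users must log on there), here is a small availability model added as an example; it is not code from the thread, and the forest topology, domain names, sites and links in it are constructed, not Dave's real environment.

```python
from collections import deque

# Constructed sample topology (not Dave's real forest): three sites, four
# domains, and the remote domains each served by a single DC at their own site.
DCS = [  # (dc name, domain, site)
    ("DC-ROOT1", "root.example", "HQ"),
    ("DC-ROOT2", "root.example", "HQ"),
    ("DC-HS1", "hs.example", "HQ"),
    ("DC-MS1", "ms.example", "RemoteA"),
    ("DC-ES1", "es.example", "RemoteB"),
]
LINKS = {("HQ", "RemoteA"), ("HQ", "RemoteB")}  # WAN (T1) links, undirected


def reachable_sites(start, links):
    """Sites reachable from `start` over the links that are currently up."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        site = queue.popleft()
        for nxt in adj.get(site, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def can_authenticate(domain, from_site, dcs, links):
    """True only if a DC of the user's OWN domain is reachable from `from_site`.
    DCs of other domains, however many, do not count (joe's point)."""
    sites = reachable_sites(from_site, links)
    return any(d == domain and s in sites for _, d, s in dcs)


def outage_impact(failed_links, dcs, links, site):
    """Per domain: can its users still log on at `site` (e.g. the Exchange/OWA
    site) once `failed_links` are down?"""
    up = links - failed_links
    return {d: can_authenticate(d, site, dcs, up) for d in sorted({d for _, d, _ in dcs})}


def missing_local_dcs(dcs, site):
    """Domains with no DC at `site`: the gaps joe's 'DC per domain per location'
    advice would close."""
    local = {d for _, d, s in dcs if s == site}
    return sorted({d for _, d, _ in dcs} - local)
```

With the HQ-RemoteA link down, `outage_impact` reports that only ms.example users lose authentication at HQ (which is exactly why OWA, hosted at HQ, rejected them), and `missing_local_dcs(DCS, "HQ")` names the domains that would need a DC at HQ to survive the outage.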
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Sent: Wednesday, July 01, 2009 5:51 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange and Active Directory authentication confusion
I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows Server 2003 R2 SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.
Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could log in to e-mail remotely via Outlook Web Access. Now, if user accounts are replicated forest-wide, then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreachable remote server), one not disconnected due to an out-of-service T1 WAN link?