Subject: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

nocmonkey
08/30/2005 7:37 AM
Good day to you all,

Two companies that share the same IT staff, NOC, WAN connections (to
remote offices), DHCP services, LAN distribution, some DNS, firewall,
and an AD trust -- are very shortly separating in more ways than one.

I would appreciate any tips or suggestions on where to start planning
such a split?

Thank you,

...D
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

prenouf
08/30/2005 7:43 AM
Phil 

AD00000928
08/30/2005 8:22 AM
Need... More... Info...

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 8/30/05, Danny wrote:
> Good day to you all,
>
> Two companies that share the same IT staff, NOC, WAN connections (to
> remote offices), DHCP services, LAN distribution, some DNS, firewall,
> and an AD trust -- are very shortly separating in more ways than one.
>
> I would appreciate any tips or suggestions on where to start planning
> such a split?
>
> Thank you,
>
> ...D

nocmonkey
08/30/2005 9:07 AM
On 8/30/05, Phil Renouf wrote:
> Hmm, interesting my gmail now looks like a word edited message. Funny...

Click Plain Text... instead of Rich Formatting. I think.

> Can you describe your AD environment a little more?

I am a couple of days into this environment, so don't laugh, but I am
pretty sure they are two separate forests with a trust between the
two.

Company A head office - approx 70 users:

Example client DHCP:

Hostname: A123WRKSTN.dom.example.org
IP: 10.10.10.125
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

Company B head office - approx 100 users:

Hostname: B123WRKSTN.dom.contoso.org
IP: 10.10.10.212
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

IE settings:

Company A: isa2000srv
Company B: proxy2.0srv

Outlook settings:

Company A: exchange2000.dom.example.org
Company B: exchange2000.dom.consoso.org

> You have two forests with a trust? Is it a Forest trust or an NT4 style trust?

External trust, non-transitive. How can I confirm this (whether or not
NT 4 style trust for example) besides looking in ADD&T?

> You say they share 'some' DNS, can you qualify that a bit better?

I will clarify this tomorrow.

> When you say they are going to split, how split are they going to get?

Still in discussion. In the least, layer one of the network will be
divided, the AD trust will need to be broken, DHCP and DNS separated.

> Will this be a physical split (ie: one company physically moving)? Or will it be
> more of a logical split with the two still continuing to share some infrastructure?

They are discussing two separate NOCs, because all the servers,
switches, firewalls, i.e. all network equipment is in the same NOC.

Right now all is calm, but one is suing (three week old news) the
other, so all hell could break loose.

Thank you!

...D

Alm@xxxx.yyy
08/30/2005 10:13 AM
What is it you need to accomplish then? If they're already separate,
what's to separate other than name resolution and DHCP/network services?

Can you get more clarification of the topology? Confirm it's two separate
forests and not two separate domains in the same forest (disjointed
namespace)?

Al

nocmonkey
08/31/2005 3:38 AM
On 8/30/05, Al Mulnick wrote:
> What is it you need to accomplish then? If they're already separate,
> what's to separate other than name resolution and DHCP/network services?

From an Active Directory point of view, the AD trust will need to be
broken, but I would like to know what it might break - I am new to
this specific environment, so I don't know what is currently relying
on the trust.

DHCP is shared, many AD sites are as well. Shared WAN and firewall,
as well as many frame relay connections to remote offices.

> Can you get more clarification of the topology? Confirm it's two separate
> forests and not two separate domains in the same forest (disjointed
> namespace)?

External trust, non-transitive. How can I confirm these are two
separate forests - besides looking in ADD&T?

Thanks,

...D

Alm@xxxx.yyy
08/31/2005 6:07 AM
portqry -n <DC> -e 389 | find "root"
Run that on both domains and compare.


If DHCP is shared, then the network is likely as well. My approach would be to start from the bottom of the stack, at the physical level and figure it out from there taking care to deal with each level at a time. For starters, you'll have to figure out how to modify the networks to separate them. That leads to the DHCP servers, DNS, Active Directory etc.

However, let's find out about the forest topology first. If they're the same, then your process might vary slightly from the above.

Al


nocmonkey
08/31/2005 7:52 AM
On 8/31/05, Al Mulnick wrote:
> Finding the root. I believe it was Dean who posted this a little while back.
> "... another thought, to determine your forest root in order to validate
> the dn you're supplying, the following single-line command line syntax
> will help -
>
> portqry -n <DC> -e 389 | find "root"
> Run that on both domains and compare.

portqry -n dc2 -e 389 | find "root"
rootDomainNamingContext: DC=Dom,DC=example,DC=org

portqry -n dc1 -e 389 | find "root"
rootDomainNamingContext: DC=Dom,DC=contoso,DC=com

Safe to say - separate forests?

...D

listmail
08/31/2005 9:42 AM
Yes.

Someone followed the MS book examples pretty explicitly. :o)
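
The check the thread settles on (compare rootDomainNamingContext from each domain's RootDSE), together with Danny's earlier question about confirming the trust type without the GUI, as an added PowerShell example that is not from any poster. dc1 and dc2 are the DC names used above; the function names are hypothetical, and the numeric codes are the documented values of the trustedDomain attributes.

```powershell
# Added example, not code from the thread. Run from a machine that can reach
# both DCs over LDAP with an account that can read CN=System in each domain.

function Get-ForestRoot {
    param([Parameter(Mandatory = $true)][string]$Server)
    # Same attribute portqry prints: the DN of the forest root domain.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    [pscustomobject]@{
        Server     = $Server
        Domain     = [string]$rootDse.defaultNamingContext
        ForestRoot = [string]$rootDse.rootDomainNamingContext
    }
}

function Get-TrustedDomain {
    param([Parameter(Mandatory = $true)][string]$Server)
    # Every trust a domain holds is a trustedDomain object under CN=System.
    $domainDn = [string]([ADSI]"LDAP://$Server/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=System,$domainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    foreach ($hit in $searcher.FindAll()) {
        $p     = $hit.Properties
        $type  = [int]$p['trusttype'][0]        # 1 downlevel (NT4-style), 2 uplevel (AD), 3 MIT realm
        $attrs = if ($p['trustattributes'].Count) { [int]$p['trustattributes'][0] } else { 0 }
        $kind  = if     ($attrs -band 0x20) { 'Intra-forest (same forest)' }
                 elseif ($attrs -band 0x08) { 'Forest trust (transitive)' }
                 elseif ($type -eq 1)       { 'External, NT4-style (downlevel)' }
                 elseif ($type -eq 3)       { 'MIT Kerberos realm' }
                 else                       { 'External to an AD domain' }
        [pscustomobject]@{
            Server       = $Server
            Partner      = [string]$p['name'][0]
            NetBIOS      = [string]$p['flatname'][0]
            Kind         = $kind
            # 1 = inbound, 2 = outbound, 3 = two-way
            Direction    = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }[[int]$p['trustdirection'][0]]
            SidFiltering = [bool]($attrs -band 0x04)   # QUARANTINED_DOMAIN flag
        }
    }
}

$roots = 'dc1', 'dc2' | ForEach-Object { Get-ForestRoot -Server $_ }
$roots | Format-Table -AutoSize

# Sort-Object -Unique compares case-insensitively, which suits DNs.
if (@($roots.ForestRoot | Sort-Object -Unique).Count -gt 1) {
    'Different rootDomainNamingContext values: the DCs are in separate forests.'
} else {
    'Same rootDomainNamingContext: the domains belong to one forest.'
}

'dc1', 'dc2' | ForEach-Object { Get-TrustedDomain -Server $_ } | Format-Table -AutoSize
```

The Direction column shows which side depends on the other, which is the first thing to record before the trust is removed.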



nocmonkey
09/01/2005 2:12 AM
On 8/31/05, joe wrote:
> Yes.
>
> Someone followed the MS book examples pretty explicitly. :o)

Can I simply break the AD trust and hope it does melt down? :)

Thanks,

...D

prenouf
09/01/2005 2:23 AM
My first step would be to do an inventory of all the applications and determine how they are authenticating (if they are) to see what the impact would be. I would also look at splitting the DNS before breaking the trust because what good are separate forests (and no trust) if you are still sharing the same DNS infrastructure?


Also, out of curiosity, both your domains are dom.something.***? What are the NetBIOS names?

Phil 
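
One way to start the inventory described above, added here and not part of the original message: tally successful logons on a server where the account comes from the partner domain, which shows who and what is authenticating across the trust. It assumes Security event 4624 (Windows Server 2008 or later) with logon auditing enabled; `COMPANYB` is a placeholder NetBIOS name, since the thread never states it, and `dom.contoso.org` is Company B's DNS name from the earlier post.

```powershell
# Added example, not code from the thread. Run elevated on each file, mail,
# proxy or application server in Company A (swap the names for Company B).
param(
    # Placeholder NetBIOS name plus the DNS name; Kerberos logons may record either.
    [string[]]$PartnerNames = @('COMPANYB', 'dom.contoso.org'),
    [int]$Days = 14
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                         # successful logon
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: an empty result is not an error for this report.
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="..."> into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # -contains is case-insensitive, so COMPANYB matches companyb.
        if ($PartnerNames -contains $data['TargetDomainName']) {
            [pscustomobject]@{
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']                  # 3 network, 5 service, 10 RDP
                Package   = $data['AuthenticationPackageName']  # Kerberos or NTLM
                SourceIp  = $data['IpAddress']
            }
        }
    }

if (-not $logons) {
    "No logons from $($PartnerNames -join ', ') in the last $Days days (or logon auditing is off)."
} else {
    # One row per account / logon type / package / source, busiest first.
    $logons |
        Group-Object Account, LogonType, Package, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

Service logons (type 5) and NTLM entries are the ones most likely to break silently once the trust is gone, so they are worth chasing first.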

Alm@xxxx.yyy
09/01/2005 2:40 AM
Depends. How good/how current is your cv?

Like I said before, you really need to understand the environment to make these kinds of calls. Did you find out if they're two forests or one?

Joe mentioned to me that you could use ADFIND to do this.
adfind -h dc -b -s base |grep root would give you the information you needed. A lot depends on knowing that information.

Once you know that, I think Phil posted something about an inventory or some such. He's absolutely right and that's why I suggested following the OSI stack from the bottom up to figure out what you have and what your options are.

I'm dying to know about the forest or multiple forest answer :)

AD00000124
09/02/2005 8:46 AM
I'm facing a similar situation: single forest, single domain though. (Thank goodness!)

I think the place to start is really outside AD: who owns all these resources you're keeping in AD? What do they intend to do with them? When does the split happen? And how? Big bang or slow death?? Is email integrated into your forests? Sites going where? IP space?

It's a daunting task to get it all sorted out. If you have the overall company plan, knowing what to do with AD can be much easier.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.

prenouf
09/02/2005 10:10 AM
Phil 