Single domain concepts

Hi,
I have a question. My company has a main office and several branch offices. At present each location has its own domain and there are no trust relationships between them, so all are operating independently. I am planning to consolidate the branch office DCs to the head
office. I know about the two-way trust concept, but the other approach I am looking into is an OU-level domain hierarchy to simplify the process. I mean keep the main office domain as the main domain and add the other branch offices as OUs under the main domain, then
restrict the permissions and admin rights to each location's system admin. As it is a 2012 domain, I think we can apply group policies at OU level which apply to those particular branch office users; also users from one branch can use their login ID in all
locations. Is this single domain approach an industry standard? Also, are there any possible challenges with this concept compared to the traditional forest concept of multiple domains? Looking for your expert advice.
what my idea is  

There is no "industry standard" design: the logical structure design depends on the needs and requirements that exist in your organization. Based on the description of your environment, using a single domain with an OU structure for delegation of
administration to regional staff, as well as for scoping of group policy, is a "by the book" solution that matches your needs quite well. Take a look at the
AD DS Design Guide - it describes guidelines for designing Active Directory infrastructure. A web version of the design guide is also available on
TechNet.
Gleb.
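As an added example (not code from the original thread), the following PowerShell builds the layout the reply recommends: one OU per branch under the single domain, a branch admin group that is delegated rights over user objects only within its own OU, and a GPO linked at the OU so policy is scoped to that branch. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a Windows Server 2012 or later member server, Domain Admin rights, and the branch names shown.

```powershell
# Added example, not from the original post. Branch names and GPO names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$branches = 'Branch-North', 'Branch-South'   # assumed branch names

# schemaIDGUID of the "user" object class: limits the delegation to user objects only.
$userGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($branch in $branches) {
    $ouDN = "OU=$branch,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $branch -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # One global group per branch holds that location's system admins.
    $groupName = "$branch-Admins"
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -Path $ouDN -Description "Delegated admins for $branch"
    }
    $sid = (Get-ADGroup $groupName).SID

    # Delegate on the OU, never at domain level: the group gets rights only inside its branch.
    $acl = Get-Acl -Path "AD:\$ouDN"
    # Create and delete user objects in this OU and its sub-OUs...
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, $userGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # ...and full control over existing user objects beneath it (password resets, attribute edits).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)))
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl

    # Scope group policy to the branch by linking the GPO at the OU.
    $gpoName = "$branch Baseline"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
    if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
        New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
    }
}

# Review: show exactly what each branch admin group was granted, and where.
foreach ($branch in $branches) {
    (Get-Acl "AD:\OU=$branch,$domainDN").Access |
        Where-Object { $_.IdentityReference -like "*\$branch-Admins" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

The review step at the end is worth keeping as a periodic check: the branch groups should appear only in the ACL of their own OU, never at the domain root or in privileged groups such as Domain Admins.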

Similar Messages

  • How many ADFS farms can you have in a single forest/single domain?

    Hi
    I may have some terminology incorrect...please let me know if I do. :)
    My question is, how many ADFS farms can you have in a single forest/single domain? If you want to know why I am asking...please read on.
    We have 1 ADFS farm and we are looking at adding services to it. However, not every cloud vendor provides an "Identity Broker" with their services.
    We have a consultant who is advising that we need to enable SAML-based IdP-initiated single sign-on (SSO), i.e. using "IdpInitiatedSignOnPage".
    However, to do this we need to modify the ADFS website to have a "drop down" list so the user can select the "Relying Party" and then authenticate with them.
    This means we are exposing a list of every company/party we have federated with. The exposure of this information is deemed a security concern by our company...which I agree with.
    So the consultant advises that we need a separate ADFS farm. I have searched online, but haven't found any information that confirms multiple ADFS farms can be implemented in a single forest/single domain.
    Thanks for reading, and if you have any other suggestions...I'd appreciate it.
    Nyobi

    This is not exactly a FIM related question - there is an ADFS forum available on TechNet. However - technically there is no limit on ADFS farms in a forest \ domain. It is just a service which uses AD and is not altering it in any way or storing forest-wide
    information like Exchange. So you can set up two ADFS services in a single forest - no problem. 
    Is it the best solution to your problem? I can't say with that limited information, but maybe just customization of pages on the ADFS side would be enough? 
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • Implementing Sites for a new Single Domain Environment and effects on Exchange

    Copied from the Active Directory forums at the suggestion of replies.
    I didn't find exactly what I was looking for, so I decided to create my own question to get some direct feedback.
    Currently we have a single domain environment with two domain controllers located at two separate sites. When the domain was first set up, no configuration was done in the Sites and Services module for Active Directory. The two domain controllers we have are
    currently located in the Default-First-Site-Name container. We do not have any subnets configured with the Sites and Services module.
    These two domain controllers are located at two different sites with different IP schemes and the sites are connected with a high speed site-to-site VPN. We also have 2 satellite offices with their own IP schemes as well with more offices to come. In the future
    domain controllers will be placed at these satellite offices which are connected with a slower site-to-site VPN to the main offices.
    All replication and network functions are working well now, but I would like to know what the effects would be and what to watch out for if I create sites for our environment. I am particularly concerned about our Exchange 2010 server and need to make sure
    that the change will not disrupt communications between it and the domain controllers.
    I would like to create a site for each of our locations and link the subnet to that site now so that when we install the domain controllers the configuration is ready.
    Any suggestions or input is highly appreciated thank you in advance.

    Exchange will be an issue only if your Exchange servers span sites when your new Windows sites are created.  If you have Exchange servers all in a single location, adding sites to your Windows forest will cause no issues.  However, if you have
    Exchange servers in both locations, as soon as a new site is defined for an Exchange server in a separate location from your other Exchange servers, you will start having issues.  Let me give some examples so you can see what problems might occur:
    Two datacenters, one Windows site, Exchange mailbox servers in both locations (primary and DR), but hub and CAS roles only in the primary datacenter:
    In this situation, as soon as your second site is defined, the server in the DR datacenter will no longer be receiving mail - there is no hub to deliver it - and users will no longer be able to access their mailboxes - there is no CAS to support them. 
    Solution:  Add hub and CAS to second datacenter and all is well with the world.
    Two datacenters, one Windows site, Exchange multirole servers in both locations (primary and DR), but a CAS array defined:
    Now we have a little bit better setup, since we have all roles in both locations.  However, the CAS array in the primary site isn't going to be able to support your client connections in the DR site - so users will be connecting directly to the CAS
    servers in the DR site (not optimum).  Solution:  Define a second CAS array for the DR site, with its own load balancer, and configure the databases in your DR location to use that CAS array as the RPC Client Access Server.
    There are other oddities, but as you can see, there will definitely be issues if your Exchange servers aren't all in the same location and you start defining Windows sites ...

  • Same user with administrative rights on all the servers in a single domain versus domain admin as part of the administrators group on all the servers

    Same user with administrative rights on all the servers in a single domain versus a user as part of the administrators group on all the servers:
    The same user is configured as administrator on all the servers in one domain on Windows Server 2003. Should this user be made part of domain admins and then be set up in the administrators group for all the servers?
    How is this technically different?
    If the same user is set up as an administrator on all the servers in the domain, will it have the same access on all the files as a domain admin user?
    dhomya

    If the account is not admin on the domain controllers and the account is not a member of Domain Admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing accounts,
    groups, OUs, policies, sites, ...in other words, it cannot potentially ruin Active Directory.
    I think that is a pretty big difference.
    In fact, it is bad practice to perform your daily server management with an AD privileged account.
    In regards to file access: the domain administrator will be just an admin, and thus has the privileges assigned to the local admin group, just as any other admin. But if they are different accounts they might be members of different groups assigning different
    privileges. Always be careful when assuming resulting privileges will be the same.
    MCP/MCSA/MCTS/MCITP

  • Guidelines on whether we should go for 'domain concept' in SAP BI

    Hi,
      Can anyone share the guidelines/best practices on whether one should go for the domain concept in a BI implementation or not? Ours will be a consolidated global sales warehouse and we do not experience that many data load failures. What are the advantages one gets if one uses domains? When should a domain not be deemed necessary?
       Thanks and regards,
    R

    Could you please elaborate what you mean by domain concept?

  • Multiple S650s in single domain

    I just recently purchased two S650s for my organization assuming that it could be configured like our C150s (clustered). Now that I actually hooked up the second device I found my assumption to be wrong. What is the best way to configure them for load balancing with a single domain using a single Cisco Router with transparent redirection. I already configured them both almost identically and they appear to be load-sharing the client traffic. I just wanted to verify there isn't a better way.

    Thanks for the reply.
    I have the devices configured for client-based load-balancing. Everything appears to be working. I also notice on my daily reports that the devices have an evenly distributed number of clients attached to each device. I think this load-balancing and fail-over option will meet our needs better than just a fail-over cluster configuration. Being that my organization is small, my CPU load on each device is extremely small. I was just wondering what the refresh time is as far as client connections? Will I get a daily report for each device that contains all clients, or will the report look like it does now in the morning with just a split group of clients on each device?

  • Multiple Sites - Single domain - Server 2008r2

    Hi,
    I have six (6) sites all connected to a Head Office site by a high speed VPN.  Currently all use different domain names on their local servers, but with new hardware coming I would like to have all sites share one single domain name for simplicity.
    Head Office has two (2) AD servers configured handling DNS, DHCP (split scope) etc.; both are GCs for redundancy.
    For the branches I was considering setting these up as secondary AD servers in the Head Office domain and as GCs too.  Each branch server will have its own DHCP scope for its network and DNS forwarded to the Head Office AD servers. Each branch server
    will also be used for file and printer sharing.
    I need to make sure local users of the branch servers authenticate on their own AD server and do not hit Head Office, which would slow down the process a little.
    Is the above the correct way to do this? 
    Cheers.

    Sounds like you want to configure a Hub and Spoke model, with the Spokes being the branch offices.  This is a good topology.  By default, when a branch office is configured with the DC for that spoke (defined by the subnets in that physical site), the
    dcLocator process on each client will default to the local DC unless there are problems that force the client to reach out.  As far as forwarding, there is no such thing from a DC perspective, but there is from a DNS perspective.
    So after you build out your new domain, just make sure you follow the best practice for Sites and Services and you should be good to go.
    http://technet.microsoft.com/en-us/library/cc755768(WS.10).aspx
    dcLocator process
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Multiple EAR files in one single domain ?

    Can I deploy multiple EAR files in a single domain?
    thanks,
    KM

    I'm not sure what a "domain" is in this context. I suppose it depends on the J2EE server you're using. WebLogic has something called a "domain", and sure, in that server you can deploy multiple EARs in one domain, and there can be multiple domains.

  • BEA-090513 "ServerIdentity failed validation" on single domain single server

    Hi!
    I'm getting loads of
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading
    to anonymous.>
    errors though I'm running a single server in a single domain - so the information
    in
    http://e-docs.bea.com/wls/docs81/messages/Security.html
    isn't very helpful. What can I do to remove this problem?
    Thanks so much,
    Hans-Peter Stoerr

    Hi I get the similar error
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    <Sep 12, 2007 4:04:51 PM CDT> <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security>sb1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Defau
    lt (self-tuning)'> <<WLS Kernel>> <> <> <1189626452736> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security> > <sb1> <ExecuteThread: '8' for queue: 'weblogic.socket.Muxer'> <<WLS
    Kernel>> <> <> <1189626452759> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security> < <sb1> <ExecuteThread: '8' for queue: 'weblogic.socket.Muxer'> <<WLS
    Kernel>> <> <> <1189626452760> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    I tried the BEA method to change the credentials that the domain is interacting with (trust certificate), but no help. The errors keep coming still.
    In order to rule out some possibility I shut down the other domain completely and I could still see the same errors in my managed server logs. I would really appreciate anyone's tips to fix this issue.

  • Multiple SOA clusters within a Single Domain

    Hi All,
    We're looking at a scenario where there would be multiple SOA clusters within a single domain. Would that be possible to do? I mean I can create multiple SOA clusters but it seems that applications deployed to one of the 2 SOA clusters seem to go into an inconsistent state. Please advise. Thank you.

    This is just because all SOA servers in a domain will refer to one (the same) SOAINFRA schema for SOA deployment info and hence belong to the same logical group (cluster), and that's the reason why you can't even have two separate SOA managed servers without a cluster.
    Regards,
    Anuj

  • NLB for Two FIM Service and portal servers in single domain

    Hi,
    I am currently working on a FIM project in which I need to install two FIM Service and Portal servers in a single domain.
    The customer wants to open the FIM Portal with a common URL for both servers.
    I only know that we need to do NLB between IIS on both servers. Can anyone provide help on how we can achieve this?
    Any help would be really appreciated.
    Thanks,

    Actually - just configure NLB and make sure that your SharePoint site collection handles access mapping for this common name. Best would be to create it with this name as the site name from the start. 
    Same for the service - configure all nodes to use the same service name and configure NLB. 
    Here is a blog post which should help with the details:
    http://blogs.msdn.com/b/agileer/archive/2011/06/28/setting-up-an-nlb-cluster-for-a-fim-portal-web-service.aspx
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • ChaRM config with Single domain

    Hi Guru's,
    I am in a situation where I have to configure Change Request Management with a single domain controller in Solution Manager 7.1 SP11.
    I have configured transport routes in the ECC development system (000) to integration, quality and production, and now I want to add this configuration to Solution Manager without a domain link.
    Please help me on this; greatly appreciated.
    thanks

    Hi Srini,
    Check the notes below for activating ChaRM without a domain link:
    1384598 - Harmonizing RFC communication infrastructure in ChaRM/QGM
    1756014 - Harmonizing RFC communication infrastructure for ChaRM Check
    Rg,
    Karthik

  • Can we map three BPC users with single domain user

    Hi..
    When we map the three BPC users in the ABAP server in the program UJA3_WRITE_SYS_USERS with a domain user, can we map with only one domain user for all three BPC users, or do we have to use three different domain users to map the three BPC users?
    Please do reply
    Thanks
    Bobby

    Yep,
    you can map three BPC users with a single domain user,
    but the domain user must have management roles.

  • Help Setup KMS on single domain and active for multiple domain another

    Hi all,
    I have a problem configuring DNS for a KMS host. My company uses a single domain "abc.com". But I must manage more than 10 different companies, and they use other domains with DNS running independently; they have one leased line connecting them together.
    My challenge is how to activate all clients in more than 10 companies. Any ideas are very much appreciated.
    Please help.
    Thanks,

    That's a good article suggested by Meinolf, but it's a little outdated.
    For an updated guide for this:
    https://technet.microsoft.com/en-us/library/ff793409.aspx
    Publishing to Multiple DNS Domains
    By default, the KMS host is registered only in the DNS domain to which the host belongs. If the network environment has only one DNS domain, no further action is required.
    If there is more than one DNS domain name, you can create a list of DNS domains for a KMS host to use when publishing its SRV RR. Setting this registry value suspends the KMS host’s default behavior of publishing only in the domain specified as the Primary
    DNS Suffix.
    Optionally, add priority and weight parameters to the
    DnsDomainPublishList registry value for KMS. This feature enables you to establish KMS host priority groupings and weighting within each group to define which KMS host to try first and balance traffic among multiple KMS hosts.
    Note   DNS changes might not be reflected until all DNS servers have been replicated. Changes made too frequently (time < replication time) can leave older records if the change is performed on a server that has not been
    replicated.
    To automatically publish KMS in multiple DNS domains, add each DNS domain suffix to which KMS should publish to the multi-string registry value
    DnsDomainPublishList in registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform. After changing the value, restart the Software Licensing Service to create the SRV RRs.
    Note   This key has changed from the Windows Vista location of
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.
    After configuring a KMS host to publish to multiple domains, export the registry subkey, and then import it into the registry on additional KMS hosts. To verify that this procedure was successful, check the Application event log on each KMS host. Event
    ID 12294 indicates that the KMS host successfully created the SRV RRs. Event ID 12293 indicates that the attempt to create the SRV RRs was unsuccessful. For a complete list of error codes, see the
    Volume Activation 2.0 Operations Guide at
    http://technet.microsoft.com/en-us/library/cc303695.aspx.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
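The procedure in the reply above, as an added PowerShell example (not code from the original thread or from the linked guide): write the DnsDomainPublishList multi-string value, restart the licensing service, and then verify via the 12293/12294 Application events and a direct SRV lookup. It assumes it is run elevated on the KMS host, that the service is named sppsvc (Windows Server 2008 R2 and later; the reply's "Software Licensing Service" is the older name), that the events are logged by the Microsoft-Windows-Security-SPP provider, and that the domain names shown are placeholders.

```powershell
# Added example, not from the original post. Domain names are constructed placeholders.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$name  = 'DnsDomainPublishList'
$zones = @('abc.com', 'partner1.example', 'partner2.example')   # assumed DNS domains

# Each entry may carry the optional "domain,priority,weight" suffix the reply mentions.
$entries = $zones | ForEach-Object { "$_,0,100" }

# Record what is currently published before changing it.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current ${name}: $(if ($current) { $current -join '; ' } else { '(not set)' })"

# Create or overwrite the REG_MULTI_SZ value.
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $entries | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $entries
}

# The SRV RRs are (re)registered when the Software Protection service starts.
$start = Get-Date
Restart-Service -Name sppsvc -Force

# Give dynamic DNS registration a moment, then read the outcome events since the restart.
Start-Sleep -Seconds 15
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Security-SPP'   # assumed event source for KMS events
    Id           = 12293, 12294
    StartTime    = $start
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $status = if ($e.Id -eq 12294) { 'published' } else { 'FAILED' }
    Write-Host ('{0} {1}: {2}' -f $e.TimeCreated, $status, ($e.Message -replace '\s+', ' '))
}
if (-not $events) {
    Write-Warning 'No 12293/12294 events yet: check that the KMS host may dynamically update each target zone.'
}

# Independent check: the _vlmcs._tcp SRV record must resolve in every target zone.
foreach ($z in $zones) {
    Resolve-DnsName -Name "_vlmcs._tcp.$z" -Type SRV -ErrorAction SilentlyContinue |
        Select-Object Name, NameTarget, Port, Priority, Weight
}
```

A 12293 event with a successful local restart usually points at the KMS host lacking dynamic-update rights in the foreign zone; the fix is on the DNS side of that company, not in the registry value.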

  • Recommended DNS zone replication scope for single domain environment

    Hi, in my company we have domain/forest functional level Windows Server 2008 R2 - there is only one domain. AD DS is installed on 5 servers -
    an AD-integrated DNS zone is used.
    I noticed today that on both forward lookup DNS zones, _msdcs.internaldomain.com
    & internaldomain.com, the zone replication scope was set to
    All DNS servers in this domain, and also for one reverse lookup zone. I changed this setting for all these zones to
    All domain controllers in this domain, but later (10-15 mins at most) I reverted these settings back to
    All DNS servers in this domain.
    Which zone replication scope for the mentioned zones is recommended, keeping in mind this is a single domain environment? Also, could I have done any harm to DNS and AD at all when I changed the zone replication scope and later reverted it back for these zones? How do I check
    that DNS related information (zones) is located where it should be in Active Directory and that there is no garbage in other locations (partitions) in the AD database?

    Hi,
    All DNS servers in this domain : Replicates zone data to all Windows Server 2003 and Windows Server 2008 domain controllers running the DNS Server service in the Active Directory domain. This option replicates zone data
    to the DomainDNSZone partition. It is the default setting for DNS zone replication in Windows Server 2003 and Windows Server 2008.
    http://technet.microsoft.com/en-us/library/cc772101.aspx
    Hope this helps.
    Regards.
    Vivian Wang
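To answer the "how do I check where the zones actually live" part of the question above, here is an added PowerShell check (not code from the original thread). It lists each AD-integrated zone with its replication scope and the directory partition that holds it, then enumerates dnsZone objects in every partition so a copy left behind in another partition after a scope change shows up. It assumes the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 or later tooling, so run it from a newer admin workstation if the DCs are 2008 R2) and that the account can read all partitions.

```powershell
# Added example, not from the original post. Assumes DnsServer + ActiveDirectory modules.
Import-Module DnsServer
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$dc       = $domain.PDCEmulator

# View 1: what the DNS server reports for each AD-integrated zone.
# "Domain" scope = All DNS servers in this domain (DomainDnsZones partition, per the reply),
# "Forest" = All DNS servers in this forest, "Legacy" = All domain controllers in this domain.
Get-DnsServerZone -ComputerName $dc |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# View 2: dnsZone objects as stored in each naming context. A zone should appear in exactly
# one of these; a stale copy in a second partition is the "garbage" the question refers to.
$partitions = @(
    "DC=DomainDnsZones,$domainDN",          # All DNS servers in this domain
    "DC=ForestDnsZones,$forestDN",          # All DNS servers in this forest
    "CN=MicrosoftDNS,CN=System,$domainDN"   # All domain controllers in this domain (legacy)
)
$seen = @{}
foreach ($p in $partitions) {
    $zones = Get-ADObject -Server $dc -SearchBase $p -SearchScope Subtree `
        -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    Write-Host ('{0,-55} {1}' -f $p, $(if ($zones) { $zones -join ', ' } else { '(none)' }))
    foreach ($z in $zones) { $seen[$z] = @($seen[$z]) + $p }
}

# Flag any zone name present in more than one partition.
$seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Zone '{0}' exists in {1} partitions: {2}" -f $_.Key, $_.Value.Count, ($_.Value -join ' | '))
}
```

Run it against more than one DC if you suspect replication lag, since a scope change and its reversal within minutes can leave the partitions briefly out of step.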
