New domain (child or new forest)?

We have a single Active Directory domain (internal.com). We need to set up a 
second domain that will be accessed from the outside for non-employee users 
(external.com). If we do not want the external.com domain to have any access 
to the internal.com domain, shouldn't we create a "Domain in a new forest?" 

Creating a "Child domain in an existing domain tree," or a "Domain tree in 
an existing forest" will allow a two-way trust between the root domain and 
the child domain, correct?
0
Utf
12/4/2009 3:06:01 PM
windows.server.active_director

Howdie!

jktat wrote:
> We have a single Active Directory domain (internal.com). We need to set up a 
> second domain that will be accessed from the outside for non-employee users 
> (external.com). If we do not want the external.com domain to have any access 
> to the internal.com domain, shouldn't we create a "Domain in a new forest?" 
> 
> Creating a "Child domain in an existing domain tree," or a "Domain tree in 
> an existing forest" will allow a two-way trust between the root domain and 
> the child domain, correct?

Yeah, you should create a new forest for this. The security boundary is 
the forest, not the domain.

What type of access do they need, then? Why would you need to 
authenticate them? What services do they access?

Cheers,
Florian
-- 
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your 
lab.
0
Florian
12/4/2009 6:51:57 PM
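
The reply above says the forest, not the domain, is the security boundary. The PowerShell below is an added example, not part of the original thread, that checks a finished build for a shared forest or a trust object linking the two domains. It assumes the ActiveDirectory module (RSAT) is installed; `Test-ForestIsolation` and its parameter names are hypothetical, and the domain names are the ones used in the thread.

```powershell
# Added example, not from the thread. Domain names are the ones used in the
# thread; Test-ForestIsolation and its parameters are hypothetical names.
# Requires the ActiveDirectory module (RSAT): Get-ADForest and Get-ADTrust.
Import-Module ActiveDirectory

function Test-ForestIsolation {
    param(
        [Parameter(Mandatory)] [string] $Domain,        # domain to inspect, e.g. external.com
        [Parameter(Mandatory)] [string] $IsolatedFrom   # domain it must not be linked to
    )

    $forest = Get-ADForest -Server $Domain
    $report = @()

    # Domains in one forest are joined by automatic two-way transitive trusts,
    # so sharing a forest with $IsolatedFrom already breaks the isolation goal.
    if ($forest.Domains -contains $IsolatedFrom) {
        $report += [pscustomobject]@{
            Check = 'SameForest'; Domain = $Domain; Target = $IsolatedFrom
            Detail = "Both domains belong to forest $($forest.Name)"
        }
    }

    # Walk the trust objects of every domain in the forest and flag any external
    # or forest trust that points at $IsolatedFrom or one of its child domains.
    foreach ($d in $forest.Domains) {
        foreach ($t in Get-ADTrust -Filter * -Server $d) {
            if ($t.IntraForest) { continue }   # parent-child / tree-root trust inside this forest
            if ($t.Target -eq $IsolatedFrom -or $t.Target -like "*.$IsolatedFrom") {
                $report += [pscustomobject]@{
                    Check = 'TrustToIsolatedDomain'; Domain = $d; Target = $t.Target
                    Detail = "Direction=$($t.Direction); ForestTransitive=$($t.ForestTransitive); " +
                             "SelectiveAuthentication=$($t.SelectiveAuthentication); " +
                             "SIDFilteringQuarantined=$($t.SIDFilteringQuarantined)"
                }
            }
        }
    }
    return $report   # empty result: no shared forest and no trust object found
}

# An empty result is the expected outcome for a separate, untrusted forest.
$findings = Test-ForestIsolation -Domain 'external.com' -IsolatedFrom 'internal.com'
if ($findings) { $findings | Format-List } else { 'No forest membership or trust links found.' }
```

Running it a second time with the two arguments swapped checks the same thing from the internal.com side.
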
Not sure how this works yet, but we have a medical system that will 
automatically add users to this new domain (forest) so that they can access 
their medical info and billing online. Thanks for your reply.

"Florian Frommherz [MVP]" wrote:

> Howdie!
> 
> jktat wrote:
> > We have a single Active Directory domain (internal.com). We need to set up a 
> > second domain that will be accessed from the outside for non-employee users 
> > (external.com). If we do not want the external.com domain to have any access 
> > to the internal.com domain, shouldn't we create a "Domain in a new forest?" 
> > 
> > Creating a "Child domain in an existing domain tree," or a "Domain tree in 
> > an existing forest" will allow a two-way trust between the root domain and 
> > the child domain, correct?
> 
> Yeah, you should create a new forest for this. The security boundary is 
> the forest, not the domain.
> 
> What type of access do they need, then? Why would you need to 
> authenticate them? What services do they access?
> 
> Cheers,
> Florian
> -- 
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> ANY advice you get on the Newsgroups should be tested thoroughly in your 
> lab.
> .
> 
0
Utf
12/4/2009 8:07:01 PM