Active Directory Question

Warder45

Senior member
Jan 3, 2004
214
0
0
I'm a complete AD newb so please bear with me on my use of terms. Our situation looks like this: all of the departments in our organization are in one AD tree; our subnet, however, has been allowed to continue to be separate (meaning most importantly control of our network) and thus we have our own NT domain controllers. We are currently looking at upgrading them to 2000 or 2003 but that means switching over to AD and we're afraid that would lead to a loss of control over our part of the network. What we would like to have happen is to use AD but still stay independent and not have anything forced on us from higher parts of the AD tree. Something like an autonomous branch or maybe a whole separate tree, but still connected to the whole network. Again I'm sorry if I'm using terms wrong or this is a really simple question but my AD knowledge is pretty low at the moment.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
So your company has an active directory domain, and you're a small subset of that company or a separate office, and now you want your group to have an active directory domain, but still have access to the rest of the network without giving up control of your network..

You could create a new active directory forest domain, and then create trusts with the other domain. This should work... I can't remember the deal with trusts in AD..

Or you could create a subdomain in the current forest, but I believe the admin of the forest would have access to your domain with this method.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Your situation is not uncommon and is really more a procedural issue than anything else. Dawks points out one way of doing this, but by moving to AD, you will have to interact with the Enterprise administrator who probably is not in your department.

The Enterprise administrator really has control over how AD will be structured, whether forests are created etc... And that means s/he can control your stuff too.

The most likely event if you get on his/her good side is you can manage your part of the AD but most likely, the Enterprise admin will have control over all including your part.
 

owensdj

Golden Member
Jul 14, 2000
1,711
6
81
What many organizations do is use subdomains. For example, if your domain is acme.com, you could have accounting.acme.com and marketing.acme.com. Each of these new DNS zones would have its own Windows Server 200X machine acting as the authoritative DNS server for that domain. Each new zone would have its own TCP/IP subnet. You would be able to set up an administrator for each subdomain that would have the ability to do just about anything within that domain.

You would definitely want to switch your NT 4.0 servers to Windows Server 2003, since NT 4.0 doesn't support AD.
 

Warder45

Senior member
Jan 3, 2004
214
0
0
Thanks to everyone so far, I guess this isn't looking good. We can not have a situation where the enterprise admin can have the ability to push anything on us.

dphantom, I'm a little unclear, are you saying as long as we get the enterprise admin to set up our AD domain with us in full control they won't be able to push anything on us? And that the problem will be getting the enterprise admin to set it up this way? Or are you saying that no matter what once we go to AD they can push on us, but we can try and get the enterprise admin's word that they won't?

owensdj, I'm not sure I get what you're saying, we are already a subdomain. The problem is that once we move to AD someone higher up on the chain, outside our department, has control over our subdomain, whereas right now we, internally, are the only ones that have control.

Thanks again.
 

TXJustin

Member
Jun 13, 2003
54
0
0
As far as a subdomain, the admin of company.com will always have control of subset.company.com. If you think about it, it's foolish for them not to.

It really depends on what kind of control you don't want the other admins to have on your network, and what access you need to their network. The best option would probably be a separate domain with trusts in place. However, realize that if there is a resource in domain A that you want your users to have access to, likely no one on your domain will have the ability to grant them access to it. Technically, it's possible -- but in reality, I can't see an admin of domain A being OK with giving people in domain B heavy access to his/her network when he/she doesn't have jack for access in domain B.
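
The control the replies above describe is visible in group membership: in a child domain, the built-in Administrators group contains the forest root's Enterprise Admins group (well-known RID 519). The following is an added example, not part of any post in this thread, that decodes binary objectSid values and flags members issued by a different domain; the domain SIDs and member list are constructed samples.

```python
import struct

# Well-known RIDs of domain- and forest-level admin groups.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary objectSid layout (builds the samples)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode objectSid: revision, count, 48-bit BE authority, 32-bit LE sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(auth), *map(str, subs)])

def classify(member_sid: bytes, local_domain_sid: str) -> dict:
    """Report whether an Administrators member was issued by our domain or another one."""
    sid = bytes_to_sid(member_sid)
    domain_part, _, rid = sid.rpartition("-")
    is_domain_sid = sid.startswith("S-1-5-21-")
    return {
        "sid": sid,
        "external": is_domain_sid and domain_part != local_domain_sid,
        "role": PRIVILEGED_RIDS.get(int(rid)) if is_domain_sid else None,
    }

def external_admins(members: dict, local_domain_sid: str) -> list:
    """Names of members whose SID belongs to a domain other than ours."""
    return sorted(name for name, raw in members.items()
                  if classify(raw, local_domain_sid)["external"])

# Constructed sample data: a child domain's built-in Administrators group.
CHILD = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed child-domain SID
ROOT = "S-1-5-21-4000000001-500000002-600000003"     # constructed forest-root SID
MEMBERS = {
    "Administrator": sid_to_bytes(CHILD + "-500"),
    "Domain Admins": sid_to_bytes(CHILD + "-512"),
    "Enterprise Admins": sid_to_bytes(ROOT + "-519"),
}

if __name__ == "__main__":
    for name, raw in MEMBERS.items():
        print(name, classify(raw, CHILD))
```

A domain in its own forest, joined only by trusts, has no such entry unless its own administrators add one.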
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Originally posted by: Warder45
Thanks to everyone so far, I guess this isn't looking good. We can not have a situation where the enterprise admin can have the ability to push anything on us.

dphantom, I'm a little unclear, are you saying as long as we get the enterprise admin to set up our AD domain with us in full control they won't be able to push anything on us? And that the problem will be getting the enterprise admin to set it up this way? Or are you saying that no matter what once we go to AD they can push on us, but we can try and get the enterprise admin's word that they won't?

owensdj, I'm not sure I get what you're saying, we are already a subdomain. The problem is that once we move to AD someone higher up on the chain, outside our department, has control over our subdomain, whereas right now we, internally, are the only ones that have control.


Thanks again.


See TX response. That's what I meant. Someone is the AD "god" somewhere. And it will most likely be outside your domain, sub domain or forest. And as TX states, that person is unlikely to grant you permission to his domain to the level you think you need.

I go back to the procedural issue this really is. Knowing that someone other than your group will have ultimate control is not a bad thing provided your company puts in place organizational controls over what an enterprise admin can do and how they must communicate with your group before being able to do anything.

Get your management involved, this happens often and can be solved but it will take give and take on both sides.

 

Warder45

Senior member
Jan 3, 2004
214
0
0
Originally posted by: TXJustin
As far as a subdomain, the admin of company.com will always have control of subset.company.com. If you think about it, it's foolish for them not to.

It really depends on what kind of control you don't want the other admins to have on your network, and what access you need to their network. The best option would probably be a separate domain with trusts in place. However, realize that if there is a resource in domain A that you want your users to have access to, likely no one on your domain will have the ability to grant them access to it. Technically, it's possible -- but in reality, I can't see an admin of domain A being OK with giving people in domain B heavy access to his/her network when he/she doesn't have jack for access in domain B.


Thanks, that's how it works right now. We have to get a special username / password to get access to the rest of the network, of course the same works for them getting into our subdomain. This works fine for us, we just need to make sure that this can still be set up with AD.
 

Warder45

Senior member
Jan 3, 2004
214
0
0
Originally posted by: dphantom
Originally posted by: Warder45
Stuff

See TX response. That's what I meant. Someone is the AD "god" somewhere. And it will most likely be outside your domain, sub domain or forest. And as TX states, that person is unlikely to grant you permission to his domain to the level you think you need.

I go back to the procedural issue this really is. Knowing that someone other than your group will have ultimate control is not a bad thing provided your company puts in place organizational controls over what an enterprise admin can do and how they must communicate with your group before being able to do anything.

Get your management involved, this happens often and can be solved but it will take give and take on both sides.

Well, getting the Enterprise Admin to do something once shouldn't be a problem, i.e. setting up our domain; he has bosses and we can go above him/her if needed. Unfortunately it seems like it's not just once and my bosses do not want the AD "God" to be able to do anything to our subdomain. Seeing as not using AD is an option that we can still take, and it fits with the level of control we want, the bosses are able to be a little less flexible. However Server 2003 requires AD and thus we are taking a look at it, because at some point we might be forced into using it. Another reason we don't want to rely on documents and agreements is more political, in that we are one of the few departments left with our own IT staff. Losing more control would give more support that we should be dissolved and outsourced. Thanks again for all the help.
 