Two domains at once? or domain and workgroup...

By kchandley
I have to make a decision that requires some non-standard working methods in a Windows environment.

First the environment info:
1. My organization has some Windows 2003 servers at a main site, including a Windows 2003/Exchange 2007 server and some Citrix servers. We run Active Directory 2003.

2. We have another site that has a Novell 6.5 server that we are replacing with a Windows 2003 server.
3. Users at this remote site get their email across the WAN from our Exchange server. They are prompted for AD credentials when doing so. They are also prompted for AD credentials when logging into our Citrix servers. That's all fine.

The problem:
You would expect that I would add the server at the other location to the domain (and make it a DC), simplifying management and authentication. Unfortunately I am forbidden from doing so. The CIO of the organization has made it aggressively clear that he doesn't want the additional WAN traffic that might create, nor problems that may occur when the WAN is flaky. (Which is frequent.) This is not open for debate.

So my options are:
1. create a separate forest/domain at this site, or
2. leave it as a workgroup server.

I like the idea of the centralized management that a domain server presents, but I worry that if users are logged and authenticated to that domain, they will have difficulty logging into and authenticating to the Citrix server and Exchange server of our forest/domain. Is that a legitimate concern?

What is my best option when I am not allowed to put the server in the same forest or domain as the main site? Do I have to just set up the remote site server with local users and groups? Or is it not a problem to have users log in to one Active Directory and then authenticate to another for access to email and Citrix?

All Answers

by Wizard-09 In reply to Two domains at once? or d ...

Don't know if this is within what you're allowed to do, but maybe set up a trust between the 2 domains?

It's the "Trust" relationships.

by Kenone In reply to Two domains at once? or d ...

You can have two domains and, if you do it right, the users in one domain can access all the allowed resources in the other. It's all in the "Trusts". However, I think that setup would generate as much, if not more, network traffic than a single domain.

Create 2 sites

by ugadata In reply to Two domains at once? or d ...

Sites are a way to keep everything in a single domain and still separate WAN traffic to within each site.

You would still have a domain controller at each site. Each site could have its own DHCP, DNS, etc. And each site would have its own subnet.

Cannot violate CIO's orders.

by kchandley In reply to Create 2 sites

Yes, but in doing so, both servers would be part of the same Active Directory/domain. If I violate my boss's orders I will certainly be terminated immediately.
I understand that I can designate the amount of site traffic using the Sites and Services console, but I am not the CIO of the organization, and after discussing it, he has made a final decision that is not open to debate should I wish to stay employed. I wouldn't be asking the question if I was going to do the MS standard deployment of making the server part of the domain/AD and managing the traffic and trusts using the Sites and Services console. That was my suggestion, it was firmly denied, and is not an option.

The remote server must not be part of the main site's domain/forest/AD should I wish to keep my job. If anyone can answer the above question within the parameters designated by my superior, I will appreciate your insight.

Anything else

by TonytheTiger In reply to Cannot violate CIO's orde ...

will be less reliable under flaky WAN conditions and generate MORE traffic.

On the other hand, you might want to ask yourself why he hired you? If it's just to be a yes-man, suggest a trained monkey with an "OK, Boss" sign as your replacement.

by Wizard-09 In reply to Anything else

You wouldn't tell him how to do his job. He hired you for a reason, because you're the expert in the matter. Go set him straight lol

He tells me how to do my job, that's what makes him the boss.

by kchandley In reply to Yes

It has been made abundantly clear while I've worked here that the role of IT staff under him is to follow orders first, and be an expert second. If I wanted to continue the debate with him, I could join the unemployment line with the last 8 people that held my job.

It's OK that he wants it done his way, I don't care about getting into a power struggle about it. I just want to know the best way to implement the solution within the parameters he has given. The only thing that matters is that he is happy. It does not matter if it is done within best practices and procedures.

that may be true but

by kchandley In reply to Anything else

That'd be OK as long as the "OK, Boss" sign was going to sign the paychecks over to me. Otherwise, in the current economy, I'll do my job, which is not to be a maverick expert, but to follow the orders I'm given. That's how corporate bureaucracy works. Where I work, techs are a dime a dozen and I'm glad to have a steady job.

by Wizard-09 In reply to that may be true but

It was a lighthearted joke, I would be the same lol. Hope you find the answer :-p

by kchandley In reply to light

Sorry if I misunderstood. I hope to find a good answer too. The parameters of the way that I must implement this solution create SOOOOOOOO much more work. But I get paid to work 9-5 either way so what difference does it make?
