Active Directory: Global AD environments in a one-tree structure

Check out this series of responses to reader questions from Active Directory expert Laura E. Hunter. This compilation covers topics such as how to set up a global AD environment in a one-tree structure and preventing users in a domain from logging on to multiple clients at once.

The following is a collection of expert responses to reader questions by Laura Hunter.

I have a Windows Server 2003/Active Directory/domain-based network with XP-pro workstations -- patched current. Some of the workstations are connecting via Wi-Fi and I find that the connection is more reliable if those workstations use peer-based configurations. There is no problem with server resources, but I am having issues with printing from the peer-based computers to printers that are shared on XP domain members. Shares on Win2k domain members work fine, but XP will not pass the print job. Printing from other XP domain members also works fine. Is there a local GP security setting that I am missing?

Laura Hunter: In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.

My problem is, I created users in a domain that can log on to any client, however, I want to prevent them from logging on to multiple clients at once. Can you help?

LH: In Windows Server 2003, you can implement the LimitLogon utility to help ensure that a user will only be able to log onto the network from a single station at any time. You can download this tool from Microsoft here.

I am new to Active Directory. Our company would like to setup an AD environment globally in one-tree structure with three regional roots: AP zone, American zone and Europe zone. I understand the normal way to go is to setup a global root, then start implementing with all the policies and configuration down to the root of the three regional zones, then the sub-zone of the regional zones. However, we would like to setup our zone first (we are one of the regional zones) then later down that track, we would join the root and form a triangle zone with the remaining two zones. I would like to know:

1) Is it possible to join the root if we do it in a bottom up approach rather than a top down approach?

2) Apart from the naming convention (already agreed globally) would there be other things that need to be standardized globally? My concern is that if the root is going to use different standard (rather than the naming convention) we may have to redo the whole thing again to make our region join back to the root.

3) Would the effort be bigger to do it this way rather than the top-down approach?

LH: The first domain that you create in an AD forest becomes the forest root domain. This domain must remain the forest root for the lifetime of the AD forest; it cannot be restructured to become the child of another domain without rolling up or migrating to a new forest.

If you wish to pilot AD in a child organization before the parent orgs are ready, you will probably need to use the Active Directory Migration Tool or another third-party migration tool to restructure your forest environment later down the line. If you have decided as an organization that you will be moving to AD anyway, my best recommendation would be to plan and perform the entire rollout as a single, rational process, rather than launching ahead with a small portion of the upgrade that will likely need to be re-done at a later time. This includes determining a consistent naming convention for your DNS and AD domain names and zones, as well as organizational and naming conventions for your user and computer objects.


Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at laurahcomputing@gmail.com.
This was first published in January 2006

Dig deeper on Microsoft Windows Server 2003 Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close