
Active Directory question 2

Status
Not open for further replies.

glen812

MIS
Nov 14, 2002
13
US
Hi All,
I have an Active Directory question for you (let me know if there is a better Forum for this question). This may be somewhat long so bear with me. I am the director of IT in an originally small company (one root domain xxx.com, one office) with all servers (development, production, and corporate) under that root domain. We have grown substantially in the past 2 years. We now have 3 remote offices and our Production systems have been moved to a SAS 70 co-location. I have in the past year created several child domains under our root domain for separation of services and environments (i.e. root = xxx.com, child1 = development.xxx.com, and child2 = production.xxx.com). All employees have corporate IDs in the corporate root domain (xxx.com). Anyone needing access to child domains needs to have accounts in those child domains (except for admins, they can use their xxx.com IDs to access anything they need to). We have primary and backup domain controllers in each remote office for the root and each child domain.
Recently the CTO is on a “Single Sign-on” kick. Meaning he would like employees to be able to access all domains with their corporate IDs, seemingly bypassing the security borders of the domains. I realize we can do this, but is it the right thing to do? He fails to see the security that the child domains create. What can I tell him? Does anyone know of, or have a similar setup or been in a similar situation?

Thanks for your input!
 
I have a similar network as well and all I have done since being there is create separate OUs and establish a Group Policy for what each OU needs. By doing this everyone maintains one user account.
 
Have you established trusts between all of the parent/child domains across your WAN?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
dberg35 – Thanks for your post. We originally did the same. A few reasons why I decided to go to domains is we have external clients that connect to applications in our production environment, that require user IDs. I didn’t want to create them in our corporate root domain, so I created a child domain for our production environment. The development team wanted total control over their environment, and we wanted to keep the development environment as close a mirror image of production as we could, so I created the child domain for production. Do you feel the OU and Group Policy is as secure? We do use group policies in our domains.

DaveToo – Thanks for your post as well. I understand about the PDC / BDC. I still call them that. Maybe I shouldn’t, but since quite a bit of my experience comes from the NT days… I do.
 
...that's just my sig line...you didn't answer my question, so good luck with your issue.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Sorry Davetoo... I didn't answer your question. Yes, I have one-way trusts between the root and the two child domains.
 
Pat is correct...they need to be two way trusts...problem solved.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Pat, Davetoo – Thanks for your time. Correct me if I’m wrong, but if I create two-way trusts that would allow someone using a development login ID to be able to access services in the root domain. Yes? That’s not what I want to do (I don’t think). The CTO may, but not me.

So I guess the real question is, is there any security benefit to having the child domains?

Is it better to do what dberg35 is doing and just have a root domain and control who logs into what with OUs and Group Policy?
 
They can only access objects in the other domains if you give them access. You still control who has access to what through NTFS permissions.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
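The two points made above (trust direction decides which domain's accounts can be presented, and ACLs decide what they can actually reach) can be checked rather than argued. The following is an added example, not code from the thread; it assumes a current domain-joined Windows host with the RSAT ActiveDirectory module, which did not exist when this thread was written, and it uses the thread's placeholder domain names. The share path at the end is constructed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module
# on a domain-joined, current Windows host; xxx.com and its children are the
# thread's placeholder names.
Import-Module ActiveDirectory

# Direction is reported relative to the domain you query:
#   Outbound      = the queried domain trusts the named domain (the named
#                   domain's accounts can be granted access to resources here)
#   Inbound       = the named domain trusts the queried domain
#   BiDirectional = both
function Get-TrustSummary {
    param([string]$Domain = $env:USERDNSDOMAIN)
    Get-ADTrust -Filter * -Server $Domain |
        Select-Object @{ n = 'QueriedFrom'; e = { $Domain } },
                      Name, Direction, TrustType, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined
}

# Query every domain so both ends of each trust are visible.
foreach ($d in 'xxx.com', 'development.xxx.com', 'production.xxx.com') {
    Get-TrustSummary -Domain $d
}

# A trust only lets foreign accounts be named in an ACL; it grants nothing by
# itself. This lists the ACL entries on a path that refer to accounts from a
# domain other than the local one, which is what to review before and after
# changing a trust.
function Get-ForeignPrincipalsInAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$LocalNetbios = $env:USERDOMAIN
    )
    $local = @($LocalNetbios, 'BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER')
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $id = $_.IdentityReference.Value
            $id -like '*\*' -and ($id.Split('\')[0] -notin $local)
        } |
        Select-Object IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited
}

Get-ForeignPrincipalsInAcl -Path '\\prodfs01\AppData'   # constructed share path
```

Two things to keep in mind when reading the output. Within a single forest, the trust between a parent domain and a child domain is created automatically as two-way and transitive, so the separation between such domains comes from group membership and ACLs, not from the trust itself; the second function is the one that shows the real exposure. The SelectiveAuthentication and SIDFilteringQuarantined columns matter for trusts to other forests, where they limit which accounts can authenticate across the trust and block foreign SIDs in the token.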
 
Got it. So, in that case my next question is, how is that different than using just 1 root domain and controlling access with OUs and Group Policy?
 
Are you in control of all of the child domains as well as the parent domain?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Why the need to separate the domain environments in the first place, given that all users exist in the parent domain?

I'm also a bit unclear as to how your trust is setup. Who trusts what?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
The domains are set up so that the root domain (xxx.com) has access to the child domains (development.xxx.com and production.xxx.com) but not the other way around. I also put the development and production child domains on a different subnet for even more separation. One reason for this was the virus factor. Viruses infecting the corporate or development subnets couldn’t jump across to production and wreak havoc there. Another reason was that I also wanted to give the engineering group full control of their environment and not affect corporate or production servers / environments. Another reason was for the remote offices. I set up AD according to the Microsoft Branch Office Active Directory installation best practices (for the most part).

Now, we don’t have 100 branch offices. It’s more like 10 and a remote data center.
 
Ok, well, I wouldn't have done it that way. In fact, I'm in the middle of undoing just that at my sites, where it was done that way eight years ago (I've lived with it up until now). I'm getting rid of the child domains and going to one domain and controlling everything through OUs. But to do that...you have to have a single domain structure.

As for the virus jumping...well, a good antivirus routine eliminates the concern there.

I'd go to one domain, use OUs to assign access along with NTFS.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
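What "one domain, OUs for each environment, Group Policy and NTFS for access" looks like in practice, as an added example rather than anything posted in the thread. It assumes a single domain (xxx.com, the thread's placeholder), the ActiveDirectory and GroupPolicy RSAT modules, and made-up OU, GPO and group names; the engineering group's "full control of their environment" becomes edit rights on one GPO instead of a separate domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and a single domain; the OU, GPO and group names
# are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=xxx,DC=com

# One OU per environment takes the place of one child domain per environment;
# each OU gets its own baseline GPO so settings never bleed into a sibling.
$environments = @{
    'Corporate'   = 'Corporate-Baseline'
    'Development' = 'Development-Baseline'
    'Production'  = 'Production-Baseline'
}

foreach ($ou in $environments.Keys) {
    $ouDn = "OU=$ou,$domainDn"
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                  -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true
    }

    $gpoName = $environments[$ou]
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    # Linking fails harmlessly if the link is already there.
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes `
        -ErrorAction SilentlyContinue | Out-Null
}

# Delegate editing of the Development baseline to the engineering group.
# They get control of their environment's policy without domain admin rights
# anywhere, and the change is visible in the GPO's delegation tab.
Set-GPPermission -Name 'Development-Baseline' `
    -TargetName 'Engineering-GPO-Editors' -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Verify: which GPOs apply to each environment OU.
foreach ($ou in $environments.Keys) {
    (Get-GPInheritance -Target "OU=$ou,$domainDn").GpoLinks |
        Select-Object @{ n = 'OU'; e = { $ou } }, DisplayName, Enabled, Enforced
}
```

Rights over the OU's objects themselves (creating computer accounts, resetting passwords for users in that OU) are delegated separately on the OU's ACL, through the Delegation of Control wizard or dsacls, and are not shown here. The outside-client accounts mentioned earlier fit the same model: a dedicated OU with its own GPO and NTFS grants limited to the application servers, so their scope is bounded by what they are added to, not by which domain they live in.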
 
Hmmm. Ok. I just may end up doing that now while we only have 2 child domains to be concerned about. Do you have any security fears at all with going that route? We do use anti-virus on our servers and desktops so my virus concerns aren't truly an issue. Probably more of me overthinking the issue.
One other reason for me creating the production child domain is we have outside clients that need a domain ID to access some applications. I do use OUs and Group Policy to control what server/s they can reach there.
 
I don't have security fears of my users, no. It's my job to control what they can and can't access, and I'm confident that I'm doing a good job.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
I just had a client where we flattened 29 child domains up to the parent. The administration is now MUCH more streamlined.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Thanks Guys!

I appreciate your input. Looks like I have to reconsider some past decisions… And maybe update my knowledge.
 