AD design question

  1. #1
    Join Date
    Jun 2002
    Location
    Ann Arbor MI
    Posts
    134

    AD design question

    I manage a single Windows 2003 domain. We have ten vendors with 1-3 servers each that will need local admin rights and VPN access to manage their applications. I could use some advice on how to add them to our domain. I was thinking that I could try one of the following:

    1. I join all the servers to our single domain and manage rights with OUs.
    2. Create one child domain for each vendor to manage rights.
    3. Create one domain for all vendors and separate OUs within this domain for each vendor.
    4. Other

    Any comments would be appreciated.

    Thanks, Andrew

  2. #2
    Join Date
    Jun 2002
    Location
    Ann Arbor MI
    Posts
    134
    Additional information:
    All of the vendors’ servers are physically located on our campus. We would like to provide DNS, print services, AV, WSUS and backup for the vendors’ servers.

    Users in our root domain will need to access the various applications the vendors are providing on these servers. At the same time, the vendors will need admin rights to these servers. The trustworthiness of the various vendors’ IT departments is the #1 concern. We need to protect our root domain.

  3. #3
    Join Date
    Jun 2002
    Location
    Ann Arbor MI
    Posts
    134
    After some reading I’ve concluded that creating a new domain for each vendor would be the most secure; however, it’s not recommended. The added complexity, added admin resources and the added hardware resources for 10+ domains aren’t in balance with the added security. It looks like I’m down to options 1 and 3.

  4. #4
    Join Date
    Jun 2002
    Location
    Ann Arbor MI
    Posts
    134
    I’ve read in more than one AD design doc to use as few domains as possible.
    So, it looks like I’ll create OUs for each vendor and give them local admin access only. This way they’ll have access only to the systems they need and I can avoid giving out AD accounts to multiple vendors.

    Does anyone have a view on this plan?

  5. #5
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,063
    That sounds like a good strategy to me. It should work for what you want to do, and help keep the administration issues to a minimum.
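
An added example, not written by anyone in the thread: one way to audit the plan discussed above (one OU per vendor, vendors holding local admin rights only on their own servers). It assumes the local Administrators membership of each server has already been exported; every server, account and domain name below is constructed for illustration.

```powershell
# Constructed sample data. All names are hypothetical placeholders.
# Which vendor (OU) each server belongs to.
$ServerVendor = @{
    'VND-A-APP1' = 'VendorA'
    'VND-A-DB1'  = 'VendorA'
    'VND-B-APP1' = 'VendorB'
}
# Local account names each vendor is expected to use on its own servers.
$AllowedLocal = @{
    'VendorA' = @('vendora-admin')
    'VendorB' = @('vendorb-admin')
}
# Domain principals the in-house team accepts on every vendor server (assumption).
$AllowedDomain = @('CORP\Server-Ops')
# Local Administrators membership as exported from each server.
$Inventory = @(
    @{ Server = 'VND-A-APP1'; Members = @('VND-A-APP1\Administrator', 'VND-A-APP1\vendora-admin', 'CORP\Server-Ops') },
    @{ Server = 'VND-A-DB1';  Members = @('VND-A-DB1\Administrator', 'VND-A-DB1\vendorb-admin', 'CORP\Server-Ops') },
    @{ Server = 'VND-B-APP1'; Members = @('VND-B-APP1\Administrator', 'VND-B-APP1\vendorb-admin', 'CORP\Domain Users') }
)

function Test-LocalAdminPolicy {
    param($Inventory, $ServerVendor, $AllowedLocal, $AllowedDomain)
    foreach ($entry in $Inventory) {
        $server = $entry.Server
        $vendor = $ServerVendor[$server]
        foreach ($member in $entry.Members) {
            # Split 'SCOPE\name'; SCOPE is the server name for a local account.
            $scope, $name = $member -split '\\', 2
            if ($scope -ieq $server) {
                # Local account: built-in Administrator or this vendor's own accounts only.
                if ($name -ieq 'Administrator' -or $AllowedLocal[$vendor] -contains $name) { continue }
                $reason = "local account not assigned to $vendor"
            }
            elseif ($AllowedDomain -contains $member) { continue }
            else {
                # Any other domain principal widens access beyond the vendor's servers.
                $reason = 'unexpected domain principal'
            }
            New-Object PSObject -Property @{
                Server = $server; Vendor = $vendor; Member = $member; Reason = $reason
            }
        }
    }
}

Test-LocalAdminPolicy $Inventory $ServerVendor $AllowedLocal $AllowedDomain |
    Select-Object Server, Vendor, Member, Reason | Format-Table -AutoSize
```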
