
AD design question

Discussion in 'Windows Server System' started by AKP, 2009/04/20.

  1. 2009/04/20
    AKP

    AKP Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    10
    Likes Received:
    0
    I manage a single Windows 2003 domain. We have ten vendors with 1-3 servers each that will need local admin rights and VPN access to manage their applications. I could use some advice on how to add them to our domain. I was thinking that I could try one of the following:

    1. I join all the servers to our single domain and manage rights with OUs.
    2. Create one child domain for each vendor to manage rights.
    3. Create one domain for all vendors and separate OUs within this domain for each vendor.
    4. Other

    Any comments would be appreciated.

    Thanks, Andrew

    Additional information:
    All of the vendors’ servers are physically located on our campus. We would like to provide DNS, print services, AV, WSUS and backup for the vendors’ servers.

    Users in our root domain will need to access the various applications the vendors are providing on these servers. At the same time the vendors will need admin rights to these servers. The trustworthiness of the various vendors’ IT departments is the #1 concern. We need to protect our root domain.
     
    AKP,
    #1
  2. 2009/04/22
    AKP

    AKP Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    10
    Likes Received:
    0
    After some reading I’ve concluded that creating a new domain for each vendor would be the most secure; however, it’s not recommended. The added complexity, added admin resources and the added hardware resources for 10+ domains aren’t in balance with the added security. It looks like I’m down to options 1 and 3.
     
    AKP,
    #2

  4. 2009/04/24
    AKP

    AKP Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    10
    Likes Received:
    0
    I’ve read in more than one AD design doc to use as few domains as possible.
    So, it looks like I’ll create OUs for each vendor and give them local admin access only. This way they’ll have access only to the systems they need and I can avoid giving out AD accounts to multiple vendors.

    Does anyone have a view on this plan?
     
    AKP,
    #3
  5. 2009/04/24
    bilbus

    bilbus Inactive

    Joined:
    2006/09/02
    Messages:
    97
    Likes Received:
    4
    Each domain would require at least 1 domain controller.

    Best bet would be to have 1 domain, with 3 member servers (non domain controllers).

    OUs won't do anything for you, as you are not delegating control ... you are granting them local admin rights.

    If you needed more security, you could have your forest, and add a second forest with all 3 vendor servers (and a domain controller). This would keep their stuff separate from yours. But that's overkill. If they don't need AD access best bet would be to do the first option.

    Also give them local users, or remove their domain user from "Domain Users" so they have access to nothing other than their server.

    Don't make them domain admins, just local admins to respective servers.
     
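The plan that emerges from posts #3 and #5 (one domain, a per-vendor OU and group, local Administrators membership only on that vendor's member servers, and the vendor account taken out of "Domain Users") can be scripted. The following PowerShell is an added example written for this thread, not code from either poster. It assumes the ActiveDirectory module and the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / PowerShell 5.1 or later, so it would not run as-is on the 2003-era servers in the thread), and every name in it (domain `corp.example`, vendor `Contoso`, servers `APP-CONTOSO-01`/`02`, account `contoso.svc`, the non-vendor server `FILE-01`) is a constructed placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and
# LocalAccounts modules and that it is run by a domain admin on a management host.
Import-Module ActiveDirectory

# --- constructed placeholder values ---------------------------------------
$DomainNetBios  = 'CORP'
$DomainDN       = 'DC=corp,DC=example'
$Vendor         = 'Contoso'
$VendorAccount  = 'contoso.svc'                      # the vendor's domain account
$VendorServers  = @('APP-CONTOSO-01', 'APP-CONTOSO-02')
$OtherServer    = 'FILE-01'                          # a server the vendor must NOT reach

$VendorOU       = "OU=Vendor-$Vendor,OU=Vendors,$DomainDN"
$AdminGroup     = "Vendor-$Vendor-LocalAdmins"       # goes into local Administrators on vendor boxes
$PrimaryGroup   = "Vendor-$Vendor-Users"             # replaces Domain Users as primary group

# 1. One OU per vendor holds the vendor's account(s), groups and computer objects.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$VendorOU'" -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name "Vendor-$Vendor" -Path "OU=Vendors,$DomainDN" -ProtectedFromAccidentalDeletion $true
}

# 2. Two global groups: one that will be made local admin, one to act as primary group.
foreach ($g in @($AdminGroup, $PrimaryGroup)) {
    if (-not (Get-ADGroup -Filter "name -eq '$g'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $VendorOU
    }
}
Add-ADGroupMember -Identity $AdminGroup   -Members $VendorAccount
Add-ADGroupMember -Identity $PrimaryGroup -Members $VendorAccount

# 3. Remove the account from "Domain Users" (bilbus' suggestion). AD refuses to
#    remove a user from its primary group, so the primary group is switched first.
#    primaryGroupID is the RID, i.e. the last component of the group's SID.
$rid = (Get-ADGroup -Identity $PrimaryGroup).SID.Value.Split('-')[-1]
Set-ADUser -Identity $VendorAccount -Replace @{ primaryGroupID = [int]$rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $VendorAccount -Confirm:$false

# 4. Grant local admin only on the vendor's own member servers, never domain-wide.
foreach ($srv in $VendorServers) {
    Invoke-Command -ComputerName $srv -ArgumentList "$DomainNetBios\$AdminGroup" -ScriptBlock {
        param($member)
        $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        if ($current -notcontains $member) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }
}

# 5. Verification: the vendor group must be a local admin on its servers and
#    absent from Administrators on everything else. Returns $true only if both hold.
function Test-VendorScope {
    param([string[]]$Allowed, [string[]]$Denied, [string]$Member)
    $ok = $true
    foreach ($srv in $Allowed + $Denied) {
        $admins = Invoke-Command -ComputerName $srv -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        $present = $admins -contains $Member
        if ($Allowed -contains $srv -and -not $present) { Write-Warning "$srv: $Member missing";  $ok = $false }
        if ($Denied  -contains $srv -and     $present) { Write-Warning "$srv: $Member present";  $ok = $false }
    }
    return $ok
}

$member = "$DomainNetBios\$AdminGroup"
Test-VendorScope -Allowed $VendorServers -Denied @($OtherServer) -Member $member
# Also confirm the account no longer carries Domain Users membership:
(Get-ADPrincipalGroupMembership -Identity $VendorAccount).Name -notcontains 'Domain Users'
```

The group, not the individual account, is what lands in the local Administrators group, so adding or replacing a vendor engineer later is a single `Add-ADGroupMember`/`Remove-ADGroupMember` rather than a change on every server. Step 5 is the check worth re-running periodically: a vendor group that shows up in Administrators on a server outside its own list is exactly the drift the thread is trying to rule out.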
