[THIN] Re: attention active directory design gurus..again

  • From: "Ron Oglesby" <roglesby@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 16 Sep 2003 13:58:37 -0500

Inline.

Ron Oglesby
Senior Technical Architect
 
RapidApp
Office 312.372.7188
Mobile 815.325.7618
email roglesby@xxxxxxxxxxxx
 

-----Original Message-----
From: Joe Shonk [mailto:joe@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, September 16, 2003 11:43 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: attention active directory design gurus..again

Comments inline.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Brian Lilley
Sent: Tuesday, September 16, 2003 8:34 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: attention active directory design gurus..again

Thanks for your response Big Ron...further question for you...

Firstly, yes, we have a one-way trust between the two forests, i.e. our new shiny forest trusts the existing forest via an NTLM job apparently, as Kerberos needs two-way transitive or some such..

Just to be sure that I understand what you are saying... If I am applying a GPO to an OU which holds the farm servers, both the computer and user policy settings will apply to the users coming in from the other forest?

->Yes, just be sure to set the GPO setting for loopback processing.
[Ron] Exactly. I would not only do loopback, I would also run it at REPLACE.

I was wondering what security context the forest users will pop up into the server farm as. The plan is that we would not have any users configured in our farm. Would they be 'domain users'? I think this was the case with NT4... or would they pop up under the 'Everyone' group?

->They will show up under the trusted domain name. You will be able to reference the individual users/groups for that trusted domain.
[Ron] Joe is the man.

thanks for your help once again...

Brianos :o)

-----Original Message-----
From: Ron Oglesby [mailto:roglesby@xxxxxxxxxxxx]
Sent: 16 September 2003 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: attention active directory design gurus..again


Comments in line

Ron Oglesby
Senior Technical Architect
 
RapidApp
Office 312.372.7188
Mobile 815.325.7618
email roglesby@xxxxxxxxxxxx
 

-----Original Message-----
From: Brian Lilley [mailto:Brian.Lilley@xxxxxxxxxxxxx] 
Sent: Tuesday, September 16, 2003 8:57 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] attention active directory design gurus..again

What I know about AD design could be written on the back of a stamp...so
brace yourselves..

I am building a Citrix farm which will exist in its very own autonomous AD forest which will be bolted next to a customer's existing forest... don't ask... it's a long story..

The result is that the users for this farm will come from a totally separate AD forest.

What would be the best AD design for this particular configuration... my thoughts are:

an overall OU called FARM1,
within the FARM1 OU, additional OUs: 1 for domain controllers, 1 for NFuse servers and 1 for the farm XPe servers

[Ron] Leave the Domain Controllers in the DCs container

My questions are these

1. When the users enter the farm from an external forest, what group would they come under? i.e. where would I apply the AD GPO in order to restrict them... I'm guessing that the GPO being applied to the XPe servers would restrict these users??

[Ron] This would be one of two things: 1 - either they have accounts in this new forest, or 2 - you have a cross-forest trust or external trust between their domain and yours. In either case I would apply GPO loopback processing on my MetaFrame server OU and dictate the GPO settings they get when they log in.

2. what sort of GPO would I apply to the domain controllers?
[Ron] Use the domain controllers container if it is already in its own
forest. No need to move the DCs out of there. Users will not have access
to these anyway

3. what sort of GPO would I apply to the NFuse servers?
[Ron] Well, you can do anything here. I would not make the NFuse servers part of the domain if they were going to be exposed to the internet. If not, and they are purely internal, then I would use a standard domain GPO to secure their login access, maybe do some directory and file permissions etc. All the stuff you would normally do manually on an IIS server.

I think I'd better read the AD book again...boohoohoo





Brian Lilley
Systems Integration

m +44 (0)7929 002501  
t   +44 (0)1249 665421
e  brian.lilley@xxxxxxxxxxxxxx



**********************************************************************
The information contained in this e-mail message is intended
only for the individuals named above.  If you are not the 
intended recipient, you should be aware that any 
dissemination, distribution, forwarding or other duplication 
of this communication is strictly prohibited.  The views 
expressed in this e-mail are those of the individual author 
and not necessarily those of Vivista Limited.  
Prior to taking any action based upon this e-mail message 
you should seek appropriate confirmation of its authenticity.
If you have received this e-mail in error, please immediately 
notify the sender by using the e-mail reply facility.
**********************************************************************


_____________________________________________________________________

This message has been checked for all known viruses on behalf of Vivista
by MessageLabs. 

http://www.messagelabs.com or Email: mailsweeper.info@xxxxxxxxxxxxx

Vivista formerly Securicor Information Systems for further information
http://www.vivista.co.uk  

********************************************************
This Week's Sponsor:  ThinPrint
http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
********************************************************
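The design the thread converges on (FARM1 OU with separate server OUs, DCs left in their default container, a lockdown GPO linked to the MetaFrame server OU with loopback processing in Replace mode, and an external NTLM trust bringing in users from the customer's forest) as an added, runnable PowerShell example. This is not code from the list or from any of the posters; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-admin session in the farm forest, and hypothetical names for the OUs, the GPO and the trusted forest. The registry locations it writes are the documented storage of the "User Group Policy loopback processing mode" and Explorer/System user policies.

```powershell
# Added example (not part of the thread). Builds the FARM1 OU layout, creates the
# MetaFrame lockdown GPO with loopback processing in REPLACE mode, adds a few
# user-side restrictions that loopback will force on every user who logs on to an
# XPe server, then reports what was written and what kind of trust the farm uses.
# Names below (FARM1, "XPE Servers", "NFuse Servers", the GPO name) are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName       # e.g. DC=farm,DC=example (assumed)
$farmOU   = "OU=FARM1,$domainDN"
$xpeOU    = "OU=XPE Servers,$farmOU"
$gpoName  = "FARM1 MetaFrame User Lockdown"

# 1. OU layout. Domain controllers stay in the built-in "Domain Controllers" OU
#    (Ron's advice), so only the farm server OUs are created here.
foreach ($ou in @(@{ Name = "FARM1";         Path = $domainDN },
                  @{ Name = "XPE Servers";   Path = $farmOU   },
                  @{ Name = "NFuse Servers"; Path = $farmOU   })) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" `
                  -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. The lockdown GPO, linked (enforced) to the XPe server OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "User settings forced on MetaFrame servers via loopback"
}
$linked = (Get-GPInheritance -Target $xpeOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $xpeOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 3. Loopback processing. The policy "User Group Policy loopback processing mode"
#    (Computer Configuration > Administrative Templates > System > Group Policy) is stored as
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
#    Replace means ONLY the user settings of GPOs linked to the server's OU apply at logon,
#    regardless of which forest/OU the user account itself lives in.
$sysKey = "HKLM\Software\Policies\Microsoft\Windows\System"
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# 4. User-side restrictions carried by the same GPO. Because of loopback these hit every
#    interactive session on the XPe servers, including users from the trusted forest.
$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName "NoRun"          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null
# "Prevent access to the command prompt": 2 = block interactive cmd.exe but still run logon/batch scripts.
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" `
    -ValueName "DisableCMD" -Type DWord -Value 2 | Out-Null

# 5. Verification: confirm loopback is set to Replace, and show the trust the farm relies on.
#    An Outbound, non-ForestTransitive trust is the NT4-style external trust Brian describes;
#    Kerberos across forests requires a forest trust (ForestTransitive = True).
Get-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName "UserPolicyMode" |
    Select-Object ValueName, Type, Value
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
```

Two caveats a practitioner will want. First, loopback in Replace mode applies to everyone who logs on to those servers, administrators included; exempt the farm admin group with security filtering (deny "Apply Group Policy" on the GPO for that group) rather than by weakening the settings. Second, users from the trusted forest must be able to read and apply the GPO: the default "Authenticated Users" entry covers them because accounts from a trusted domain are authenticated users, so if you replace that entry with a local group, make sure the trusted domain's users or groups are still included.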