AD sites&subnets vs domain trusts
Setup:
Our company has an administrative top level domain called (for example) bean.com.
Each site gets their own domain sublevel [NameOfCity].bean.com with (of course) their own domain controllers and their own entry in Sites and Services.
This works fine.
- In our local site we have our own administrative subdomain domain (ex: mycity.bean.com) and production domain (ex: prod.local).
- There is a one way trust relation set up between the two where mycity.bean.com can authenticate on prod.local.
This also works fine.
- The computer host-a (Windows 2012R2) is a member of the prod.local domain and has an application which must be able to authenticate users from city.bean.com.
- The application is configured with a service account from the prod.local domain.
The web interface (its own engine, not IIS) this application presents, is able to authenticate users from mycity.bean.com without issue ... i.e.: this works fine.
Change:
The prod.local domain needs to be expanded, which involves the creation of a new site with new subnets.
Before adding domain controllers, I wanted to create the site with its subnets. For this, the steps in the link below have been followed
https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/
with the following differences:
- Default-First-Site-Name was already renamed to a more appropriate name, so this becomes SiteA
- SiteA already contains all the required subnets
- SiteB did not yet contain any domain controllers since this was in preparation
- No new Site Link has been created; the default one was modified to contain both sites in prod.local and the replication interval has been set to 15min.
Result:
The previously mentioned application can no longer authenticate users from mycity.bean.com.
However, using accounts from mycity.bean.com, I can still log on (RDP) to all hosts of prod.local.
The application appeared to be the only one impacted and reverting the changes in Sites and Services on the prod.local domain restores the functionality in the application.
Question:
The domain bean.com has, as already mentioned, its own series of sites with their own subnets.
The new site in prod.local has subnets with overlapping ranges in bean.local.
The new site in prod.local contains no domain controllers.
--> Could this overlap be the cause, the lack of domain controllers in the newly created site or am I missing something else?
active-directory windows-server-2012 domain microsoft trust
edited Dec 28 '18 at 16:35
GapWim
asked Dec 28 '18 at 9:11
GapWim
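
A way to check the two things the question asks about, as an added example that is not part of the original post: which prod.local site an address such as host-a's maps to (the most specific subnet object wins) and how many domain controllers each site holds. It assumes the RSAT ActiveDirectory module is available; the client IP is a constructed sample, and the domain names are the example names from the post.

```powershell
# Added example. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$Domain   = 'prod.local'     # example domain name used in the post
$ClientIp = '10.20.30.40'    # constructed sample; substitute host-a's IPv4 address

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $block = [math]::Pow(2, 32 - [int]$len)  # number of addresses in the subnet
    $a = [math]::Floor((ConvertTo-UInt32 $Ip)  / $block)
    $b = [math]::Floor((ConvertTo-UInt32 $net) / $block)
    $a -eq $b
}

$subnets = Get-ADReplicationSubnet -Filter * -Server $Domain
$dcs     = @(Get-ADDomainController -Filter * -Server $Domain)

# Longest-prefix match over the IPv4 subnet objects (client address -> site).
$match = $subnets |
    Where-Object { $_.Name -notmatch ':' -and (Test-InSubnet $ClientIp $_.Name) } |
    Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
    Select-Object -First 1

$siteName = if ($match) { ($match.Site -split ',')[0] -replace '^CN=' } else { '(no subnet match)' }
[pscustomobject]@{
    ClientIp      = $ClientIp
    MatchedSubnet = $match.Name
    Site          = $siteName
    DCsInSite     = @($dcs | Where-Object { $_.Site -eq $siteName }).Count
}

# DC count per site: a site with subnets but zero DCs shows up here.
Get-ADReplicationSite -Filter * -Server $Domain | ForEach-Object {
    $site = $_.Name
    [pscustomobject]@{
        Site    = $site
        Subnets = @($subnets | Where-Object { $_.Site -like "CN=$site,*" }).Count
        DCs     = @($dcs | Where-Object { $_.Site -eq $site }).Count
    }
}

# On host-a: the site it believes it is in, and the DC located per domain.
nltest /dsgetsite
nltest /dsgetdc:prod.local
nltest /dsgetdc:mycity.bean.com
```

Comparing the output before and after the Sites and Services change shows whether host-a moved into the DC-less site and whether the locator result for either domain changed.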