Dean,
If your goal in connecting the two networks together is purely so that your
one admin workstation can connect to both networks, then some of your ideas
would work just fine. Installing a 2nd NIC in your system and dropping
another cable into your workspace would be preferable to the wireless
solution. However, if the purpose of connecting the two networks together is
so that one or more clients on either network can communicate across network
boundaries, then I'd recommend doing that by connecting the routers together or
using a firewall. If your routers only have one existing LAN interface and
your routers are modular, you can add another LAN interface to each router
and link them together that way. Or you can use a firewall and set up the
smaller of the two networks as a perimeter network. If you have a really old
PC lying around (it could be an old Pentium 133 w/32 MB of RAM) and a couple
of cheap NICs, you could set up a crude router that would probably be fairly
stable (if $$$ were an issue and you didn't care about performance).
On the issue of the accounts and accessing resources between two companies,
I'd actually recommend, in your case, that you create two forests. While
there are few times that you'd want to complicate the AD with more than one
forest, I'd actually say that there's a good case to be made in your
situation. The reason I say this is because the two companies are separate.
I'm just thinking down the line that if the companies part ways it would be
cleaner. If you were to do a single forest with two trees (one for each
company), trust relationships between the domains in the two trees would
still be transitive. If you set up a separate forest for each company, then
you can set up forest trusts for single sign-on capabilities. There would be
no difference in hardware costs between a single forest with multiple trees or two
forests, each with a single tree, as both of them would require a minimum of 2
DCs for the most basic setup. Also, the Active Directory schema is
forest-wide. Therefore, if one of the companies deployed an application that
modifies the schema (MS Exchange, for instance) and then later gets spun off,
disbanded, or sold off to some other company, then the schema modifications
are there to stay. Once they are added there's no getting rid of them.
You'd just have to disable them.
I hope this helps.
Regards,
Steven
"dean.carrefour" wrote:
> I work in an office that contains two separate, but sort-of-related
> companies. I am the IT Manager for both. Right now, their networks are
> completely separate. I want to be able to connect them both together (maybe
> a bridge?) so that I can administer both of them from my main workstation.
> What are my options?
>
> Right now, there is only one network drop in my office, so I can only access
> one of the networks. I have thought of a couple of options, but I don't know
> which would be best:
>
> 1. Add a second network card to my machine, have another drop put in my
> office to connect me to the other network.
>
> 2. Add a wireless router to the other network (the one I don't have a
> connection to currently) and then add a wireless card to my machine.
> Basically same outcome as #1.
>
> 3. Bridge the two routers together somehow. They are both located in the
> same server room.
>
> 4. Leave the single network card in my machine, have another network drop
> added to my office, put a router in my office that has both networks
> connected to it, as well as my workstation.
>
> I want to make this as seamless as possible. Right now, the network I'm
> connected to has several Windows 2003 Servers (SQL, Exchange, Terminal
> Services, etc.), Active Directory and a domain name. It is the larger of
> the two networks by far. Both networks have their own internet connections
> and separate IPs, routers, etc.
>
> The other, smaller, network doesn't currently have a real server, just a PC
> that shares files, so it's only a workgroup right now. I will be upgrading
> that network at some point in the near future with its own server, domain,
> etc.
>
> I need to be able to access, browse, connect to shares, remote desktop
> connections, administer the servers, users, printers, etc. for both networks.
> I don't want to have to login every single time I need to access something
> on the network, outside of the normal login of my machine. So I'm concerned
> about access privileges, rights, etc. If I'm accessing files on the
> current, large, network, then need to do something on the server for the
> smaller network, I don't want to have to login to it, then have to login to
> the large network again the next time I need to access something there.
>
> Is there a way to set this up where I have access/rights on both networks so
> that I only have one login?
>
> The small network will always be much smaller and will never have as many
> servers or equipment. Maybe I could make the small network some type of a
> sub-network or tree in the larger network? There are only a couple of people
> that would need to access shared files between the two companies. Because
> they're healthcare-related companies, it must have adequate security and ensure
> that someone from one company is not getting access to something they
> shouldn't be accessing on the other company network.
>
> From the outside (web, email, etc.), the companies must appear to be
> completely separate. How hard would it be to change the Active Directory to
> make a top level network (forest), then have each of these networks set up as
> separate trees in that forest? Would that allow me to do what I need?
> Access both, with a single login (enterprise admin) while maintaining
> security and separation where needed? Is this even possible to do with AD
> (by modifying the current setup) or would it have to be built from scratch to
> end up that way?
>
> I'm going to be adding some new servers (Web, SQL (for web access),
> Exchange, one of which will be the new primary domain controller) to the
> larger network soon, one of which will be a dedicated web server. I will be
> hosting separate web sites for both companies on this one machine. It will be
> multi-homed. I don't see a need at this time for the users of the smaller
> network to have direct directory-level access to this machine for any reason;
> they will only need to access the web pages via a browser. But if the
> networks were connected together seamlessly, it would be a non-issue. With
> the new Exchange server, I want to host email for both companies on this one
> machine. I don't know if that will be possible if the networks aren't
> connected? I can't see how the smaller network could connect directly to the
> Exchange server via Outlook; it seems like they would only be able to use the
> webmail interface because they would otherwise not be members of that Windows
> domain?
>
> Thanks for any and all information. I'm not an AD pro at all, so I need all
> the advice I can get.
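As an added example (editor's code, not part of the thread above), this is how the two-forest arrangement Steven recommends can be built from a script once the small company's forest exists: a two-way forest trust gives the admin single sign-on, and selective authentication plus SID filtering then restricts who may cross the company boundary, which is the separation the healthcare requirement asks for. There is no native cmdlet for creating trusts, so the .NET System.DirectoryServices.ActiveDirectory classes are used directly. Forest names (bigco.local, smallco.local), the server DN and the BIGCO\dean account are assumptions for illustration; both forests must be at the Windows Server 2003 forest functional level, must be able to resolve each other's DNS names (conditional forwarders or stub zones), and the networks must be routed to each other as discussed above.

```powershell
# Added example, not from the thread: two forests joined by a forest trust,
# then locked down so that only explicitly approved accounts can authenticate
# across the company boundary. Run as an Enterprise Admin of bigco.local on a
# machine joined to that forest. Forest names, server DN and account are assumed.

Add-Type -AssemblyName System.DirectoryServices

$localForestName  = 'bigco.local'    # assumed: the large network's forest
$remoteForestName = 'smallco.local'  # assumed: the new forest for the small company

$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if ($local.Name -ne $localForestName) {
    throw "Run this from a machine joined to $localForestName (current: $($local.Name))"
}

# Bind to the other company's forest with an Enterprise Admin account from that forest.
$remoteCred = Get-Credential -Message "Enterprise Admin in $remoteForestName"
$remoteCtx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $remoteForestName,
    $remoteCred.UserName,
    $remoteCred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)

# Create the two-way forest trust. CreateTrustRelationship writes both sides
# because credentials for both forests are held; rerunning against an existing
# trust throws, so this is a one-time step.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$local.CreateTrustRelationship($remote, $direction)

# Selective authentication: without it, every user of the trusted forest becomes
# a member of Authenticated Users on the trusting side and reaches any share that
# grants that group. With it, a trusted-forest account can only log on to a
# computer whose object explicitly grants it "Allowed to Authenticate".
$local.SetSelectiveAuthenticationStatus($remoteForestName, $true)
$remote.SetSelectiveAuthenticationStatus($localForestName, $true)

# SID filtering is on by default for forest trusts; setting it explicitly makes
# the intent visible and ensures SIDHistory from the other forest is not honoured.
$local.SetSidFilteringStatus($remoteForestName, $true)
$remote.SetSidFilteringStatus($localForestName, $true)

# Verify the trust in both directions before anyone relies on it (throws on failure).
$local.VerifyTrustRelationship($remote, $direction)

# Grant the admin's account from the large forest the right to authenticate to one
# specific server in the small forest (assumed DN and account; the same grant is
# available from the Security tab of the computer object). Repeat per server the
# admin must manage; every other computer in smallco.local still refuses the account.
dsacls "CN=SMALLSRV01,OU=Servers,DC=smallco,DC=local" /G "BIGCO\dean:CA;Allowed to Authenticate"
```

Until the "Allowed to Authenticate" grant is in place, the trust exists but the admin cannot reach anything in the other forest, which is the intended default: access is opened server by server rather than to the whole network. The two employees who need shared files between the companies get the same treatment, with the grant placed on the one file server they use.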