2 Seperate DC's Syncing users?

[techyphil]

We run a seperate network using the 172. range which we've setup for 1 music block. Mainly so we can test, but it also contains alot of media etc so its ideal keeping it off the main school network.

I've setup a new DELL quad core server running x64 Win 2k8 Standard but want to bulk import all existing users from the schools domain to the music domain.

Ive done looads of research into sync'ing users from 1 AD to another but it doesnt appear to be possible unless its a sub-domain in a forest.

Im also doing a cisco course so figured, perhaps I can link between the 2 seperate DC's you see and make them work like that - simply sync users and nothing else.

I might just end up having manditory profiles and just several year group users and only setup individual students that are doing GCSE's and AS/A levels...

what would you recommend?

Thank You

[FN-GM]

What will you achieve by music having there own domain?

[techyphil]

What will you achieve by music having there own domain?

Well we have 2 new technicians under a trainee contract, it's a great oportunity for them to setup a LAN and server from scratch before we put them in the drivers seat of the main DOMAIN. I learnt most of my experiance and knowledge setting up the music block and feel its a great idea to continue doing so. It's never had decent workstations, only scraps which we would normally skip.

So every 2 years they get the next load of old workstations, no money has ever been set aside for them because they don't get enough students taking on music courses.

The only new bit of kit is the server, not costing alot but would hold the music files and steam multimedia.

[FN-GM]

If want to do that I would keep it totally separate from the main network.

[SYNACK]

I don't know of any automatic way of doing this with AD. The best segmentation you could get would be a domain trust between the two I believe that you can make these one way.

You could keep it all in the same domain but add a separate network adapter on a different subnet for just the replication to run over which would isolate the actual music stations from the primary network.

[Friez]

The easiest option is to make them both the same network and have one as a second domain controller. The next easiest option is to keep them as two entire seperate networks.

However, to have a 'two seperate networks, but not really GUV' type scenario I think what you want is a trust relationship between a couple of domains. I'm a bit sketchy on the details since I've never done it before.

I don't think a trust relationship synchs users as such though but may do authentication type things for you, like I said, not my area of expertise.

[apeo]

When you say sync users, what do you actually mean? Do you mean you want to maintain 2 different directories but have them somehow update each other i.e. change 1 users detail in 1 affects the other or do you just mean a user in the other directory can access resources to the different domain. When you say domain, are you taking about 2 forests, trees..?

[Jon]

I think I would keep it to just one domain.

In Active Directory I would create an OU for the music dept. and delegate control to the techs that you want to administer it. They could add and remove computers and users as neccassary, create and link GPO's, etc. without effecting the whole of the domain, and of course importantly you could still maintain overall control.

[robk]

Interdomain (forest in this case) trust. This would allow main domain users to appear in the music dept ad, so the could be added to groups etc.

GPOs etc would still be completey seperate.

This seems to be how a number of RBCs are looking at single sign on.

RobK