Exchange - Different Domain, Same Forest Users
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I think his thoughts were that having students on a separate domain (.net) provided some sort of security measure with accessing staff domain shares and the like (.org), because they would be .net users.
If he believes that the NTFS permissions don't work, then different domain / forest will do absolutely nothing. AD provides zero security, it's not that kind of thing. This is 100% a question of NTFS and share permission, nothing to do with AD at all.
The number of misunderstandings of computing basics necessary for him to think this is pretty heavy. For example...
- He has to fundamentally think AD is something that it is not, and simultaneously not know the Windows basics of the filesystem and share permission systems. All three of these things individually are extremely basic.
- He has to not trust whatever of those things he thinks is providing the security. From the description, it has to be AD. So he wants to use AD while simultaneously not believing that it works. Why would he implement it believing it would create a breach?
- He has to not understand domains and forests, because there is no security or mechanism difference between them. So the separation that he's done has no effect whatsoever. Everyone is open to everyone else as if there is only one domain. It's more complex to maintain, but adds no security. It adds no security in reality, but would also add no security in the weird misunderstanding world that he must have come up with, because the point of the "trust" is to remove all barriers between the two.
- All of this tells us that he's not in a position to be maintaining Windows systems in a situation where security is important.
- Which in turn tells us that running Exchange in house is out of the question. That's only okay in extremely niche situations, all of which revolve around having both very good Windows Admin and Exchange Admin skills already in house and already paid for that can't be eliminated. And even then, it rarely makes sense.
- It suggests that Windows, AD, and Exchange are all inappropriate technology choices because there is a lack of understanding what they are and as none of them are likely candidates as good choices even when they are well known, the chances that they are acceptable choices when they aren't known approaches zero.
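The point above is that the domain split does nothing for share security; only the share ACL and the NTFS ACL decide who gets in. The following PowerShell audit is an added example, not code from the thread or from any of its participants. It assumes a hypothetical share named StaffDocs on the file server you run it on and uses STUDENTS as a placeholder NetBIOS name for the other domain. It lists both ACL layers and flags every entry that reaches users of the other domain, including the well-known groups (Everyone, Authenticated Users, BUILTIN\Users) that, across a trust, contain the trusted domain's users as well.

```powershell
# Added example (not from the thread): audit who can reach a share through the
# two layers that actually gate access, the SMB share ACL and the NTFS ACL.
# Assumptions: a hypothetical share 'StaffDocs' on this host; 'STUDENTS' is a
# placeholder NetBIOS name for the other domain in the forest.
# Across a trust, Everyone and Authenticated Users include principals from the
# trusted domain, so a grant to them is a grant to the other domain's users no
# matter how many domains or forests sit between them.

param(
    [string]$ShareName   = 'StaffDocs',   # hypothetical share name
    [string]$OtherDomain = 'STUDENTS'     # placeholder NetBIOS name of the other domain
)

# Identities that implicitly include users from trusted domains.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Test-CrossDomainReach {
    param([string]$Identity)
    # True when the ACE grants access to the other domain's users, either
    # explicitly (STUDENTS\...) or implicitly through a broad well-known group.
    return ($broadGroups -contains $Identity) -or ($Identity -like "$OtherDomain\*")
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
Write-Host "Share ACL for \\$env:COMPUTERNAME\$ShareName ($($share.Path))"
Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    $flag = if (Test-CrossDomainReach $_.AccountName) { '  <-- reachable from other domain' } else { '' }
    '{0,-6} {1,-8} {2}{3}' -f $_.AccessControlType, $_.AccessRight, $_.AccountName, $flag
}

Write-Host "`nNTFS ACL for $($share.Path)"
(Get-Acl -Path $share.Path).Access | ForEach-Object {
    $id   = $_.IdentityReference.Value
    $flag = if (Test-CrossDomainReach $id) { '  <-- reachable from other domain' } else { '' }
    '{0,-6} {1,-30} {2}{3}' -f $_.AccessControlType, $_.FileSystemRights, $id, $flag
}
```

Effective access is the intersection of the two lists, so a share granted to Everyone with an NTFS ACL granting Authenticated Users is open to every user in the forest. The fix is on the same two layers: grant a staff-only security group and remove the broad entries, rather than adding another domain.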
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
All of this could have been avoided if I would have just double checked the boss’s work in the first place. Lesson learned.
That's one way to handle it. Another is... why is there someone in a "boss" position making decisions that he's clearly not trained to make at all, and why isn't he asking people for help? As the boss, there is nothing wrong with not knowing what Windows or AD are and not understanding email systems. That's fine. But how can he be the boss while making decisions around this stuff, especially really important ones, knowing he doesn't know anything about it?
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
Once there, do you really need two domains in the same forest? If the only reason the boss set up a second domain (and the second forest) was because he thought he had to in order for Exchange to handle email for a second domain, you need to correct that thinking: a single Exchange server can handle a huge number of email domains.
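As an added illustration of the point that one Exchange organization serves any number of mail domains (this is example code, not something posted in the thread): the two SMTP domains are declared as accepted domains, and which users get which address is decided by an email address policy, not by which AD domain the account lives in. Domain names, policy names, the mailbox identity and the use of CustomAttribute1 as the selector are all placeholders.

```powershell
# Added example (not from the thread): one Exchange organization, two mail
# domains. Run in the Exchange Management Shell with Organization Management
# rights. example.org / example.net stand in for the staff and student domains.

# 1. Declare both SMTP domains as authoritative so Exchange accepts mail for them.
New-AcceptedDomain -Name 'Staff'    -DomainName 'example.org' -DomainType Authoritative
New-AcceptedDomain -Name 'Students' -DomainName 'example.net' -DomainType Authoritative

# 2. Hand out addresses per population, not per AD domain. These policies key
#    off CustomAttribute1 (Staff / Student), which is set on the mailbox; an OU
#    filter via -RecipientContainer would work just as well.
New-EmailAddressPolicy -Name 'Staff addresses' -Priority 1 `
    -IncludedRecipients MailboxUsers -ConditionalCustomAttribute1 'Staff' `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@example.org'

New-EmailAddressPolicy -Name 'Student addresses' -Priority 2 `
    -IncludedRecipients MailboxUsers -ConditionalCustomAttribute1 'Student' `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@example.net'

# 3. Tag a (placeholder) mailbox and apply the policies to existing recipients.
Set-Mailbox -Identity 'jdoe' -CustomAttribute1 'Student'
Update-EmailAddressPolicy -Identity 'Staff addresses'
Update-EmailAddressPolicy -Identity 'Student addresses'

# 4. Verify: all accepted domains, and the addresses the tagged mailbox received.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType
Get-Mailbox -Identity 'jdoe' | Select-Object -ExpandProperty EmailAddresses
```

Nothing here references a second AD domain; a single forest with a single domain carries both address spaces, and the split between staff and students is a recipient attribute that the policies evaluate.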
It's deeper than this. This is correct, you need to step back. But not one pace, all the paces. What we know at this point implies that every decision along this path, not just the latest ones, was made recklessly and possibly randomly.
-
@scottalanmiller said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
Once there, do you really need two domains in the same forest? If the only reason the boss set up a second domain (and the second forest) was because he thought he had to in order for Exchange to handle email for a second domain, you need to correct that thinking: a single Exchange server can handle a huge number of email domains.
It's deeper than this. This is correct, you need to step back. But not one pace, all the paces. What we know at this point implies that every decision along this path, not just the latest ones, was made recklessly and possibly randomly.
Well yeah, but since the boss is making these kinds of calls/mistakes, the OP likely can't do much other than attempt to fix it or find another job. And fixing it will require the boss being OK with it being fixed.
I mean the OP could go over the boss's head and report him, but how often does that work out in the reportee's favor? Likely pretty rare.
-
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I've talked to the boss and he agreed that we adjust the trust and make them the same forest.
Could even be a single domain. Anything will work, some things are just easier.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
More than anything, it's important for you to have all of the information to understand when you are learning something good from the boss, or just learning that he's in over his head
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that, you'll only have one Exchange system. That system will have both .net and .org in it, and life will be generally much easier for you.
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that, you'll only have one Exchange system. That system will have both .net and .org in it, and life will be generally much easier for you.
Or move to Office 365, G Suite, Zoho or some other external email system.
-
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that, you'll only have one Exchange system. That system will have both .net and .org in it, and life will be generally much easier for you.
Or move to Office 365, G Suite, Zoho or some other external email system.
LOL