Front Office Football Central


primelord 05-19-2004 11:15 AM

Ping: Windows 2000 Admins and Active Directory experts
 
My "expertise" is with Unix so I was hoping we might have some Windows 2000 domain admins here that could help me. Here is the situation. We currently have a separate Windows NT domain that we are looking to upgrade to Windows 2000. However, instead of having it in its own domain we are going to migrate it into an existing Windows 2000 domain within the company.

The problem we are having is the security requirements for the current domain are more restrictive than the Windows 2000 domain we will be migrating to. We have been told that we can set up an OU that will handle many of our security requirements, but that account policies such as account lockouts after x number of invalid login attempts can only be handled at the domain level.

Is that statement correct? I have been told conflicting things. If it is correct, do you have any suggestions as to how we could implement a lockout policy that is more restrictive than the parent domain? Thanks for any help you can offer.

druez 05-19-2004 11:18 AM

Well, you could make it a child of the parent domain. Then you can set up a policy for the child domain.

Example: parent domain is xyzcompany.com

You could set up your restricted domain as restricted.xyzcompany.com and create a policy for that child domain.

Does that make sense?

Franklinnoble 05-19-2004 11:21 AM

Yeah, try the child domain suggestion - although I've never upgraded an NT 4.0 domain to a Win2k/2k3 child domain... this sounds like it will be a very difficult migration.

primelord 05-19-2004 11:23 AM

Quote:

Originally Posted by druez
Well, you could make it a child of the parent domain. Then you can set up a policy for the child domain.

Example: parent domain is xyzcompany.com

You could set up your restricted domain as restricted.xyzcompany.com and create a policy for that child domain.

Does that make sense?


Is setting up a child domain much different than just setting up a completely separate domain? I only ask because that is what we were originally pushing for, but we got push back saying that setting up a separate domain for our sites was overkill and too much work.

Is setting up a child domain similar or the same thing as giving a site its own OU to set policies separate from the domain?

druez 05-19-2004 11:44 AM

Pretty much along the same lines. But in the child domain situation you can use the user accounts across the whole network.... It also makes sharing data and permissions more seamless. But if it is just a developers network, I would get it separate on the domain. Also, if your main domain has some weird ass policies that might interfere with development, I would keep it separate.

Here at my company, we have our corp domain, some child domains and then a totally separate network for development.

druez 05-19-2004 11:46 AM

BTW, it's probably easier to set up a new domain than it would be to do the child domain thing. There is a command called movetree, I think. I can't remember if it will work on NT4, but it will preserve your user accounts etc. when moving across domains.

primelord 05-19-2004 12:31 PM

Thanks for the information. I will take this to our guys and see what they say.

