Re: AD 2003 - Empty root or Not!
From: Glenn L (the.only_at_gmail.com)
Date: 10/21/04
- Next message: Rajesh Kumar: "RE: Enable Remote Desktop and Firewall"
- Previous message: Serge: "Re: Remove GPO from member server that will not join the domain an"
- In reply to: Mike: "AD 2003 - Empty root or Not!"
- Next in thread: Mike: "Re: AD 2003 - Empty root or Not!"
- Reply: Mike: "Re: AD 2003 - Empty root or Not!"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 21 Oct 2004 03:26:19 -0700
It's a good question. I don't even know where I stand on this one anymore.
Pros
Separates the sensitive enterprise admin and schema admin groups from the
rest of the forest.
Provides a convenient placeholder domain to move objects into and out of
during migration and restructuring activities.
DNS namespace politics. Let's say you are contoso.com and you acquire
nwtraders.com (notice I have been trolling practice exams lately ;-)
I suspect the nwtraders.com executives would raise an eyebrow if they were
to be migrated into nwtraders.contoso.com child domain.
If you had a placeholder root domain.... let's say corp.com
Then you would have contoso.corp.com, and you could migrate nwtraders into
nwtraders.corp.com Nice and pretty right.....
Cons
You must maintain 2 computers and 2 Windows server licenses.
Forest-wide sensitive groups in a production domain. Future divisions that
may require domains of their own may be averse to that level of trust in
your domain administrators.
DNS namespace management.
Take my example.
As an alternative to nwtraders.contoso.com, you could create a new tree in
the forest called nwtraders.com (actually it would have to be slightly
different to get trusts set up and to use ADMT to perform the migration)
Now you have two separate namespaces you must manage and set up properly to
create seamless name resolution throughout your forest.
Of course it is possible to set up multiple tree roots even if there is an
empty placeholder root domain. I can't think of a good reason to have that.
my 2c :-)
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security

"Mike" <Mike@discussions.microsoft.com> wrote in message
news:FA60B8D8-7C62-4E28-8D9E-0352B7B8C727@microsoft.com...
> Guys,
>
> I'm trying to bottom out the definitive answer to creating a dedicated root
> domain OR not.
>
> Having an empty root domain seems to be AD / Win 2000 design best practice,
> however since 2003 the idea appears to have faded away..
>
> I'm looking at creating a pristine forest for the migration of 4 MUD's (2200
> users approx..) and a couple of Exchange 5.5 sites.. The organisation is
> largely centrally managed by a 3rd party however has a few in-house teams
> responsible for their own Wintel systems..
>
> So, for my new pristine forest should I go for a dedicated root (which will
> in turn will be namespace root for subsequent children domains, which I plan
> only to create one). Hardware costs aside, (the cost of 2 low end servers)
> what else is holding me back? Right now I see it as a sensible step to secure
> the EA and Schema forest wide groups.
>
> If I didn't go for a dedicated root (as I've read a few people are starting
> to do) how should you secure the forest wide groups? OR is the back to the
> point that your Domain Admin group should contain few users and you delegate
> control over OU's for specific functionality!
>
> Comments and thoughts would be most appreciated!
>
> Mikey.
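Whichever forest layout is chosen, the forest-wide groups the thread is debating (Enterprise Admins and Schema Admins) live only in the forest root domain, and the practical control is to keep their membership minimal and reviewed. The script below is an added example, not part of the original thread or either poster's work: it uses the ActiveDirectory PowerShell module (RSAT, a later addition than the 2003-era systems discussed) and assumes the caller can read group membership in the forest root domain. It looks the groups up by their well-known RIDs (519 and 518 under the root domain SID) rather than by display name, so renamed or localized groups are still found.

```powershell
# Added example (not from the original thread): report the members of the
# forest-wide sensitive groups and note whether Schema Admins is empty.
# Assumes the ActiveDirectory module and read access to the forest root domain.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
# forest root domain, so resolve them by SID against the root's PDC emulator.
$sensitiveGroups = [ordered]@{
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
}

$report = foreach ($name in $sensitiveGroups.Keys) {
    $members = Get-ADGroupMember -Identity $sensitiveGroups[$name] `
                                 -Server $rootDomain.PDCEmulator -Recursive
    if (-not $members) {
        # Empty is the desired state for Schema Admins between schema changes.
        [pscustomobject]@{ Group = $name; Member = '<empty>'; ObjectClass = ''; Domain = '' }
        continue
    }
    foreach ($m in $members) {
        # Derive the member's domain from the DC= components of its DN so
        # accounts pulled in from child domains are visible in the report.
        $domainPart = ($m.distinguishedName -split ',DC=', 2)[1] -replace ',DC=', '.'
        [pscustomobject]@{
            Group       = $name
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Domain      = $domainPart
        }
    }
}

$report | Format-Table -AutoSize
```

Run it from an account with forest-wide read rights and compare the output against the short list of people who should hold these roles; anything other than the built-in Administrator (and, for Schema Admins, an empty group outside planned schema updates) is worth a question, regardless of whether the root domain is dedicated or shared with production.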