Re: AD 2003 - Empty root or Not!
From: Mike (Mike_at_discussions.microsoft.com)
Date: 10/21/04
- Next message: Tone: "Local System Policy not Applied to AD Account"
- Previous message: Elton Seng Yan Thung: "XP PRo group policy in win2k Ad"
- In reply to: Glenn L: "Re: AD 2003 - Empty root or Not!"
- Next in thread: Gotcha: "Re: AD 2003 - Empty root or Not!"
- Reply: Gotcha: "Re: AD 2003 - Empty root or Not!"
- Reply: Glenn L: "Re: AD 2003 - Empty root or Not!"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 21 Oct 2004 06:05:33 -0700
Cheers for your comments.. It's an interesting one..
Having a generic empty root is a cool idea for future acquisitions / changes
etc but raises the issue of arguably over-complicating the AD design.. I want
to keep things simple and have a contiguous namespace etc.. Future
acquisitions could be handled via forest trusts etc...
The only real advantage (which is a valid one - but I would like some more
thoughts) of a dedicated root therefore is to segregate the EA / Schema
forest roles from other admins etc…
More thoughts and comments welcome!
Mikey.
"Glenn L" wrote:
> It's a good question. I don't even know where I stand on this one anymore.
>
> Pros
> Separates the sensitive enterprise admin and schema admin groups from the
> rest of the forest.
> Provides a convenient placeholder domain to move objects into and out of
> during migration and restructuring activities.
> DNS namespace politics. Let's say you are contoso.com and you acquire
> nwtraders.com (notice I have been trolling practice exams lately ;-)
> I suspect the nwtraders.com executives would raise an eyebrow if they were
> to be migrated into the nwtraders.contoso.com child domain.
> If you had a placeholder root domain....let's say corp.com
> Then you would have contoso.corp.com, and you could migrate nwtraders into
> nwtraders.corp.com Nice and pretty right.....
>
> Cons
> You must maintain 2 computers and 2 Windows server licenses.
> Forest-wide sensitive groups in a production domain. Future divisions that
> may require domains of their own may be averse to that level of trust in
> your domain administrators.
> DNS namespace management.
> Take my example.
> As an alternative to nwtraders.contoso.com, you could create a new tree in
> the forest called nwtraders.com (actually it would have to be slightly
> different to get trusts set up and to use ADMT to perform the migration)
> Now you have two separate namespaces you must manage and set up properly to
> create seamless name resolution throughout your forest.
> Of course it is possible to set up multiple tree roots even if there is an
> empty placeholder root domain. I can't think of a good reason to have that.
>
> my 2c :-)
>
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
> "Mike" <Mike@discussions.microsoft.com> wrote in message
> news:FA60B8D8-7C62-4E28-8D9E-0352B7B8C727@microsoft.com...
> > Guys,
> >
> > I'm trying to bottom out the definitive answer to creating a dedicated
> > root domain OR not.
> >
> > Having an empty root domain seems to be AD / Win 2000 design best
> > practice, however since 2003 the idea appears to have faded away..
> >
> > I'm looking at creating a pristine forest for the migration of 4 MUD's
> > (2200 users approx..) and a couple of Exchange 5.5 sites.. The organisation is
> > largely centrally managed by a 3rd party however has a few in-house teams
> > responsible for their own Wintel systems..
> >
> > So, for my new pristine forest should I go for a dedicated root (which
> > will in turn be the namespace root for subsequent child domains, of which I
> > plan to create only one). Hardware costs aside (the cost of 2 low end servers),
> > what else is holding me back? Right now I see it as a sensible step to
> > secure the EA and Schema forest-wide groups.
> >
> > If I didn't go for a dedicated root (as I've read a few people are
> > starting to do) how should you secure the forest-wide groups? OR is it back to the
> > point that your Domain Admin group should contain few users and you
> > delegate control over OU's for specific functionality!
> >
> > Comments and thoughts would be most appreciated!
> >
> > Mikey.
>
>
>
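Whether or not the root is empty, Enterprise Admins and Schema Admins exist only in the forest root domain, so the question "how should you secure the forest-wide groups?" comes down to keeping their membership tiny and watching it. The following PowerShell is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module and a membership policy (Schema Admins empty outside schema changes, at most two break-glass Enterprise Admins) that you would replace with your own.

```powershell
# Added example (not from the thread): audit the forest-wide privileged groups
# the discussion is about. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain   # EA and Schema Admins live only in the root domain
# Query a DC of the root domain so the group names resolve there, not in a child.
$dc = (Get-ADDomainController -DomainName $root -Discover).HostName | Select-Object -First 1

$groups = @('Enterprise Admins', 'Schema Admins')
$report = foreach ($g in $groups) {
    # -Recursive expands nested groups, so a group-in-a-group cannot hide members
    $members = Get-ADGroupMember -Identity $g -Server $dc -Recursive
    [pscustomobject]@{
        Group   = $g
        Domain  = $root
        Count   = @($members).Count
        Members = ($members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }) -join ', '
    }
}
$report | Format-Table -AutoSize

# Assumed policy for this example: Schema Admins is empty except during a planned
# schema change, and Enterprise Admins holds only break-glass accounts.
$schema = $report | Where-Object Group -eq 'Schema Admins'
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins is not empty ($($schema.Count) members); schema changes are possible right now."
}
$ea        = $report | Where-Object Group -eq 'Enterprise Admins'
$threshold = 2   # assumed: number of break-glass accounts your design allows
if ($ea.Count -gt $threshold) {
    Write-Warning "Enterprise Admins has $($ea.Count) members, more than the $threshold break-glass accounts allowed."
}
```

Run it from a scheduled task and diff the output against the previous run; a new member of either group is a change worth an incident ticket, regardless of which domain the admin who made it came from.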