Re: Forest, Domain, OU design question
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/28/05
- In reply to: C Hall: "Re: Forest, Domain, OU design question"
- Next in thread: C Hall: "Re: Forest, Domain, OU design question"
- Reply: C Hall: "Re: Forest, Domain, OU design question"
Date: Mon, 28 Feb 2005 20:58:25 -0000
That's 'cause 70-217 is administering AD; AD design is 70-219 ;-)
I was going to mention there's not much on design issues - just a bit on DC/GC placement...

--
Paul Williams
http://www.msresource.net
http://forums.msresource.net

"C Hall" <someone@microsoft.com> wrote in message news:eFABh%23cHFHA.2648@TK2MSFTNGP14.phx.gbl...
Herb,

I passed the exam today, however was certainly surprised. It seemed that the exam was more focused on GPO, NT 4 DNS situations and RIS than any real situations regarding AD design. There were a couple of questions, but not that many.

"Herb Martin" <news@LearnQuick.com> wrote in message news:uAHU6VIHFHA.2704@tk2msftngp13.phx.gbl...
> "Chris Hall" <someone@microsoft.com> wrote in message
> news:eR8W5fGHFHA.2752@TK2MSFTNGP12.phx.gbl...
> > Good evening,
> >
> > I'm preparing for exam 70-217 and while I realize this is not a Cert forum,
> > I find this forum a much better resource to LEARN versus pass a test. With
> > that in mind, we have a rather small implementation of AD in our shop and I
> > have questions on some design principles. From what I've learned thus far, a
> > new forest should be created if company abc were to acquire company 123 and
> > they wanted separate schemas or keep administration separate.
>
> Two primary reasons for multiple forests:
>
> 1) Separate Schemas
> 2) Complete 'autonomy' (i.e., separation of control)
>
> > Domains are
> > used also to separate or decentralize administration or to establish
> > separate security policies. OUs are used to delegate authority.
>
> Domains are REQUIRED for "different security
> ACCOUNT policies" (not just 'security policies')
> although sloppiness is possible on any particular
> question.
>
> Security Account policies = kerberos, password, lockout
>
> Domains may be required/desired if you need "complete
> control" of resources, mirroring NT domain structures
> (more likely temporary), and for either/both "massive
> number of objects" and to "control replication" in WANS.
>
> Generally massive is really a LOT (upwards of 100K and
> maybe a million) and WANS work fine in the same domain
> in almost all cases since Sites generally do a good job
> of controlling replication.
>
> BUT as the number of objects goes up and the WAN
> bandwidth (available) goes down there are special
> cases that require multiple domains.
>
> Also if SMTP replication is required so is a separate
> domain (SMTP requires it.)
>
> Generally, OUs though will allow for delegation of
> control.
>
> In fact the two primary reasons for creating OUs are:
>
> 1) Delegation of control
>
> 2) Linking Group Policy
>
> > I realize there's no one set way to design an AD structure, but if someone
> > can give me some pointers from the 'field', I'd appreciate it.
>
> Actually those principles (and a couple more--not many)
> cover 99% of cases.
>
> --
> Herb Martin
>
> > Chris