Re: Parent / Child Domains / namespace



> I have read that most recommended creating a "mysite.com" as your forest
> and domain and making a "corp.mysite.com" for your corporate office and
> one for each extra external office. At what size of a setup would this be
> recommended?

This is not good information. This is a bad design idea. The best
practices (and experience) dictate that as few domains as possible is best.
Also, try and make your directory as flat as possible.

There are only a small number of reasons for implementing additional
domains; the rest are usually political and for the wrong reasons.
Differing security settings such as password policies, Kerberos policies,
etc. are one; governing laws are another, i.e. a certain country requires
that its data must be held in a domain in this country, etc.

Security, via the all-powerful accounts only residing in the root, is now
obsolete due to elevation attacks being quite easy.

In general, you should try and have a single-domain forest. Obviously,
there are often needs for an empty root and a small number of child domains,
but you should not be looking at a domain per site.


> I have 20 locations total (including corporate), however only corporate
> houses the servers. The branch locations are so small that it isn't worth
> the cost of putting a server at each one. However we may choose this road
> later, so I want to implement this so we can easily go that route later.

One domain, twenty sites. If you increase the number of users at a site
later, you can add a DC to that site (for the existing domain) if necessary.
Logically configuring your directory into sites is a way of reducing WAN
traffic, etc. This is best.


--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
