Re: Disadvantages of working at the forest level?
- From: jwgoerlich@xxxxxxxxx
- Date: 30 Jan 2007 10:14:32 -0800
You can create two domains, one at the forest level and another for
the users and computers. The top one would be a "Dedicated Forest Root
Domain", which describes a forest root domain in which only the
administrative accounts that control forest-wide administration tasks
(such as managing the schema, sites, and domains) are stored.
The first domain created in a forest is automatically assigned the
role of forest root domain. All other domains build upon the forest
root domain to define the directory hierarchy. The root domain is
crucial in an Active Directory forest. It is the home of the schema
and the configuration information. If all root domain controllers are
lost, and therefore the root domain is lost, the forest will not
operate correctly anymore.
In such an arrangement, all user, group, and computer accounts are
stored in child domains or tree-root domains. The best practices
approach to domain design dictates that the forest root domain be
dedicated exclusively to administering the forest infrastructure.
Advantages:
- Fewer administrators can make forest-wide changes. Limiting the
forest root domain administrative membership reduces the likelihood
that an administrative error will impact the entire forest.
- Easily replicated for forest backup. A small root domain can be
easily replicated anywhere on your network to provide protection
against geographically centered catastrophes.
- Never becomes obsolete. It is relatively difficult to retire or
rename the root domain, which you may need to do if your organization
changes. A dedicated root domain never becomes obsolete because it
functions solely as the forest root.
Disadvantages:
- Duplicate usernames and passwords. Though in theory there are fewer
enterprise admins, in practice many companies create two accounts for
administrators, one in each domain. This creates confusion because,
though the names are the same, the passwords and privileges are not.
- Additional hardware expenses. If the company sticks to having
dedicated domain controllers, which is a best practice, then adding a
domain means adding computers. If the DCs are not dedicated, then
adding domains will decrease the overall security posture because
running a DC on a shared computer (say, a web server) makes these more
vulnerable to attack.
In the end, it depends upon the environment. I have set up Active
Directory trees both ways, with and without dedicated forest root
domain.
Regards,
J Wolfgang Goerlich
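The following script is an added example, not part of the original post or anything the author published. It audits the two points above from a defender's view: how many accounts hold forest-wide privilege in the root domain, and whether the same sAMAccountName holds Domain Admins in more than one domain (the "two accounts per administrator" pattern). It assumes the RSAT ActiveDirectory and ServerManager modules are installed, that the well-known groups carry their default English names, and that the account running it can read group membership in every domain of the forest.

```powershell
# Added example (not from the original post): audit forest-wide admin group
# membership and look for same-named admin accounts in more than one domain.
# Assumptions: RSAT ActiveDirectory + ServerManager modules, default English
# group names, read access to every domain in the forest.
Import-Module ActiveDirectory
Import-Module ServerManager

$forest = Get-ADForest
$root   = $forest.RootDomain

# 1. Forest-wide privilege lives only in the forest root domain.
#    Enterprise Admins and Schema Admins should be small, deliberately curated lists.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Server $root -Recursive)
    "{0}: {1} member(s) in root domain {2}" -f $group, $members.Count, $root
    $members |
        Select-Object SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}

# 2. Duplicate admin usernames across domains.
#    Collect every user that is (directly or transitively) a Domain Admin in
#    each domain of the forest, tagged with the domain it came from.
$domainAdmins = foreach ($domain in $forest.Domains) {
    Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{ Domain = $domain; SamAccountName = $_.SamAccountName }
        }
}

# A sAMAccountName present in several domains is the confusing pattern the post
# describes: same name, but different passwords and different privileges.
$domainAdmins |
    Group-Object SamAccountName |
    Where-Object Count -gt 1 |
    ForEach-Object {
        "{0} holds Domain Admins in: {1}" -f $_.Name,
            (($_.Group.Domain | Sort-Object -Unique) -join ', ')
    }

# 3. Non-dedicated domain controllers.
#    A DC that also runs a web server (Web-Server feature) is the shared-host
#    case the post warns about; list any DC where that feature is installed.
foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        $dc  = $_.HostName
        $web = Get-WindowsFeature -Name Web-Server -ComputerName $dc -ErrorAction SilentlyContinue
        if ($web -and $web.Installed) {
            "WARNING: domain controller {0} ({1}) also runs the Web-Server role" -f $dc, $domain
        }
    }
}
```

Run it from a management workstation with forest-wide read rights; section 1 is the number to keep small when the root domain is dedicated, section 2 flags every name that will need a naming convention or a single cross-domain account, and section 3 needs WinRM or the remote ServerManager endpoint on each DC to report anything.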