Re: Disadvantages of working at the forest level?




"Michael" <admin@xxxxxxxxxxxxx> wrote in message
news:u6MSnJJRHHA.2172@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> Should a domain always be created below the forest level?
> Or can we work at the forest level if we want?

The Forest is ALL domains of that forest, so we must presume
you are using the phrase "forest level" to mean the "Root Forest
Domain" ( or perhaps an additional "Tree Root".)

You can run a forest perfectly fine under many/most conditions
with a single domain.

There are specific reasons for creating domains but most small
and medium size companies can do just fine with a single domain
in their forest.

> Just looking for reasons/advantages/disadvantages.

We would have to write the equivalent of about a chapter in
a book to give that full coverage, all without knowing your
situation.

Generally, domains are created for some of these SPECIFIC reasons:

1) (near) Full control by other admins *
2) Mirror NT Domains (because we always did it that way, or temporarily
   during migration) *
3) Massive number of objects ** (seldom needed)
4) Control replication in very poor replication situations (seldom needed) **
5) Different account security policies -- password, lockout, kerberos
6) Anything else that causes you to need a different forest ***

* #1 and #2 are really very similar and related in many cases.

** #3 and #4 are related in that AD can support 10 Million users or more
in a separate domain, and it can usually replicate efficiently over slow
lines, but if the line is slow/poor/error-prone etc. and the number of
objects is LARGE then this is a balance; more objects require better lines
to "stay in the same domain" (at some point.)

#4 might also be caused by heavily filtered WAN firewalls that disallow RPCs
but do allow SMTP -- SMTP replication requires separate domains.

*** Main reasons for creating a forest are:

1) Complete autonomy (truly separate security boundaries and control)
2) Different schemas

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)




