Re: AD design question



Makes sense.

There are a few reasons here I can think of:

Controlling replication scope (accounts from Asia don't need to be in North
America)
Password Policies
Empty Root
Distribution of authority
....

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com


"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02139146-5688-4134-AEB8-E671D0CA57AB@xxxxxxxxxxxxxxxx
Yes this is correct. There aren't many organisations in Australia that
have more than a few thousand people and I work in Canberra so they are
almost always federal government with a centralised (if not outsourced)
administration model. This is why a lot of the guidance from MS isn't of
particular use since they are almost always talking about organisations
with sites all over the place and 10,000 people or whatever. Even the
Branch Office Deployment Guide design is huge overkill for anything I've
ever done.

Even so, my AD design methodology has always been heavily weighted on
simplicity. I'd need a pretty good reason to add an extra Domain when one
could do the job.

"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message
news:eD05L2yjHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
You have not worked with large organizations then that are highly
geo-distributed. This is a pretty normal model in them.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com


"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F463C50E-CC74-4D9D-9F04-3680ED52E404@xxxxxxxxxxxxxxxx
I am in complete agreement with Allan. The cases where you put in a root
domain for the purposes of enterprise administration are very rare and
specialised.

I've been putting in ADs for 7 years and have never put in multiple
Domains, let alone multiple forests. Usually because the administration
model of the organisation has been centralised.

"Allan Jacobs" <allanjnyc@xxxxxxxxxxx> wrote in message
news:40291832-0CA7-46F2-B71F-32779DEE6744@xxxxxxxxxxxxxxxx
Hi Phil,

I may be in the minority, but I have never seen the value of the empty
root domain, except to solve political issues (which division should
"own" the root) or for VARs and consultants to sell more hardware and
server licenses. In order to solve most security concerns a well
constructed delegation model should be created. Keep membership in the
domain admins group very small. Carefully construct an OU structure.
Intelligently create shares. If you don't design for security, two
extra DCs in an empty root will do little good.

Allan Jacobs
<phil2627@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non-staff. We are
still undecided on the model, but know the following:
- the only real secure model is separate forests, where staff could be in
one and non-staff in the other, and set up trusts to have certain staff
access resources in the other forest
- one forest, one domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- the empty root domain model would not "secure" the enterprise admin
accounts. But can Domain Admins in a child domain access the
Enterprise Admins group without physical access to the servers?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.


With the Empty Root model the enterprise account is in its own domain,
which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall, I can go on with completing our single domain
model. Thanks.
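Added example, not part of the thread above: whichever model you pick, the check Allan's reply calls for ("keep membership in the domain admins group very small") is something you can actually measure. The PowerShell below is a read-only audit that expands the forest-scoped groups (Enterprise Admins, Schema Admins, which exist only in the root domain) and the per-domain Domain Admins and builtin Administrators groups, nested membership included, and then lists every object carrying sIDHistory. It assumes the RSAT ActiveDirectory module and an account that can read every domain in the forest; the domain list comes from Get-ADForest, the group names are the English defaults, and the RIDs/SIDs are the well-known ones. The function name Show-Members is mine.

```powershell
# Added example (not from the thread): read-only audit of effective admin
# group membership across a forest, plus sIDHistory. Assumes the RSAT
# ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

function Show-Members {
    param([string]$Group, [string]$Domain)
    try {
        # -Recursive flattens nested groups, so a user reached through three
        # levels of nesting is still listed; that is usually where surprises hide.
        $members = @(Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop)
    } catch {
        Write-Warning "Could not expand $Group in ${Domain}: $($_.Exception.Message)"
        return
    }
    "{0} in {1}: {2} effective member(s)" -f $Group, $Domain, $members.Count
    foreach ($m in $members) {
        "    {0,-8} {1}" -f $m.objectClass, $m.distinguishedName
    }
}

# Enterprise Admins and Schema Admins live only in the forest root domain.
# Membership here is forest-wide authority, whatever domain the member's
# account happens to live in.
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    Show-Members -Group $g -Domain $root
}

foreach ($domain in $forest.Domains) {
    # Resolve Domain Admins (RID 512) and the builtin Administrators group
    # (S-1-5-32-544) by SID rather than by localisable display name.
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    Show-Members -Group "${domainSid}-512" -Domain $domain
    Show-Members -Group 'S-1-5-32-544' -Domain $domain

    # Any principal with sIDHistory presents a second identity at logon.
    # Expected after a migration; otherwise each value needs an explanation.
    $withHistory = Get-ADObject -Server $domain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
    foreach ($obj in $withHistory) {
        foreach ($sid in $obj.sIDHistory) {
            "sIDHistory on {0}: {1}" -f $obj.DistinguishedName, $sid
        }
    }
}
```

Run it from any domain-joined machine with the RSAT tools; it changes nothing. The member counts are the number to keep small, and the sIDHistory listing is the quickest way to notice an account in one domain that also carries a SID from another.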