Re: AD design question

I could pretty easily be convinced to come work in Canberra if someone would pay me well. I wouldn't miss giant orgs in the slightest. :)


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jeremy wrote:
Yes this is correct. There aren't many organisations in Australia that have more than a few thousand people and I work in Canberra so they are almost always federal government with a centralised (if not outsourced) administration model. This is why a lot of the guidance from MS isn't of particular use since they are almost always talking about organisations with sites all over the place and 10,000 people or whatever. Even the Branch Office Deployment Guide design is huge overkill for anything I've ever done.

Even so, my AD design methodology has always been heavily weighted on simplicity. I'd need a pretty good reason to add an extra Domain when one could do the job.

"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message news:eD05L2yjHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
You have not worked with large organizations then that are highly geodistributed. This is a pretty normal model in them.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com


"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F463C50E-CC74-4D9D-9F04-3680ED52E404@xxxxxxxxxxxxxxxx
I am in complete agreement with Allan. The cases where you put in a root domain for the purposes of enterprise administration are very rare and specialised.

I've been putting in ADs for 7 years and have never put in multiple Domains let alone multiple forests. Usually becuase the administration model of the organisation has been centralised.

"Allan Jacobs" <allanjnyc@xxxxxxxxxxx> wrote in message news:40291832-0CA7-46F2-B71F-32779DEE6744@xxxxxxxxxxxxxxxx
Hi Phil,

I may be in the minority, but I have never seen the value of the empty root domain, except to solve political issues (which division should "own" the root) or for VARs and consultants to sell more hardware and server licenses. In order to solve most security concerns a well constructed delegation model should be created. Keep membership in the domain admins group very small. Carefully construct an OU structure. Intelligently create shares. If you don't design for security, two extra DCs in an empty root will do little good.

Allan Jacobs
<phil2627@xxxxxxxxx> wrote in message news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non staff. We
are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and setup trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.


With the Empty Root model the enterprise account is in it's own
domain
which somewhat secures it, but this model requires more hardware.


If someone could please explain how a person in a child domain can
gain access to the enteprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.






.

Relevant Pages

  • Re: AD design question
    ... I may be in the minority, but I have never seen the value of the empty root domain, except to solve political issues or for VARs and consultants to sell more hardware and server licenses. ... access resources in other forest ... - empty domain model would not "secure" the enterprise admin ... enterprise admin group without physical access to the servers? ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD design question
    ... extra DCs in an empty root will do little good. ... access resources in other forest ... - empty domain model would not "secure" the enterprise admin ... With the Empty Root model the enterprise account is in it's own ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD design question
    ... access resources in other forest ... - empty domain model would not "secure" the enterprise admin ... enterprise admin group without physical access to the servers? ... With the Empty Root model the enterprise account is in it's own ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD design question
    ... Windows Server MVP - Directory Services ... access resources in other forest ... - empty domain model would not "secure" the enterprise admin ... enterprise admin group without physical access to the servers? ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD design question
    ... I may be in the minority, but I have never seen the value of the empty root domain, except to solve political issues or for VARs and consultants to sell more hardware and server licenses. ... - empty domain model would not "secure" the enterprise admin ... enterprise admin group without physical access to the servers? ... With the Empty Root model the enterprise account is in it's own ...
    (microsoft.public.windows.server.active_directory)
Loading