Re: Reasons for Empty (headless root) Root
- From: Chelis Guifoyle <ChelisGuifoyle@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 May 2007 18:58:02 -0700
When I say more security, I mean that the forest itself is protected by the
fact that certain active security principals would be moved off into a
separate boundary, that being the child domain. These principals, which would
normally have had free rein to do things in the root, would now be isolated
to only doing things in their domain vs. affecting the entire forest via the
root....
Do you disagree with me by saying a domain is also a security boundary in
that the administrative control is cut off from other domains such that it
cannot directly affect them?
I guess one could argue about how the root (er initial domain) was
administered, but that's beside the point....
What it comes down to is that our company started a 2nd domain based on
geographical boundaries. This child has its own administrative control to a
degree... their staff administer their own domain for the most part. Now the
question for our team, since we've been on the root from the beginning, is
whether we should follow suit and base it geographically: move everyone off
into a new child, empty out the root, and create only specific accounts in
the root...
What do you think?
"Joe Richards [MVP]" wrote:
You are wrong if you think it gives more security. The forest, not the
domain, is the security boundary; what security benefit do you get moving
objects around within the boundary?
My opinion on whether it is good or not depends on the company I am
talking to and their stated goals/desires. For most companies, I think it is
a bad idea; in fact, I think they should have a single domain forest.
For other companies, notably some of the Fortune 5 companies I have worked
on, I wouldn't have implemented it any other way. Again, it depends on the
company and whether it makes sense at that company.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Chelis Guifoyle wrote:
What is your opinion on why it's good vs. bad? I'm curious to hear more on the
topic...
The only thing I see is moving users off the forest root which would allow
for somewhat greater security of the forest/enterprise. Am I on the wrong
track here?
Thanks!!
"Joe Richards [MVP]" wrote:
This can be debated for days; it depends entirely on the company, the
goals, and what kind of administrative overhead a company is willing to
accept for an empty root. In general, smaller companies don't usually do
it, but larger companies are more likely to do it; but again, it is all
based on things specific to those companies. There is no security
benefit of doing this.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Chelis Guifoyle wrote:
What are the pros and cons, or why/why nots, for moving off the root domain and
into a child? We already have 2 children based off geographical means, and the
users in our first domain, where most users originated, are still on the root.
Ideally we'd like to move these original users to a new domain that is more akin
to the geographical standard already set.
Thanks in advance.
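Whichever way the empty-root question is decided, the point made in the thread is that forest-level control lives in the root domain's groups (Enterprise Admins, Schema Admins, and the root's Domain Admins and Administrators). The following audit script, added here as an example and not from any poster, lists the user members of those groups and flags accounts that live in a child domain; it assumes the RSAT ActiveDirectory module on a domain-joined session with read access to the forest root.

```powershell
# Added example: enumerate who holds forest-wide rights via the root domain.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootDc     = $rootDomain.PDCEmulator          # query the root's own DC

# Enterprise Admins and Schema Admins exist only in the forest root.
# The root's Domain Admins and Administrators also control the whole forest.
$forestWideGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

$report = foreach ($groupName in $forestWideGroups) {
    # -Recursive expands nested groups down to the individual principals
    $members = Get-ADGroupMember -Identity $groupName -Server $rootDc -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        # The DC= tail of the DN identifies the domain the account lives in
        $dn = $m.DistinguishedName
        $accountDomainDn = $dn.Substring($dn.IndexOf('DC='))

        [pscustomobject]@{
            Group           = $groupName
            Member          = $m.SamAccountName
            AccountDomain   = $accountDomainDn
            FromChildDomain = ($accountDomainDn -ne $rootDomain.DistinguishedName)
        }
    }
}

# Accounts from a child domain that still hold root-level group membership
# are exactly the ones an "empty root" design is meant to keep out.
$report | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it before and after any restructuring: if the same accounts appear in these groups either way, the move has changed where objects sit but not who controls the forest.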