Re: Flattening a Forrest



Sorry if that isn't clear in my original post, but that's what I plan to do.
I am leaving the forest root domain as a container. The new domain tree
will house OUs representing the domains. I will then use user/group
security and delegated permissions to manage the environment.


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:O5SgbCCuHHA.668@xxxxxxxxxxxxxxxxxxxxxxx
Child domains DO NOT offer delegated security. Why? There is not much
difference between a domain admin in a child domain or in the forest root
domain, at least security-wise.

OK, so you have 17 child domains and one forest root domain. WHY do you
want to trade the 17 child domains with a new tree root domain?

IMHO, if you want to consolidate, move the contents of the child domains
into the forest root domain and delegate stuff at OU level.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"Eric Darby" <eric@xxxxxxxxxxx> wrote in message
news:uJxZWR$tHHA.5036@xxxxxxxxxxxxxxxxxxxxxxx
So I inherited a forest that has 17 child domains, 1 for each regional
office. After reviewing the structure, this was done more for delegated
security and not for a need to have separated structure.

I've decided to flatten the domain and was thinking that I would create a
new domain tree, leaving the forest root intact. Subsequently, I would
demote all of the child domains and join the servers to the new tree,
reducing the number of DC/DNS servers.

Just curious as to opinions on whether it is necessary to keep the forest
root (will house primary/secondary DNS) and overall thoughts.

Thanks!
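
The OU-level delegation discussed in this thread, as an added example that is not part of the original posts: one OU per former regional child domain, each delegated to its own admin group with user-management rights only. The domain DN, NetBIOS name, OU names, group names and region list are constructed placeholders; it assumes the ActiveDirectory PowerShell module and dsacls are available.

```powershell
# Added example. Domain, OU, group and region names are constructed placeholders.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example,DC=com'    # assumed consolidated domain
$netbios  = 'CORP'                         # assumed NetBIOS domain name
$regions  = 'Atlanta', 'Boston', 'Chicago' # constructed; one entry per office

function New-OuIfMissing([string]$Name, [string]$Path) {
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
    return $dn
}

# Regional OUs live under one parent; delegation groups live in a separate OU
# that the regional admins get no rights on, so they cannot edit membership.
$regionsDn = New-OuIfMissing -Name 'Regions' -Path $domainDn
$groupsDn  = New-OuIfMissing -Name 'Delegation Groups' -Path $domainDn

foreach ($region in $regions) {
    $ouDn  = New-OuIfMissing -Name $region -Path $regionsDn
    $group = "$region-OU-Admins"
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope DomainLocal `
            -GroupCategory Security -Path $groupsDn
    }

    # Least privilege: create/delete users in the OU, reset passwords and
    # unlock accounts on user objects below it. Nothing at domain level.
    $grants = @(
        @('/I:T', 'CCDC;user'),
        @('/I:S', 'CA;Reset Password;user'),
        @('/I:S', 'WP;pwdLastSet;user'),
        @('/I:S', 'WP;lockoutTime;user')
    )
    foreach ($g in $grants) {
        dsacls $ouDn $g[0] /G "${netbios}\${group}:$($g[1])" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ouDn ($($g[1]))" }
    }

    # Review the resulting ACEs for the delegation group
    dsacls $ouDn | Select-String -SimpleMatch $group
}
```

Each regional group ends up with rights scoped to its own OU subtree, while Domain Admins membership stays limited to the central team.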



