Re: Flattening a Forrest
- From: "Eric Darby" <eric@xxxxxxxxxxx>
- Date: Thu, 28 Jun 2007 08:45:56 -0400
I do actually want to start fresh as we seem to have several weird issues.
Users in child domains cannot authenticate to local resources, rogue domains
in the forest, etc. I think I'm actually going to start a new forest.
Also there are like 40 people who currently have Enterprise rights and most
people know the domain admin passwords.
"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23BJvNtOuHHA.3796@xxxxxxxxxxxxxxxxxxxxxxx
I would still NOT create an additional tree...I would still go for "migrate
everything into the root domain"
Leaving the forest root of [abcd].ent allows me to create a tree of
[abc].com and still be able to manage the other domains in the forest
while creating new default domain policies and cleaning up dead records
in DNS.
it sounds like your environment needs a cleanup and you just want to
create a new domain to start from the beginning
you can also create a new OU structure with GPOs, delegation, etc in the
forest root domain and migrate the old OU structure in the forest root
domain to the new OU structure and migrate the child domains into the OU
structure
again, there is NO valid reason to create a new tree root and do what you
are saying
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Eric Darby" <eric@xxxxxxxxxxx> wrote in message
news:eZLsilLuHHA.3480@xxxxxxxxxxxxxxxxxxxxxxx
The current forest root uses a fqdn of [abcd].ent. I want to create a
new tree that will use [abc].com.
I need to do a staged demotion of the child domains as they are at remote
sites.
Leaving the forest root of [abcd].ent allows me to create a tree of
[abc].com and still be able to manage the other domains in the forest
while creating new default domain policies and cleaning up dead records
in DNS.
Also having the forest root will allow me to keep a DC/GC at our NOC
for disaster recovery purposes.
Make sense now? What would you recommend?
Make sense?
"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:udGtTGEuHHA.5036@xxxxxxxxxxxxxxxxxxxxxxx
explain WHY the additional root domain. what's the benefit? until now I
have not heard ANY benefit
"Eric Darby" <eric@xxxxxxxxxxx> wrote in message
news:OAaVnpDuHHA.768@xxxxxxxxxxxxxxxxxxxxxxx
Sorry if that isn't clear in my original post but that's what I plan to
do. I am leaving the forest root domain as a container. The new domain
tree will house OUs representing the domains. I will then use
user/group security and delegated permissions to manage the
environment.
"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:O5SgbCCuHHA.668@xxxxxxxxxxxxxxxxxxxxxxx
child domains DO NOT offer delegated security. Why? There is not much
difference between a domain admin in a child domain or in the forest
root domain, at least security wise
OK, so you have 17 child domains and one forest root domain. WHY do
you want to trade the 17 child domains with a new tree root domain?
IMHO, if you want to consolidate, move the contents of the child
domains into the forest root domain and delegate stuff at OU level
"Eric Darby" <eric@xxxxxxxxxxx> wrote in message
news:uJxZWR$tHHA.5036@xxxxxxxxxxxxxxxxxxxxxxx
So I inherited a forest that has 17 child domains, 1 for each
regional office. After reviewing the structure, this was done more
for delegated security and not for a need to have separated
structure.
I've decided to flatten the domain and was thinking that I would
create a new domain tree, leaving the forest root intact.
Subsequently, I would demote all of the child domains and join the
servers to the new tree reducing the number of DC/DNS servers.
Just curious as to opinions on whether it is necessary to keep the
forest root (will house primary/secondary DNS) and overall thoughts.
Thanks!
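
The thread describes a forest with one root and 17 child domains, around 40 accounts holding Enterprise rights, and widely shared domain admin passwords. The following is an added example, not part of the original thread, of a read-only inventory of privileged-group membership in every domain of a forest, useful as a baseline before consolidating into OUs or migrating to a new forest. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read every domain; the output file name is a placeholder.

```powershell
# Added example: list who holds Domain Admins in each domain of the forest,
# plus Enterprise Admins and Schema Admins in the forest root. Read-only.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    $sid    = $domain.DomainSID.Value

    # Well-known RIDs: 512 = Domain Admins (exists in every domain);
    # 519 = Enterprise Admins and 518 = Schema Admins (forest root only).
    $rids = @(512)
    if ($domainName -eq $forest.RootDomain) { $rids += 519, 518 }

    foreach ($rid in $rids) {
        # Look the group up by SID so renamed or localized groups are still found.
        $group = Get-ADGroup -Identity "$sid-$rid" -Server $domainName

        # -Recursive expands nested groups, so indirect members are listed too.
        $members = Get-ADGroupMember -Identity $group -Recursive -Server $domainName
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain = $domainName
                Group  = $group.Name
                Member = $m.SamAccountName
                Type   = $m.objectClass
                DN     = $m.distinguishedName
            }
        }
    }
}

# Head count per domain and group, largest first, then the full list for review.
$report | Group-Object Domain, Group | Sort-Object Count -Descending |
    Select-Object Count, Name
$report | Export-Csv -Path .\privileged-members.csv -NoTypeInformation  # placeholder path
```

Accounts that appear in several domains' Domain Admins groups, or in Enterprise Admins without a documented need, are the first candidates for removal when delegation is rebuilt at OU level.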