We are at about the same point in a migration that involves several state
agencies.  It is extremely important that those pressing for a separate
forest understand the reasons for doing so.  In our environment the issues
are:
1.  Administrative trust (a forest root is administrated from a single
point, and the enterprise administrators have authority throughout the
forest), and
2.  The nature of a domain (or tree of domains) within a forest as a
security perimeter.  So far, it appears that a forest has the same security
perimeter as an NT40 domain, while a W2K domain in a forest has a less
robust security perimeter than an independent forest or an NT40 domain.

There are definitely more administrative costs associated with
administrating multiple forests than for administrating a single
forest/single root.

Here are a couple of links that discuss the security issues:

The Aelita white paper in HTML format is here:
<http://www.w2knews.com/rd/rd.cfm?id=020211TP-Aelita_WhitePaper&mid=1182233372458956>

A white paper from Microsoft:
http://www.microsoft.com/WINDOWS2000/techinfo/planning/activedirectory/addeladmin.asp

Bob Griesel
OFM Information Services


-----Original Message-----
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 2:31 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] 


We have designed our AD Structure and are about to start migration.  We have
some companies that are pressing really, really hard to create their own
forest.  Our design is for one forest with multiple trees.  We can create
trusts for these forests, and use MMS, but want to discourage the companies
from creating their separate forest.  I know the cost from the technical and
Microsoft standpoint.  I wanted to get feedback from the ones that actually
use separate forests and the problems you have encountered and the
unexpected costs.  Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/