Thanks again. Yep, I figured the guide was aimed at larger groups. I just wanted to check out the "Cadillac" version and see what parts applied to us, if any. Frankly, one of the other things that made me sort of doubt the single-domain model was the number of posts on this list that say something like: "I have four domains and an empty root...."
 
Thanks again. I will KISS.
 
-- nme


From: Arthur Freyman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

You’re absolutely right. Although there is a fairly compelling argument which states that it is best security practice to turn off cached logons. Additionally, it somewhat limits the value of the ability to log on to the workstation if the user cannot perform their normal business functions, depending on what those may be. Of course it's better than nothing.

 

Arthur Freyman

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, October 12, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

 

Unless specifically turned off, your “disconnected” branch office user should still be able to log on using cached credentials. Of course, other network resources may not be available.

 

Mike Thommes
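The two replies above turn on one setting: whether a workstation keeps cached domain credentials so a user can sign in while no DC is reachable, and whether that caching should be disabled as a hardening measure. The following audit function is an added example, not code from the thread or from Microsoft; it reads the documented Winlogon value behind the "Interactive logon: Number of previous logons to cache" policy and reports whether a machine matches your standard. The `ExpectedCount` parameter (0 = caching disabled) and the function name are assumptions you adapt to your own policy.

```powershell
# Added example: audit the cached-logon setting discussed in the thread.
# Reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
# (REG_SZ holding a number, 0-50). 0 disables caching; Windows defaults to 10 when unset.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Assumption: what your security policy requires. 0 = no cached logons.
        [ValidateRange(0, 50)]
        [int]$ExpectedCount = 0,

        # Local machine by default; remote hosts need the Remote Registry service.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $subKeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Open HKLM on the target and read the raw value without modifying anything.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hive.OpenSubKey($subKeyPath)
        if ($null -eq $key) { throw "Winlogon key not found on $ComputerName" }
        $raw = $key.GetValue('CachedLogonsCount')
    }
    finally {
        $hive.Close()
    }

    # Absent value means the platform default of 10 applies.
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    # Plain-language consequence for the branch-office scenario in the thread.
    $note = if ($count -eq 0) {
        'Caching disabled: no domain sign-in possible while the WAN link to the DCs is down'
    } else {
        "Up to $count recent users can still sign in from cache when no DC is reachable"
    }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        CachedLogonsCount = $count
        CachingEnabled    = ($count -gt 0)
        Compliant         = ($count -eq $ExpectedCount)
        Note              = $note
    }
}

# Usage: check the local workstation against a "caching disabled" standard,
# or sweep a list of branch machines and keep only the non-compliant ones.
Get-CachedLogonPolicy -ExpectedCount 0 | Format-List
# 'BRANCH-PC01','BRANCH-PC02' | ForEach-Object { Get-CachedLogonPolicy -ComputerName $_ -ExpectedCount 0 } |
#     Where-Object { -not $_.Compliant }
```

If the audit shows drift, correct it through Group Policy rather than by writing the registry directly: the setting lives under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options as "Interactive logon: Number of previous logons to cache (in case domain controller is not available)". Running this across branch workstations before deciding whether to place DCs there makes the trade-off in the thread concrete: with caching disabled, a WAN outage means no sign-in at all.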

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arthur Freyman
Sent: Wednesday, October 12, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

 

I’ve had to grapple with this issue a number of times when I designed AD implementations. It is basically an argument of a centralized vs. distributed model. There are obvious pros and cons to each approach, but ultimately it comes down to reliability and speed of links to your branch offices. You could improve your management and security by not having DCs in the branch offices, but you have to realize that if the link is down, your branch office people won’t be able to log in. This could be a particularly significant factor if you implemented single sign-on and you depend on AD for access to other applications. You should perhaps look at statistics of downtime for your WAN links and see if you can put up with branch offices being down for that period of time.

 

 

Arthur Freyman

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Design Question

 

That's a good question on the number of domains in the Branch Office Guide -- it seems to be overkill unless they all have separate and independent IT departments, or if there is a requirement for a separate password policy or something else bizarre. I suppose you could deploy a DC to each branch, especially if you have a slow, unreliable WAN link such as a fractional T-1 to each location, and with 10 branches you should be OK using 10 extra DCs.

 

Regards,

 

Chuck Gafford

Systems Architect

 

Unisys

Imagine It.  Done.

 


-----Original Message-----
From: Noah Eiger <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 11:49:43 -0700
Subject: RE: [ActiveDir] Design Question

Thanks, all. Good to see confirmation of the few-domains-as-possible concept.

 

Yes, I was planning to deploy a DC to each branch. Some are not as physically secure as I would like, though I realize that security is somewhat a function both of access and intent. I don't see a lot of the latter -- but maybe that is what we all thought on September 10. Does that change the model?

 

-- nme

 

P.S. Why does MS still recommend so many domains in the Branch Office Guide? Is it for replication load?

 


From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

The same reasons apply to this situation as those of a much larger organization: deploy multiple domains if you need x, y, and z functionality.  Otherwise try to keep it to fewer domains.

 

Are there any compelling reasons to deploy multiple domains? Are you going to deploy a DC to each branch office?

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 12, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Design Question

Hi -

 

I am designing a new domain structure that will have an HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc., etc., etc. all say to try to limit yourself to a single domain if possible.

 

My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root?

 

Thanks.

 

-- nme
