As joe says, "it depends". AD architecture is always a
cost/benefit discussion, and most people don't really understand 1) the real
benefits of multiple domains, and 2) the additional costs of running multiple
domains.
For instance, "additional security" is often cited as a
benefit of an empty root. An empty root maybe provides a little additional
security, but not much. The benefit depends on your own risk
evaluation.
On the other hand, the ongoing operational cost of a two
domain forest is considerably higher than a single domain forest.
Additional hardware costs, additional diagnostic complexity, and a more
complicated DR situation all add to the costs of running multiple
domains.
My general recommendation is to stick with a
single domain if you can, and add additional domains if you need to for password
policy or controlling replication traffic. And if you find you have to have
multiple domains anyway, use an empty root, because the incremental cost of an
additional domain if you already have more than one is pretty
small.
But, "it depends".
-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol best practices. :)
What is recommended? Whatever is best for the customer of
course.
I guess my question is why one domain and one root versus
just one domain? What is the purpose of the root? I am not saying this is bad by
any stretch, there are good valid reasons for a root with other domains hanging
off of it. Just curious what the decision flow was like to do it. Hopefully it
wasn't something along the lines of reading "an empty root" is good somewhere
and going for it as it is totally context sensitive.
I would say the overall design goal, especially when
Exchange is involved, is to use a single domain forest. However, if there is a
good reason to add more domains, do it. Usually when someone says they have a
domain and a root they mean they have a domain and an EMPTY root and I wonder
about how the decision was arrived at.
We have had this discussion previously on the list where
some people are gung ho empty root and some people are gung ho no-empty root and
both pointing at best practices. I am more of the does it make sense in this
specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What’s recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

You want to look at a couple of main points

1. How do you plan to delegate the permissions, I.E. the groupings of machines, users, etc.
2. How do you plan to do GPOs if at all.
3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

We’re in the process of consolidating 21 child domains into just one and one root. We want to separate the divisions (domains) into different OUs. Is there a guide or best practice out there on delegating admin permissions on OUs? Also, we’ve got Exchange permissions to deal with too.

Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469