Well I didn't say I don't see the benefit of an empty root.
I just don't see it as a generic best practice. Sometimes it makes a ton of
sense, sometimes someone needs to be slapped for bringing it up.
;o)
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a
consultant recommend an empty root “as best practice” for a divestiture we’re
doing. Like Gil and Joe, I really don’t see the benefit (nor could the
consultant name anything specifically). We have a single domain
and delegate OU rights based basically on an administrative team’s need to
manage a group of resources, typically computers. Users, groups and
Exchange are managed centrally. Moving things around within one domain is
a whole lot easier than among domains.

Al Maurer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick

As joe says, "it
depends". AD architecture is always a cost/benefit discussion, and most people
don't really understand 1) the real benefits of multiple domains, and 2) the
additional costs of running multiple domains.

For instance, "additional security" is often cited as a benefit of an empty root. An empty
root maybe provides a little additional security, but not much. The benefit
depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is considerably higher
than a single domain forest. Additional hardware costs, additional diagnostic
complexity, and a more complicated DR situation all add to the costs of running
multiple domains.

My general recommendation is to stick with a single domain if you can, and add
additional domains if you need to for password policy or controlling
replication traffic. And if you find you have to have multiple domains
anyway, use an empty root, because the incremental cost of an additional domain
if you already have more than one is pretty small. But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Ah good ol best
practices. :)

What is recommended? Whatever is best for the customer of course.

I guess my question is
why one domain and one root versus just one domain? What is the purpose of the
root? I am not saying this is bad by any stretch, there are good valid reasons
for a root with other domains hanging off of it. Just curious what the decision
flow was like to do it. Hopefully it wasn't something along the lines of reading
"an empty root" is good somewhere and going for it as it is totally context
sensitive.

I would say the overall
design goal, especially when Exchange is involved is to use a single domain
forest. However, if there is a good reason to add more domains, do it. Usually
when someone says they have a domain and a root they mean they have a domain and
an EMPTY root and I wonder about how the decision was arrived at.

We have had this
discussion previously on the list where some people are gung ho empty root and
some people are gung ho no-empty root and both pointing at best practices. I am
more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Well, I just thought it
would be best practice to consolidate multiple domains to one. What’s
recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

You want to look at a couple of main points:

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.
2. How do you plan to do GPOs, if at all.
3. How is the administration really going to work. For instance, if you use a provisioning
system for managing users (highly recommended) you don't generally want to
delegate those to local OU admins but instead keep them in a main OU that the
provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious
for the reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

We’re in the process of
consolidating 21 child domains into just one and one root. We want to
separate the divisions (domains) into different OUs. Is there a guide or
best practice out there on delegating admin permissions on OUs? Also,
we’ve got Exchange permissions to deal with too.

Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469