Well I didn't say I don't see the benefit of an empty root. I just don't see it as a generic best practice. Sometimes it makes a ton of sense, sometimes someone needs to be slapped for bringing it up. ;o)
  
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root “as best practice” for a divestiture we’re doing.  Like Gil and Joe, I really don’t see the benefit (nor could the consultant name anything specifically).

 

We have a single domain and delegate OU rights based basically on an administrative team’s need to manage a group of resources, typically computers.  Users, groups and Exchange are managed centrally.  Moving things around within one domain is a whole lot easier than among domains.

 

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

 

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

 

For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

 

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

 

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

 

But, "it depends".

 

-gil

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol best practices. :)

 

What is recommended? Whatever is best for the customer of course.

 

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive.

 

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

 

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one.  What’s recommended?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

 

You want to look at a couple of main points

 

1. How do you plan to delegate the permisisons, I.E. the groupings of machines, users, etc.

2. How do you play to do GPOs if at all.

3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

 

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.

 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We’re in the process of consolidating 21 child domains into just one and one root.  We want to separate the divisions (domains) into different OUs.  Is there a guide or best practice out there on delegating admin permissions on OUs?  Also, we’ve got Exchange permissions to deal with too.

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 


__________________________________
This message and any attachments are solely for the intended
recipient and may contain confidential or privileged information.
If you are not the intended recipient, any disclosure, copying, use
or distribution of the information included in the message and any
attachments is prohibited. If you have received this communication
in error, please notify us by reply e-mail and immediately and
permanently delete this message and any attachments. Thank You.

Reply via email to