I view number 1 security issues more at the GPO level than the resource level. Password and lockout policies on accounts.
For example in my environment (public school) I could make a case that teachers need a strong password policy and a quick lockout while the students do not (and should not, because they typo passwords so often). We don't do that and only have a single domain, but it is a valid example. I could only get the above with teachers in one domain and students in another. But that is a case for two domains, not the empty root domain that it seems the OP is being pushed towards.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Wednesday, April 26, 2006 10:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Root Place Holder justification
>
> Number "1" of these really drives me nuts and at this point I usually start shouting. As domains do NOT limit resource access, i.e. users in Domain "A" can access resources in domain "B" (in fact that's the usual reason for having trusts between domains) and the other way round, how can you justify different security requirements? They are in effect both securing the same objects.
>
> Number "2" tends to become irrelevant if you have Exchange because that stuffs everything back into the GC that the AD designers took out, and you really need GCs everywhere.
>
> Number "3" => Is a good reason to start rationalizing.
>
> Having said that, when I worked for Compaq I produced a number of designs with an Empty Root and, as others have said, these were always passed by both Microsoft and Andersen Consulting as they were then. Personally I would like to see the business benefit that all those extra DCs deliver. (That is business benefit to the customer, not to the server supplier and Microsoft.)
>
> Dave.
>
> P.S. Please note the above are my personal views and not those of Stockport Council.
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> > Sent: 26 April 2006 14:56
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Root Place Holder justification
> >
> > Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?
> >
> > There are only three reasons to have one, imho.... (cut and pasted from a google search)
> >
> > 1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
> > 2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56 kbps, the domain should have no more than 100,000 users).
> > 3. Because you inherit a multiple domain setup.
> >
> > I question number three myself. I would rather clean it up than continue with a past decision, but I guess that depends upon the impact to operations and the complexity of consolidation.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > > Sent: Wednesday, April 26, 2006 9:37 AM
> > > To: ActiveDir.org
> > > Subject: [ActiveDir] Root Place Holder justification
> > >
> > > Does anyone have any official documentation as to the justification for a root place holder, pros and cons?
> > >
> > > Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.
> > >
> > > I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs.
> > >
> > > I have searched this list and can find no relevant articles.
> > >
> > > Many thanks
> > >
> > > Regards
> > >
> > > Mark
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
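An added example, not written by any of the posters above: in a current domain the teacher/student split described at the top of this message can be checked per account, because fine-grained password policies (Windows Server 2008 and later, not available when this thread was written) let one domain carry several password and lockout policies. It assumes the ActiveDirectory PowerShell module and read access to the domain; the two account names are placeholders.

```powershell
# Added example, not from the thread. Shows, per account, which password and
# lockout policy actually applies within one domain: a fine-grained password
# policy (PSO) if one wins for the user, otherwise the domain-wide default.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Get-EffectiveAccountPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName

    # Resultant PSO for the user (lowest Precedence wins); returns nothing when
    # no PSO applies, in which case the Default Domain Policy settings are in effect.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $policy = $pso
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    [pscustomobject]@{
        Account                  = $user.SamAccountName
        Source                   = $source
        MinPasswordLength        = $policy.MinPasswordLength
        ComplexityEnabled        = $policy.ComplexityEnabled
        MaxPasswordAge           = $policy.MaxPasswordAge
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutDuration          = $policy.LockoutDuration
        LockoutObservationWindow = $policy.LockoutObservationWindow
    }
}

# Placeholder account names (one teacher, one student); replace with real
# sAMAccountNames. If both rows report 'Default Domain Policy' with identical
# values, the domain carries a single policy for everyone, as in 2006.
'teacher.placeholder', 'student.placeholder' |
    ForEach-Object { Get-EffectiveAccountPolicy -SamAccountName $_ } |
    Format-Table -AutoSize
```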