Guido,

 

My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time.....but....if I could do it again today, blah, blah".

 

I think the decisions that would use this model today will most likely stem from political and administrative decisions, whereas earlier the infrastructure had a larger impact on such a design.

 

If only there was the do over button..:)

 

J


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 17:08:31 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

> I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making
> the bold statement of considering collapsing them all into a single domain. 
 
There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, 26 April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available.   Other than security, legacy, and most importantly political issues,  for most a single domain should be considered.

 

Where I am, we have 3 domains in a single forest, with one being a root domain.   I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain.   Though I suspect I would be lynched. :(

 

We have over 160 sites, and around 150k users within 2 domains, with the slowest link today around 256k link to departmental sites (50< users). 

 

The security requirements are the same throughout all domains, and I believe the 2 domains exist for political reasons that fortunately are fading away. Many bad policies and practices grew from one decision to keep things separate.

 

Of course your company's policies and practices for managing the domain globally go a huge way into that consideration. Issues such as account provisioning, group management, and replication convergence times could impact the business if the infrastructure impact is not understood.

 

If I had a magic wand....I'd wish for a single domain. :)  

 

Jef


> Subject: RE: [ActiveDir] Root Place Holder justification
> Date: Wed, 26 Apr 2006 09:56:04 -0400
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
>
> Your subject is your answer. They need to justify a root domain. Is
> there an actual reason for it?
>
> There are only three reasons to have one, imho....(cut and pasted from a
> google search)
>
> 1. Security requirements are different (password, lockout, and Kerberos
> policies must be applied at the domain level).
> 2. To control/limit replication (but note the recommendations for number
> of objects in a domain with slow links - if the slowest link is 56 kbps,
> the domain should have no more than 100,000 users).
> 3. Because you inherit a multiple domain setup. 
>
> I question number three myself. I would rather clean it up than continue
> with a past decision but I guess that depends upon the impact to
> operations and the complexity of consolidation.
>
>  
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Wednesday, April 26, 2006 9:37 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] Root Place Holder justification
> > 
> > Does anyone have any official documentation as to the 
> > justification for a root place holder, pros and cons?
> > 
> > Where I am - I have started at one domain and can see no 
> > reason to expand on that - they only have 6 DCs now in a 
> > single domain - yet the partner they have chosen is 
> > recommending a root place holder with 5 DCs and then 8 in the 
> > child domain (they are NOT even supplying the tin) and I 
> > wanted some decent ammo - a little bit stronger than schema 
> > and Ent admin separation.
> > 
> > I know at DEC the consensus was the desire to eliminate and I 
> > believe Guido and Wook have stated this for the past two DECs
> > 
> > I have searched this list and can find no relevant articles.
> > 
> > Many thanks
> > 
> > Regards
> > 
> > Mark
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 


