OK so unless you have *really* slow links between sites in various domains and a large AD database and need to not have GCs in certain locations as a result, just use all uni groups. All your DCs should be GCs as well baring my caveats there.
Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 From: David Lum [mailto:david....@nwea.org] Sent: Thursday, April 08, 2010 8:30 AM To: NT System Admin Issues Subject: RE: AD group types Two forests, three domains. Forest 1 has two domains...100% of our users are in Forest1\DomainB. Forest 2 is our COLO forest and there are accounts there but none are unique users (same physical users have Forest 1\DomainB accounts as well), mostly exists to have a trust with Forest2\ Domain B. Dave From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Thursday, April 08, 2010 7:54 AM To: NT System Admin Issues Subject: RE: AD group types How many domains do you have? Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 From: David Lum [mailto:david....@nwea.org] Sent: Wednesday, April 07, 2010 11:14 AM To: NT System Admin Issues Subject: AD group types I'm trying to come up with guidelines for me Service Desk guys when creating group accounts. When to use Domain Local is easy, I'm less sure about when we should use Global vs. Universal. Distribution lists need to be Universal, but is there any reason in a mid-sized environment to use Global groups at all? I'm wondering if we can get away with just Domain Local and Universal groups. I have a good idea what the difference between the two groups are, I'm just not sure when I should use Global instead of Universal. I know Universal group info goes to the GC and there's some traffic involved, but with 2003 FF level it should be minimal. All comments welcome. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
