as long as you understand that this won't hinder domain admins from
changing things in the _msdcs.forestrootdomain.com DNS zone, then you
could go down this path and consider it an "obstacle". If you don't
trust your child DAs to handle forest-wide config data, then they
shouldn't be DAs - by using the local system account on the DC they'll
always have write access to the app partition.
However, if you still want to secure the _msdcs.forestrootdomain.com DNS
zone without write-access for any child DA, then I'd suggest to leave it
hosted only on root domain DCs.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Dienstag, 6. September 2005 12:59
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegating access to zone data stored in an app
partition
Scenario:
Single forest, with a placeholder root domain and 4 regional, child
domains
Single group responsible for "forest operations" and each regional
domain has their own domain admins for domain-wide tasks
Requirement:
Place _msdcs.forestrootdomain.com in a forest wide ADP but do not allow
access to that data from regional domain admins. Allow root domain DAs
and EAs access only.
Has anyone ever considered or implemented such a design?
Any supportability comments from Microsoft?
Thanks,
neil
---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete
your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication
and
Nomura International plc ('NIplc') will not, to the extent permitted by
law,
accept responsibility or liability for (a) the accuracy or completeness
of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of
this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely
those of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised
and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
