RE: [ActiveDir] Planning for the future

2006-07-13 Thread Larry Wahlers
Many thanks, everybody. The "big meeting" is today at 1:30 CDT. The
determining factor, I believe, will probably be cost right now. So, we
will probably follow the advice of some folks here and just make them an
OU. If they get sold, we'll get the buyers to pay for the migration :)
But, of course, I don't decide those things. The players at the meeting
do.

Thanks again for your assistance, folks.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Planning for the future

2006-07-13 Thread Deji Akomolafe



A separate forest for a 30-user environment that may (or may not) be sold at some point in the future? What would that give you -except unneeded complications, over-engineering and heart burns? Just dump the objects into an OU and be done with it. If you end up selling that entity later, you've only got 30 (or maybe 50 now) users to migrate.
 


Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Paul Williams
Sent: Thu 7/13/2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Planning for the future

If you create a new domain in your forest for this requirement, and in the 
future they are bought by another company, then your only supported option 
is to migrate to the new or existing forest on the other side.

It is probably easier, and safer, to create a new forest with an external 
trust.  When they are then sold, you simply agree a date and time when the 
trust is severed and the comms equipment decommissioned.


--Paul

- Original Message - 
From: "Larry Wahlers" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, July 12, 2006 6:18 PM
Subject: [ActiveDir] Planning for the future


> Esteemed colleagues,
>
> We have a radio station that is currently part of our denomination that
> we want to finally put on our network. They are located about 20 miles
> from our headquarters. However, there has been talk for many, many years
> about selling off this radio station, but that hasn't come to pass yet.
>
> My question is, if we put them in their own domain in our existing
> forest, would that make it easier to get them into their own forest if
> they should some day no longer be a part of us? If not, what's the best
> way to plan for a possible future in which these 30 people might no
> longer be working for us?
>
> Many thanks in advance.
>
> -- 
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876



Re: [ActiveDir] Planning for the future

2006-07-13 Thread Paul Williams
If you create a new domain in your forest for this requirement, and in the 
future they are bought by another company, then your only supported option 
is to migrate to the new or existing forest on the other side.


It is probably easier, and safer, to create a new forest with an external 
trust.  When they are then sold, you simply agree a date and time when the 
trust is severed and the comms equipment decommissioned.



--Paul

- Original Message - 
From: "Larry Wahlers" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, July 12, 2006 6:18 PM
Subject: [ActiveDir] Planning for the future



Esteemed colleagues,

We have a radio station that is currently part of our denomination that
we want to finally put on our network. They are located about 20 miles
from our headquarters. However, there has been talk for many, many years
about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing
forest, would that make it easier to get them into their own forest if
they should some day no longer be a part of us? If not, what's the best
way to plan for a possible future in which these 30 people might no
longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


Re: [ActiveDir] Planning for the future

2006-07-12 Thread Al Mulnick
I can respect that.  And I agree with some of that logic to an extent.  I don't find migrations to be terribly complex, but I have to question what you're really migrating with 30 users. Email? Nope, that was held by the parent company.  I need to get a PST (easily done with tools readily available that drops them into PST files nice and neat). Security principals? For what? What exactly are you going to access when you sever the ties? Do you have a file server? Hmm... again, a migration is pretty easy and well documented and for thirty users is a few hours' work. Not much more or less than you'd likely spend unhooking the data and systems for the cast off if you went with multiple forests.  In the meantime you have integration issues (Exchange would be particularly difficult to deal with in that environment leading me to my thoughts of migration later vs. separate forests now) and you likely have given access to other shared resources to the users while they were part of the company.  Otherwise, why bother with the trusts at all? DNS is a PITA and the worst part is that nobody ever pays as much attention to the other forest or the DNS after you've moved on and been promoted or reassigned to some other project.

In my experience, the times I've seen this approach it was worse operationally than I believe it should be. They were still the red-headed step children and received very little benefit from being joined in the first place.  This was after walking into sites that had gone this route and then seeing it years after the decisions.  Similar thinking was used to get there, but the people that made the decisions were long long gone. 
 
For all of that, I think it best to keep them part of the organization and not worry about three years down the road for what the business *might* do.  If that time comes, deal with it as a migration/divestiture vs. a separate forest that you've been running for them. I think that results in lowered cost, better service and not much more difficulty divesting later than if you had given them a separate forest.

 
 
 
On 7/12/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:

I guess it really comes down to one thing:

What does your employer want?

If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go.  If they want to save money now, then just build some OUs and go that direction.

Make sure that they know the differences though:

Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the user's former profiles.  'Give them their e-mail' might sound really nice if you don't care about them either.  Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange).  Going with an OU to handle the computers and users is easy now, but it's not pretty or simple.  Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.

I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization.

My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.


On 7/12/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: 
 
You are asking about a configuration for something that "might" happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.

Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become.  If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been.  If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries.  But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done.  30 users is too small

Re: [ActiveDir] Planning for the future

2006-07-12 Thread Matt Hargraves
I guess it really comes down to one thing:

What does your employer want?

If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go.  If they want to save money now, then just build some OUs and go that direction.

Make sure that they know the differences though:

Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the user's former profiles.  'Give them their e-mail' might sound really nice if you don't care about them either.  Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange).  Going with an OU to handle the computers and users is easy now, but it's not pretty or simple.  Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.

I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization.

My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.

On 7/12/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: 
 
You are asking about a configuration for something that "might" happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.

Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become.  If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been.  If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries.  But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done.  30 users is too small a number in my opinion to want to worry about separate forests etc.
 
On 7/12/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

an OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.





Re: [ActiveDir] Planning for the future

2006-07-12 Thread Al Mulnick
I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: 
 
You are asking about a configuration for something that "might" happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them.

Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become.  If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been.  If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries.  But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done.  30 users is too small a number in my opinion to want to worry about separate forests etc.
 
On 7/12/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

an OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



RE: [ActiveDir] Planning for the future

2006-07-12 Thread Almeida Pinto, Jorge de
an OU with the objects needed for those people (users, groups, computers) would 
be enough. Imagine a domain with at least 2 DCs for just 30 people with no 
special requirements while other domain(s) exist
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :



From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future



Esteemed colleagues,

We have a radio station that is currently part of our denomination that
we want to finally put on our network. They are located about 20 miles
from our headquarters. However, there has been talk for many, many years
about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing
forest, would that make it easier to get them into their own forest if
they should some day no longer be a part of us? If not, what's the best
way to plan for a possible future in which these 30 people might no
longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

Re: [ActiveDir] Planning for the future

2006-07-12 Thread Matt Hargraves
Independent forest, trust relationship.

On 7/12/06, Larry Wahlers <[EMAIL PROTECTED]> wrote:

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876