I'd actually have to say that this is a battle worth
fighting because people would try to see something in AD which they shouldn't
=> a separate tree should certainly not be used simply to put an
organisational structure in place which is negative to the business in the
longrun. Neither applications which are deployed forest-wide nor the
stakeholders who are currently voting for a multi tree forest are really
gaining any added value out of this structure - all it does is looking good on
paper or a presentation-slide showing some sort of seggregation which doesn't
really exist.
As joe very well points out, there are basically no
benefits for the end-user (who couldn't care less about the name anyways) and
you'd merely have even more administrative burdon on those who have the
responsibility to keep your AD forest running.
So if you can't win the fight to keep everything in a
single domain (which more than anything else should be the first goal), I'd at
least put in the extra effort to keep all domains in a single domain tree in a
forest. Certainly a battle worth fighting.
Even better, go for a single domain and do everything via
OU structures - I've not found many good arguments recently NOT to use a
single domain.
A rare reason I did just have recently and had no argument
against was the technical neccessity to have the same logonnames
(samAccountName) for different regions of an outsourcer, due to some legacy
dependencies to a regionally split host system which used these names.
Won't go into details here, but this did actually require multiple domains
although the customer would have loved to make it all work in a single
one...
/Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sonntag, 31. Juli 2005 17:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Multiple Domain Trees in a Single Forest Joe said: “WHY??? What do you feel
the benefit is?” In my experience, it’s been not what
*I* think the benefit is – it’s
more about what management WANTED for reason A, or reason B, or whatever whacked
business justification that they had. I’m not much into creating trees for
the heck of it. However, it does interest me to a) keep my job b) try to
convince people that this is purely a business decision, and technically I can
provide an invisible ‘separation’ if that’s what they
want. However, as in all business – there
is a time to make a decision. Fight or not. In the cases that I’ve
had to implement additional trees, I’ve allowed it to happen because it wasn’t a
battle worth fighting. However, I pushed to get the tree merged back into
the main tree as time and emotions settled. Sometimes, joe – the only benefit of
doing something that you don’t find palatable is because it’s not technically
bad enough to warrant the fight that will ensue. Rick From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe I seriously dislike
multi-tree forests. They tend to confuse support admins and some programs just
aren't written properly for them and break. For instance I have the domain
joe.com, what is the DN for my configuration container? Well you would like to
assume cn=configuration,dc=joe,dc=com, however, you look at the rootdse and see
that it is actually cn=configuration,dc=someotherdomainname,dc=local. A properly
written program or script will work fine with either but that is a hell of an
assumption, I still run across scripts and programs that try to parse the
domains out to figure out DNs. When you bring in new people to work on your
environment, it is silly to have to train them on such silly decisions as it is
one more thing that they have to keep in mind that is special for your
company. The main question I
like to ask people when they propose a multiple tree forest structure[1] is
WHY??? What do you feel the benefit is? It has nothing to do with your email
address. It has nothing to do with your userPrincipalName for logon. NetBIOS
names can be A whether you have A.root.com or A.com. So what, besides
making your support staff have to work harder and recall special things is the
purpose behind having multiple trees? On the LDAP searching
part. I have seen programs that assume that the forest root DN is where you can
base a GC search and get everything in the forest. This is of course incorrect
and can cause failures in multi-tree forests. This is easily corrected by using
the null base for the full forest search. Every time I have
encountered a desire for a multitree forest it has been the result of political
infighting or an architect that really doesn't understand the product and thinks
they are getting something that they aren't. I had one guy once tell me that any
admin at the top of a domain tree automatically had full admin rights on every
domain in the tree hierarchy... I actually had to get up and walk out of the
room for a moment to decide if I really wanted to get too involved with that
deployment because heaven knows what other decisions were made on knowledge that
was also that wrong. Instead of working out implementation details, it required
a complete review of the entire architecture and to understand the end goals. A
completely different thing than what I was there
for.
joe [1] Which this is, a
disjoint namespace is a different thing. You can have two different disjoints in
the name space. The first is between the NetBIOS and DNS names of the domain -
say the domain joe.com has a NetBIOS name of UncleBob. The second is on the DNS
Suffixes used on the clients. For instance a client of bob in the domain joe.com
would normally have a FQDN of bob.joe.com but in a DNS Suffix disjoint could
have something like bob.sanfran.cali.joe.com or even
bob.somethingelse.local. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of
[EMAIL PROTECTED] Hello
All, Looking to decide on
an AD domain structure Thanks! Rob |
- RE: [ActiveDir] Multiple Domain Trees in a Singl... Grillenmeier, Guido
- RE: [ActiveDir] Multiple Domain Trees in a ... Myrick, Todd (NIH/CC/DNA)
- RE: [ActiveDir] Multiple Domain Trees in a ... joe
- RE: [ActiveDir] Multiple Domain Trees in a ... Myrick, Todd (NIH/CC/DNA)
- RE: [ActiveDir] Multiple Domain Trees in a ... al_maurer
- RE: [ActiveDir] Multiple Domain Trees in a ... Al Mulnick
- RE: [ActiveDir] Multiple Domain Trees in a ... Al Mulnick