The problem I always had with the idea of tighter security for a root domain for admins is that it doesn't always flow down correctly for all tasks in the child domains.

I.e.

You have your Admins in the ROOT domain, which has a tighter security policy than your child domain. Yet you can't place these users in the Domain Admins group of the child domain since it is a global group and is not accepting users from the root domain.

You can place the users in the Administrators group, but this does not get you everything in the child domain since most things are ACL'd by Domain Admins by default and not the domain's Administrators group.

So you can use these Admins with a tighter security policy to do actions that are 90% of the job because they are Administrators, but for that extra 10% you would need a child domain account without the higher security policy in the Domain Admins group.

Of course this can all be done using different ACLs and task groups and what not, but is there a simpler way that I am missing?

Jef

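One way to measure the "extra 10%" Jef describes, as an added example that is not part of this thread: it parses SDDL DACL strings of the kind Get-Acl returns for child-domain objects and lists, per object, the rights granted to the child's Domain Admins that BUILTIN\Administrators lacks. The DNs and DACLs are constructed samples; DA and BA are the standard SDDL well-known-SID aliases, and on a real export the trustees may appear as S-1-5-21-...-512 and S-1-5-32-544 instead.

```python
"""Added example: rights a child domain's Domain Admins group holds on an object
that BUILTIN\\Administrators does not, computed from SDDL DACL strings.
All DNs and DACLs below are constructed samples, not data from a real domain."""
import re

# Standard SDDL well-known-SID aliases used by the constructed samples.
DA = "DA"  # <child>\Domain Admins, RID 512: a global group, child-domain members only
BA = "BA"  # BUILTIN\Administrators, S-1-5-32-544: can hold root-domain accounts

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights_string, trustee) for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [(t, rights, sid) for t, _, rights, _, _, sid in ACE_RE.findall(m.group(1))]


def rights_for(sddl, trustee):
    """Union of access-allowed rights (two-letter SDDL codes) for one trustee.
    Deny ACEs, inheritance flags and object-specific GUIDs are ignored here."""
    rights = set()
    for ace_type, r, sid in parse_dacl(sddl):
        if ace_type == "A" and sid == trustee:
            if r.startswith("0x"):
                raise ValueError("hex access masks are not handled in this example")
            rights.update(r[i:i + 2] for i in range(0, len(r), 2))
    return rights


def admin_rights_gap(acls):
    """Map DN -> sorted rights DA holds that BA lacks. GA (generic all) for BA
    means no gap; objects without a gap are omitted from the result."""
    gap = {}
    for dn, sddl in acls.items():
        da, ba = rights_for(sddl, DA), rights_for(sddl, BA)
        if "GA" in ba:
            continue
        missing = sorted(da - ba)
        if missing:
            gap[dn] = missing
    return gap


# Constructed samples: DA has full control everywhere, BA only on the first OU.
SAMPLE_ACLS = {
    "OU=Servers,DC=child,DC=example": "D:(A;;GA;;;DA)(A;;GA;;;BA)",
    "OU=Workstations,DC=child,DC=example": "D:(A;;GA;;;DA)(A;;LCRPLORC;;;BA)",
    "CN=Example,CN=System,DC=child,DC=example": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRP;;;BA)",
}

if __name__ == "__main__":
    for dn, missing in admin_rights_gap(SAMPLE_ACLS).items():
        print(dn, "->", " ".join(missing))
```

Feeding the output of `(Get-Acl "AD:\<dn>").Sddl` for each object of interest into `SAMPLE_ACLS` gives the list of places where a root-domain account sitting in the child's Administrators group would still be blocked.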
> Subject: RE: [ActiveDir] Root Place Holder justification
> Date: Wed, 26 Apr 2006 16:03:13 +0200
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
> To have an empty forest root domain or not... (things I just thought of)
>
> POSSIBLES FOR "TO HAVE":
>
> * Large, complex and dynamic organizations
> * Organization with independent departments and decentralized IT departments (because of this, one or more IT departments does not accept the other as being the forest root domain)
> * Wish to have a forest root domain that is department/region/location independent (incl. its name) (better possibilities to transfer ownership and better resistant to organizational changes)
> * Stronger security policies for admin accounts
>
> POSSIBLES FOR "NOT TO HAVE":
>
> * Organization with a centralized IT department
> * Static organizations
> * Additional costs and hardware
>
> You could have a look at the Windows Server System Reference Architecture --> http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx
> Directory Services Guide --> http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true (search for the section called "Forest Root Design")
>
> my 2 cents
>  
> cheers,
> jorge
>  
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>  
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel    : +31-(0)40-29.57.777
> Mobile : +31-(0)6-26.26.62.80
> E-mail : <see sender address>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mark Parris
> Sent: Wed 2006-04-26 15:36
> To: ActiveDir.org
> Subject: [ActiveDir] Root Place Holder justification
>
>
>
> Does anyone have any official documentation as to the justification for a root placeholder, pros and cons?
>
> Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root placeholder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.
>
> I know at DEC the consensus was the desire to eliminate, and I believe Guido and Wook have stated this for the past two DECs.
>
> I have searched this list and can find no relevant articles.
>
> Many thanks
>
> Regards
>
> Mark
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
