RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-13 Thread Roger Seielstad
 I would disagree with the point that you need to be Domain Admin in order to
 administer servers in a domain. This is not true - I would strongly
 recommend against granting Domain Admin to a server administrator in a
 domain solely for that purpose. The user only needs to be an Administrator
 of that server - this is not the same as, nor does it require, Domain Admin
 privilege. This can be done with a GPO which adds a particular server admin
 group to the local admin group on the relevant server.

I completely agree. But I've also seen enough environments in which that's
not done, that I prefer to err on the side of caution and assume that people
will ultimately end up in the DA group, regardless of other options.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Ben Machin [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 2:44 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 I would disagree with the point that you need to be Domain Admin in order to
 administer servers in a domain. This is not true - I would strongly
 recommend against granting Domain Admin to a server administrator in a
 domain solely for that purpose. The user only needs to be an Administrator
 of that server - this is not the same as, nor does it require, Domain Admin
 privilege. This can be done with a GPO which adds a particular server admin
 group to the local admin group on the relevant server.
 
 I would however still agree with the point that an empty root should be as
 empty as possible. As above, to keep rights at a minimum requires a
 significant admin overhead which could easily be overlooked, compromising the
 security of the root domain.
 
 my 2p worth...
 
 
 - Original Message -
 From: Roger Seielstad [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, December 11, 2002 6:23 PM
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
  The point which I believe you're missing is that manageability of servers
  within that domain generally means that the group of people managing servers
  in that domain requires domain level admin rights, which obviates the
  security benefits of the empty root.

  The concept behind the empty root is to provide a container for the schema
  and forest structure - nothing else. By putting anything other than what is
  required to meet those needs, it's no longer an empty root.
 
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
 
 
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, December 11, 2002 12:46 PM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  
   Not really. You can have an Exchange server in an empty root that only has
   accounts on it from child domains. Meaning that all user accounts are in
   the child domains, so you still only have the Administrator group in the
   forest root. Plus if you create one more account as the account you use to
   do all your admin work and have all services run as in the forest root then
   you only have two accounts, Administrator and the new account.

   An empty root only means that there are no users maintained in that domain
   context. You can have servers in the forest root such as Application
   servers or File servers and even Exchange Servers without running the risk
   of having your AD Security compromised. You specifically grant child domain
   user account access to folders or mailboxes. You are not granting them, nor
   would you, access to the AD Contexts or to any administrative functions in
   the root.
  
   Justin A. Salandra, MCSE
   Senior Network Engineer
   Catholic Healthcare System
   914.681.8117 office
   646.483.3325 cell
   [EMAIL PROTECTED]
  
-Original Message-
   From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, December 11, 2002 12:44 PM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
   No it doesn't. It's empty for security reasons, not for anything else. By
   putting any services within the domain, it voids the protections offered by
   the empty root - specifically preventing changes to the Enterprise Admins
   and Schema Admins groups.

   In the last 2 empty root deployments in which I've been involved, there
   have been a grand total of 5 accounts with ANY access to the empty root
   domains. In fact, the model was that the admin account in the empty root is
   different from the admin account, for the same individual, in the production
   domain.
  
   Putting non-DC servers

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Roger Seielstad
You're really looking at what I'd call a consulting question - there are too
many factors to be able to give this any sort of justice via an email forum.
That being said, here are some thoughts.

Start with defining the levels of separation and security between your
different classes of users, as well as determining what (if any) resources
are expected to be available, and which classes of users need access to them
(i.e. computer labs, etc.).

Define the administration policies for the different classes of users - are
the student accounts managed by different people than staff, etc? 

Unless you have very serious issues with the trustworthiness (or they're
just plain unruly) of the administrators for student accounts, I don't see a
lot of reason to create a multiple forest design, especially if there are
many resources that have to be shared between the students and faculty. The
design will flow from how well you define your user classes. The better you
understand the requirements for interaction and administration, the easier
it will be to develop a design that will suit your institution.

After all that, my first idea would be a 3 domain forest - empty root,
faculty domain and student domain.

Multiple forests are possible, and in some cases preferable, but they are a
significant overhead, IMO.

Roger
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Wohlgehagen, Max W 
 [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, December 10, 2002 8:20 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 There is so much material out there on AD now it is almost scary [in many
 ways it is not too dissimilar to NDS 'cepting the DNS component]. My problem
 is design for a new network; being in a school we have the luxury of starting
 from scratch without business fallout problems. We are multi-campus and have a
 fairly substantial network with an 11MB Spread Spectrum Microwave link
 between campuses. I am a big fan of the KISS principle but am stuck in
 deciding between multiple trees or a single tree with many sites; both
 concepts have advantages. We do not need to implement a Forest structure as
 our DNS is set in concrete. We have the following elements: Campus1, Campus2,
 Students1, Students2, Staff1, Staff2 ... or OrganisationAll, StaffAll,
 StudentsAll. Obviously there are sub components of these elements as well.
 The main concern is to have the most useful GPO structure without too much
 complexity. Does anyone have any experience in setting up this type of AD?
 Any ideas on multiple domains versus single domain many sites? Help,
 opinions, comments, ideas all welcome. Thanks.
 
 Max Wohlgehagen 
 TSI - Rowville 
 Of all the things I've lost, it's my mind I miss the most. 
 
 
 
 Important - This email and any attachments may be confidential. If received
 in error, please contact us and delete all copies. Before opening or using
 attachments check them for viruses and defects. Regardless of any loss,
 damage or consequence, whether caused by the negligence of the sender or not,
 resulting directly or indirectly from the use of any attached files our
 liability is limited to resupplying any affected attachments. Any
 representations or opinions expressed are those of the individual sender, and
 not necessarily those of the Department of Education & Training.
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Pelle, Joe
Roger,

Do you - or anyone reading this - have any good documentation on the empty
root concept?

Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd.   Livonia, MI  48150
Tel 734.632.3753  Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.


-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 9:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons




RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Craig Cerino
Max, 

While I think there are a LOT of issues that should be addressed
(probably too many for you to get enough quality feedback through an
email forum) there are a few basic things I would recommend considering.

1. Who needs to do what or get where (appliance wise)
2. What needs to be accessible to these people (as a whole)
3. Who needs to be able to access what?

Again, these are just tip of the Iceberg things but that is where I'd
start. I'm guessing by what you said and the mere fact that it is a
multi campus university, that you have a healthy reliable backbone in
place already.

While multiple FORESTS are doable (some people may even lead you down
that path - your decision) I always consider them to have a TON of
administrative and maintenance related overhead. (Not sure how large
your team is that will support this architecture)

If it were me (because I never tell someone THIS IS WHAT YOU SHOULD
DO) I would forget about the domain for each campus etc. I would stick
with two domains FACULTY and STUDENTS (naming convention to be decided
later) and move on from there.

Just my 2 cents Max.

Good luck with this project - sounds exciting to me. 

Craig  


Craig P. Cerino
MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc







RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Tony Murray
There's a reasonably good whitepaper from Lucent.

http://www.lucent.com/knowledge/documentdetail/0,1983,inContentId+0900940380004a2f-inLocaleId+1,00.html

It's not recent, but many of the concepts are still applicable.

Tony

-- Original Message --
From: Pelle, Joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 11 Dec 2002 09:05:00 -0500


RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Roger Seielstad
I believe it's in some of Microsoft's docs.

The biggest reason to do it is to be able to protect the Enterprise Admins
and Schema Admins groups. Any domain admin in the domain which houses those
two groups could add themselves to the groups. Therefore, if you restrict
who's in that domain to begin with, you're able to keep people from adding
themselves.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Pelle, Joe [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 9:05 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
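Roger's reason for the empty root, in the message above, is that any Domain Admin of the domain holding Enterprise Admins and Schema Admins can add themselves to those groups, so keeping the root domain's admin population tiny is what keeps the groups honest. The only way to know that restriction is still holding is to look at the groups regularly. The following is an added example, not part of the thread: a PowerShell diff of actual against approved membership of the forest-root privileged groups, resolved by well-known RID so renaming a group does not hide it. It assumes the ActiveDirectory module (RSAT) and a caller who can read the forest root; the domain name root.example and the approved distinguished names are constructed.

```powershell
# Added example, not from the thread: compare the forest-root groups that the
# empty root exists to protect (Enterprise Admins, Schema Admins) and the root
# Domain Admins against an approved member list, by well-known RID.
# Assumptions: ActiveDirectory module available; approved DNs are constructed.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain
$rootSid = $rootDom.DomainSID.Value

# Well-known RIDs, so the check still works if a group has been renamed.
$groups = [ordered]@{
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
    'Domain Admins'     = "$rootSid-512"
}

# Approved membership by distinguishedName (constructed for this example).
# Schema Admins is expected to be empty outside of a schema change window.
$approved = @{
    'Enterprise Admins' = @('CN=ea-alice,OU=Root Admins,DC=root,DC=example')
    'Schema Admins'     = @()
    'Domain Admins'     = @('CN=Administrator,CN=Users,DC=root,DC=example',
                            'CN=da-alice,OU=Root Admins,DC=root,DC=example')
}

$report = foreach ($name in $groups.Keys) {
    # -Recursive expands nested groups so a user tucked inside another group is
    # still reported; -Server pins the query to a root-domain DC.
    $members = @(Get-ADGroupMember -Identity $groups[$name] -Server $rootDom.DNSRoot -Recursive |
        Select-Object -ExpandProperty DistinguishedName)

    $unexpected = @($members | Where-Object { $_ -notin $approved[$name] })
    $missing    = @($approved[$name] | Where-Object { $_ -notin $members })

    [pscustomobject]@{
        Group      = $name
        Members    = $members.Count
        Unexpected = $unexpected -join '; '
        Missing    = $missing -join '; '
        Clean      = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$report | Format-Table -AutoSize
```

Run this on a schedule and treat any non-empty Unexpected column, or a Members count above the handful Roger describes, as an incident rather than a housekeeping item: the whole point of the design is that these numbers do not move on their own.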

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Salandra, Justin A.
I also agree with those people here that say to have a 3 domain model in a
single forest.  By creating an empty root and having two child domains, you
can ensure security and separation from faculty and students as well as
have a very detailed OU Structure in your students domains based on year or
majors and your faculty can have an OU structure of department.

For the empty root, I would put in the root those services and servers that
both students and faculty members need, such as an e-mail server and web
server.  File servers and application servers I would put in the child
domains that are relative to each domain (i.e. FACULTYFP01 and FACULTYAPP01
in the Faculty domain and STUDENTFP01 and STUDENTAPP01 in the student
domain).

Just the path I would head down.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]


 -Original Message-
From:   Craig Cerino [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 11, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Back to Basics - Design Pros and Cons


RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Craig Cerino
Total brainfart - didn't even consider 3 domains (empty root - Faculty
- Student). Good advice.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

I also agree with those people here that say to have a 3 domain model in a
single forest.  By creating an empty root and having two child domains, you
can ensure security and separation from faculty and students as well as
have a very detailed OU Structure in your students domain based on year or
majors, and your faculty can have an OU structure of department.

For the empty root, I would put in the root those services and servers that
both students and faculty members need, such as an e-mail server and web
server.  File servers and application servers I would put in the child
domains that are relative to each domain (ie FACULTYFP01 and FACULTYAPP01
in the Faculty domain and STUDENTFP01 and STUDENTAPP01 in the student
domain).

Just the path I would head down.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]


 -Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

Max, 

While I think there are a LOT of issues that should be addressed
(probably too many for you to get enough quality feedback through an
email forum) there are a few basic things I would recommend considering.

1. Who needs to do what or get where (appliance wise)
2. What needs to be accessible to these people (as a whole)
3. Who needs to be able to access what?

Again, these are just tip of the Iceberg things but that is where I'd
start. I'm guessing by what you said and the mere fact that it is a
multi campus university, that you have a healthy reliable backbone in
place already.

While multiple FORESTS are doable (some people may even lead you down
that path - your decision) I always consider them to have a TON of
administrative and maintenance related overhead. (Not sure how large
your team is that will support this architecture) 

If it were me (because I never tell someone THIS IS WHAT YOU SHOULD
DO) I would forget about the domain for each campus etc. I would stick
with two domains FACULTY and STUDENTS (naming convention to be decided
later) and move on from there.

Just my 2 cents Max.

Good luck with this project - sounds exciting to me. 

Craig  


Craig P. Cerino
MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc




 -Original Message-
 From: Wohlgehagen, Max W 
 [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, December 10, 2002 8:20 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 There is so much material out there on AD now it is almost 
 scary [in many ways it is not too dissimilar to NDS 'cepting 
 the DNS component] My problem is design for a new network, 
 being in a school we have the luxury of starting from scratch 
 without business fallout problems. We are multi-campus and 
 have a fairly substantial network with an 11MB Spread 
 Spectrum Microwave link between campuses. I am a big fan of 
 the KISS principle but am stuck in deciding between multiple 
 trees or a single tree with many sites, both concepts have 
 advantages. We do not need to implement a Forrest structure 
 as our DNS is set in concrete. We have the following 
 elements: Campus1, Campus2, Students1, Students2, Staff1, 
 Staff2 ... or OrganisationAll, StaffAll, StudentsAll. 
 Obviously there are sub components of these elements as well. 
 The main concern is to have the most useful GPO structure 
 without too much complexity. Does anyone have any experience 
 in setting up this type of AD. Any ideas on multiple domains 
 versus single domain many sites?? Help, opinions, comments, 
 ideas all welcome. Thanks.
 
 Max Wohlgehagen 
 TSI - Rowville 
 Of all the things I've lost, it's my mind I miss the most. 
 Wohlgehagen, Max (E-mail).vcf 
 
 
 
 
 

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Charles Carerros
I agree with Craig, however I would still stick with one domain and use
the OU structure to the max.  Maybe creating an OU for each campus and
then dividing them down by departments or students and staff or whatever
you find to work best.

That is what I have found to work best because then you can have the
departments do their own administration at their level.  And one of the
most difficult things that I have found on my campus is the politics and
this kind of concept helps.

But do what you must,

chuck

Thank you,
 
Charles Carerros
IS Network Specialist
Center for International Education
University of Wisconsin -- Milwaukee
Garland Hall RM 117
[EMAIL PROTECTED]
P:  (414) 229-3604
F:  (414) 229-3626





RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Jimmy Andersson
Have you seen the Microsoft University Relations website? It's a site dedicated to
issues for the University IT Pro.
http://msruniv.corp.bcentral.com/

I've seen many Universities with multiple forests. Many people think that a domain
is a Security boundary, but if you need more than an Administrative boundary,
multiple forests is the way to go.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
www.qadvice.com


  


Re: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Jerry Welch

Jimmy -
Thanks for the idea - I will check and get back to you.
Jerry




RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Roger Seielstad
Actually - the empty root should be just that - empty. The transitive trust
model handles the rest.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA



RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Salandra, Justin A.
True, but logically it makes sense to atleast have servers there that are
common.


RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Salandra, Justin A.
Not really.  You can have an Exchange server in an empty root that only has
accounts on it from child domains.  Meaning that all user accounts are in
the child domains, so you still only have the Administrator group in the
forest root.  Plus if you create one more account as the account you use to
do all your admin work and have all services run as in the forest root then
you only have two accounts, Administrator and the new account.

An empty root only means that there are no users maintained in that domain
context.  You can have servers in the forest root such as Application
servers or File servers and even Exchange Servers without running the risk
of having your AD Security compromised.  You specifically grant child domain
user accounts access to folders or mailboxes.  You are not granting them, nor
would you, access to the AD Contexts or to any administrative functions in
the root.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

 -Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

No it doesn't. It's empty for security reasons, not for anything else. By
putting any services within the domain, it voids the protections offered by
the empty root - specifically preventing changes to the Enterprise Admins
and Schema Admins groups.

In the last 2 empty root deployments in which I've been involved, there
have been a grand total of 5 accounts with ANY access to the empty root
domains. In fact, the model was that the admin account in the empty root is
different from the admin account, for the same individual, in the production
domain.

Putting non-DC servers in that domain means granting some level of rights to
accounts in that domain, which threatens the controls over the above
mentioned groups.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


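
As an added illustration, not code from the thread or from any of its participants, the following PowerShell script audits a forest root domain against the empty-root model argued over above: it lists the enabled user accounts living in the root, any computer objects there that are not domain controllers (Roger's point about non-DC servers), and the recursive membership of the Enterprise Admins and Schema Admins groups the empty root is meant to protect. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so a generation past the thread's Windows 2000 era) and an account able to read the root domain; the account threshold is an assumed value taken from Roger's "grand total of 5" figure.

```powershell
# Added audit example (not from the thread). Assumes the RSAT ActiveDirectory
# module and an account that can read the forest root domain.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$root     = Get-ADDomain -Identity $forest.RootDomain
$rootDC   = $root.PDCEmulator          # query one root DC consistently
$rootBase = $root.DistinguishedName
$maxRootAccounts = 5                   # assumed threshold, from Roger's "grand total of 5"

# 1. Enabled user accounts living in the root domain. An "empty" root should
#    hold the built-in Administrator plus a handful of dedicated admin accounts.
$rootUsers = @(Get-ADUser -Server $rootDC -SearchBase $rootBase `
    -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName)

# 2. Computer objects in the root that are not domain controllers. A member
#    server in the root means rights have been granted to root-domain principals.
$dcDns   = @((Get-ADDomainController -Server $rootDC -Filter *).ComputerObjectDN)
$nonDcPc = @(Get-ADComputer -Server $rootDC -SearchBase $rootBase -Filter * |
    Where-Object { $dcDns -notcontains $_.DistinguishedName })

# 3. Recursive membership of the forest-wide groups the empty root exists to protect.
$protected = @(foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Server $rootDC -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, objectClass, SamAccountName, distinguishedName
})

# Report the findings in the order the thread raised them.
Write-Host "Forest root: $($root.DNSRoot)"
Write-Host ("Enabled users in root: {0} (threshold {1})" -f $rootUsers.Count, $maxRootAccounts)
if ($rootUsers.Count -gt $maxRootAccounts) {
    Write-Warning "Root domain holds more user accounts than an empty-root design expects."
}
$rootUsers | Format-Table -AutoSize

if ($nonDcPc.Count -gt 0) {
    Write-Warning "Non-DC computer objects found in the root domain:"
    $nonDcPc | Select-Object Name, DistinguishedName | Format-Table -AutoSize
} else {
    Write-Host "No non-DC computer objects in the root domain."
}

Write-Host "Enterprise Admins / Schema Admins membership (recursive):"
$protected | Format-Table -AutoSize
if (@($protected | Where-Object { $_.Group -eq 'Schema Admins' }).Count -gt 0) {
    Write-Warning "Schema Admins is not empty; it is normally kept empty except during schema changes."
}
```

Run it from a workstation joined to any domain in the forest; every query is pinned to the root PDC emulator so that membership and object counts come from a single, authoritative replica.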

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Roger Seielstad
That brings up a great point - universities are very different environments
from corporate environs.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Charles Carerros [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 9:57 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 I agree with Craig, however I would still stick with one 
 domain and use
 the OU structure to the max.  Maybe creating an OU for each campus and
 then dividing them down by departments or students and staff 
 or whatever
 you find to work best.
 
 That is what I have found to work best because then you can have the
 departments do their own administration at their level.  And 
 one of the
 most difficult things that I have found on my campus is the 
 politics and
 this kind of concept helps.
 
 But do what you must,
 
 chuck
 
 Thank you,
  
 Charles Carerros
 IS Network Specialist
 Center for International Education
 University of Wisconsin -- Milwaukee
 Garland Hall RM 117
 [EMAIL PROTECTED]
 P:  (414) 229-3604
 F:  (414) 229-3626
 
 
 -Original Message-
 From: Craig Cerino [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 8:10 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 Max, 
 
   While I think there are a LOT of issues that should be addressed
 (probably too many for you top get enough quality feedback through an
 email forum) there are a few basic things I would recommend 
 considering.
 
 1. Who needs to do what or get where (appliance wise)
 2. What needs to be accessible to these people (as a whole)
 3. Who needs to be able to access what?
 
 Again, these are just tip of the Iceberg things but that is 
 where I'd
 start. I'm guessing by what you said and the mere fact that it is a
 multi campus university, that you have a healthy reliable backbone in
 place already.
 
 While multiple FORESTS are doable (some people may even lead you down
 that path - your decision) I always consider them to have a TON of
 administrative and maintenance related overhead. (Not sure how large
 your team is that will support this architecture)
 
 If it were me (because I never tell someone THIS IS WHAT YOU SHOULD
 DO) I would forget about the domain for each campus etc. I 
 would stick
 with two domains FACULTY and STUDENTS (naming convention to be decided
 later) and move on from there.
 
 Just my 2 cents Max.
 
 Good luck with this project - sounds exciting to me. 
 
 Craig  
 
 
 Craig P. Cerino
 MCSE, MCP+I
 Systems Administrator
 TIE SOLUTIONS, Inc
 
 
 
 
  -Original Message-
  From: Wohlgehagen, Max W
  [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, December 10, 2002 8:20 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Back to Basics - Design Pros and Cons
  
  
  There is so much material out there on AD now it is almost
  scary [in many ways it is not too dissimilar to NDS 'cepting 
  the DNS component] My problem is design for a new network, 
  being in a school we have the luxury of starting from scratch 
  without business fallout problems. We are multi-campus and 
  have a fairly substantial network with an 11MB Spread 
  Spectrum Microwave link between campuses. I am a big fan of 
  the KISS principle but am stuck in deciding between multiple 
  trees or a single tree with many sites, both concepts have 
  advantages. We do not need to implement a Forest structure 
  as our DNS is set in concrete. We have the following 
  elements: Campus1, Campus2, Students1, Students2, Staff1, 
  Staff2 ... or OrganisationAll, StaffAll, StudentsAll. 
  Obviously there are sub components of these elements as well. 
  The main concern is to have the most useful GPO structure 
  without too much complexity. Does anyone have any experience 
  in setting up this type of AD. Any ideas on multiple domains 
  versus single domain many sites?? Help, opinions, comments, 
  ideas all welcome. Thanks.
  
  Max Wohlgehagen
  TSI - Rowville 
  Of all the things I've lost, it's my mind I miss the most. 
  Wohlgehagen, Max (E-mail).vcf 
  
  
  
  ***************************************************************
  Important - This email and any attachments may be 
  confidential. If received in error, please contact us and 
  delete all copies. Before opening or using attachments check 
  them for viruses and defects. Regardless of any loss, damage 
  or consequence, whether caused by the negligence of the 
  sender or not, resulting directly or indirectly from the use 
  of any attached files our liability is limited to resupplying 
  any affected attachments. Any representations or opinions 
  expressed are those of the individual sender, and not 
  necessarily those of the Department of Education & Training.
  
  
 List info   : http://www.activedir.org

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Roger Seielstad
The point which I believe you're missing, is that the manageability of servers
within that domain generally means that the group of people managing servers
in that domain requires domain level admin rights, which obviates the
security benefits of the empty root.

The concept behind the empty root is to provide a container for the schema
and forest structure - nothing else. By putting anything other than what is
required to meet those needs, it's no longer an empty root.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 12:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 Not really. You can have an Exchange server in an empty root that only has
 accounts on it from child domains. Meaning that all user accounts are in
 the child domains, so you still only have the Administrator group in the
 forest root. Plus if you create one more account as the account you use to
 do all your admin work and have all services run as in the forest root then
 you only have two accounts, Administrator and the new account.
 
 An empty root only means that there are no users maintained in that domain
 context. You can have servers in the forest root such as Application
 servers or File servers and even Exchange Servers without running the risk
 of having your AD Security compromised. You specifically grant child domain
 user account access to folders or mailboxes. You are not granting them, nor
 would you, access to the AD Contexts or to any administrative functions in
 the root.
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 914.681.8117 office
 646.483.3325 cell
 [EMAIL PROTECTED]
 
  -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 12:44 PM
 To:   '[EMAIL PROTECTED]'
 Subject:  RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 No it doesn't. It's empty for security reasons, not for anything else. By
 putting any services within the domain, it voids the protections offered by
 the empty root - specifically preventing changes to the Enterprise Admins
 and Schema Admins groups.
 
 In the last 2 empty root deployments in which I've been involved, there
 have been a grand total of 5 accounts with ANY access to the empty root
 domains. In fact, the model was that the admin account in the empty root is
 different from the admin account, for the same individual, in the production
 domain.
 
 Putting non-DC servers in that domain means granting some level of rights to
 accounts in that domain, which threatens the controls over the above
 mentioned groups.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
  Sent: Wednesday, December 11, 2002 12:36 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  
  True, but logically it makes sense to at least have servers there that are
  common.
  
   -Original Message-
  From:   Roger Seielstad [mailto:[EMAIL PROTECTED]] 
  Sent:   Wednesday, December 11, 2002 12:29 PM
  To: '[EMAIL PROTECTED]'
  Subject:RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  Actually - the empty root should be just that - empty. The 
  transitive trust
  model handles the rest.
  
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
  
  
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
   Sent: Wednesday, December 11, 2002 9:24 AM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
   
   
   I also agree with those people here that say to have a 3 domain model in a
   single forest. By creating an empty root and having two child domains, you
   can ensure security and separation from faculty and students as well as
   have a very detailed OU Structure in your students domains based on year or
   majors and your faculty can have an OU structure of department.
   
   For the empty root, I would put in the root those services and servers that
   both students and faculty members need, such as an e-mail server and web
   server. File servers and application servers I would put in the child
   domains that are relevant to each domain (i.e. FACULTYFP01 and FACULTYAPP01
   in the Faculty domain and STUDENTFP01 and STUDENTAPP01 in the student
   domain).
   
   Just the path I would
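
Roger's argument in this exchange is that the empty root exists only to protect the forest-wide groups (Enterprise Admins, Schema Admins and the root's own Domain Admins/Administrators), and that a clean deployment ends up with a handful of accounts holding any rights there. The script below is an added example for auditing exactly that; it is not code from the thread or from any poster. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read group membership in the forest root domain.

```powershell
# Added example (not from the thread): report who actually holds rights over
# the forest root, and flag principals from other domains that have been
# granted those rights. Assumes the ActiveDirectory module (RSAT) is present.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$root    = Get-ADDomain -Identity $forest.RootDomain
$rootDC  = $root.PDCEmulator
$rootSid = $root.DomainSID.Value

# Well-known RIDs: 519 Enterprise Admins, 518 Schema Admins, 512 Domain Admins.
# The root domain's builtin Administrators group is always S-1-5-32-544.
$targets = [ordered]@{
    'Enterprise Admins'     = "${rootSid}-519"
    'Schema Admins'         = "${rootSid}-518"
    'Domain Admins (root)'  = "${rootSid}-512"
    'Administrators (root)' = 'S-1-5-32-544'
}

$report = foreach ($name in $targets.Keys) {
    $sid = $targets[$name]
    try {
        # -Recursive flattens nesting, so a user hidden three groups deep is
        # still reported as holding the right. Expansion can fail if the group
        # contains foreign security principals from a trusted forest.
        $members = Get-ADGroupMember -Identity $sid -Recursive -Server $rootDC -ErrorAction Stop
    } catch {
        Write-Warning "Could not expand $name ($sid): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $memberDomainSid = $m.SID.AccountDomainSid
        [pscustomobject]@{
            Group           = $name
            Member          = $m.SamAccountName
            Class           = $m.objectClass
            # A member whose SID is not from the root domain is a child-domain
            # (or foreign) principal that has been given rights over the root.
            FromOtherDomain = ($null -ne $memberDomainSid -and $memberDomainSid.Value -ne $rootSid)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Roger's figure for a clean deployment is single digits; a much larger
# number means the root is being used for day-to-day administration.
$distinctUsers = @($report | Where-Object Class -eq 'user' |
                   Select-Object -ExpandProperty Member -Unique)
"Distinct user accounts with rights over the forest root: $($distinctUsers.Count)"

$report | Where-Object FromOtherDomain | ForEach-Object {
    Write-Warning "$($_.Member) from another domain is a member of $($_.Group)"
}
```

Run it against the PDC emulator of the root so the membership you see is authoritative rather than a lagging replica. The script only reports; deciding which of the listed accounts should lose their rights is the design decision the thread is arguing about.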

Re: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Ben Machin
I would disagree with the point that you need to be Domain Admin in order to
administer servers in a domain. This is not true - I would strongly
recommend against granting Domain Admin to a server administrator in a
domain solely for that purpose. The user only needs to be an Administrator
of that server - this is not the same as, nor does it require, Domain Admin
privilege. This can be done with a GPO which adds a particular server admin
group to the local admin group on the relevant server.

I would however still agree with the point that an empty root should be as
empty as possible. As above, to keep rights at a minimum requires a
significant admin overhead which could easily be overlooked compromising the
security of the root domain.

my 2p worth...


- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 11, 2002 6:23 PM
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons


 The point which I believe you're missing, is that the manageability of
 servers within that domain generally means that the group of people managing
 servers in that domain requires domain level admin rights, which obviates the
 security benefits of the empty root.

 The concept behind the empty root is to provide a container for the schema
 and forest structure - nothing else. By putting anything other than what
 is required to meet those needs, it's no longer an empty root.

 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA


  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, December 11, 2002 12:46 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
  Not really. You can have an Exchange server in an empty root that only has
  accounts on it from child domains. Meaning that all user accounts are in
  the child domains, so you still only have the Administrator group in the
  forest root. Plus if you create one more account as the account you use to
  do all your admin work and have all services run as in the forest root then
  you only have two accounts, Administrator and the new account.
 
  An empty root only means that there are no users maintained in that domain
  context. You can have servers in the forest root such as Application
  servers or File servers and even Exchange Servers without running the risk
  of having your AD Security compromised. You specifically grant child domain
  user account access to folders or mailboxes. You are not granting them, nor
  would you, access to the AD Contexts or to any administrative functions in
  the root.
 
  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  914.681.8117 office
  646.483.3325 cell
  [EMAIL PROTECTED]
 
   -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, December 11, 2002 12:44 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
  No it doesn't. It's empty for security reasons, not for anything else. By
  putting any services within the domain, it voids the protections offered by
  the empty root - specifically preventing changes to the Enterprise Admins
  and Schema Admins groups.
 
  In the last 2 empty root deployments in which I've been involved, there
  have been a grand total of 5 accounts with ANY access to the empty root
  domains. In fact, the model was that the admin account in the empty root is
  different from the admin account, for the same individual, in the production
  domain.
 
  Putting non-DC servers in that domain means granting some level of rights to
  accounts in that domain, which threatens the controls over the above
  mentioned groups.
 
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
 
 
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, December 11, 2002 12:36 PM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  
   True, but logically it makes sense to at least have servers there that are
   common.
  
-Original Message-
   From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
   Sent: Wednesday, December 11, 2002 12:29 PM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
   Actually - the empty root should be just that - empty. The
   transitive trust
   model handles the rest.
  
   --
   Roger D. Seielstad - MCSE
   Sr. Systems Administrator
   Inovis - Formerly Harbinger and Extricity
   Atlanta, GA
  
  
-Original Message-
From: Salandra, Justin
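
Ben's "GPO which adds a particular server admin group to the local admin group" is the Restricted Groups setting under Computer Configuration, Windows Settings, Security Settings. When that setting is configured in GPMC, the policy is stored in the GPO's SYSVOL folder as Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, and the relevant section looks like the fragment below. This is an added illustration, not something from the thread; the group name ServerAdmins and its SID are placeholders, and the RID 1105 is made up.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Placeholder SID for a hypothetical CAMPUS\ServerAdmins group (RID 1105 is made up).
; "<group>__Memberof = <target>" ADDS the group to the target (here the local
; Administrators group, S-1-5-32-544) and leaves the target's existing members
; alone. The other form, "<target>__Members = <list>", REPLACES the target's
; membership with exactly that list, which is how people accidentally strip
; Domain Admins or the local Administrator out of every server the GPO hits.
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
```

Configure this through GPMC rather than by editing SYSVOL by hand, since GPMC also registers the security client-side extension in gpt.ini so that clients actually process the file. Link the GPO to the OU holding the servers that this group should administer, not to the domain, and verify on a target after gpupdate with Get-LocalGroupMember -Group Administrators: the server admin group should appear alongside, not instead of, Domain Admins and the local Administrator.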

RE: [ActiveDir] Back to Basics - Design Pros and Cons

2002-12-11 Thread Patton, Jim

If I understand the theory correctly, a brand new installation would
include the first domain controller with an empty root and then one or
more servers acting as child domain controllers. Is that essentially
correct? 

 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 10:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons

The point which I believe you're missing, is that the manageability of
servers within that domain generally means that the group of people managing
servers in that domain requires domain level admin rights, which obviates the
security benefits of the empty root.

The concept behind the empty root is to provide a container for the
schema and forest structure - nothing else. By putting anything other than what
is required to meet those needs, it's no longer an empty root.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 12:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 
 Not really. You can have an Exchange server in an empty root that only has
 accounts on it from child domains. Meaning that all user accounts are in
 the child domains, so you still only have the Administrator group in the
 forest root. Plus if you create one more account as the account you use to
 do all your admin work and have all services run as in the forest root then
 you only have two accounts, Administrator and the new account.
 
 An empty root only means that there are no users maintained in that domain
 context. You can have servers in the forest root such as Application
 servers or File servers and even Exchange Servers without running the risk
 of having your AD Security compromised. You specifically grant child domain
 user account access to folders or mailboxes. You are not granting them, nor
 would you, access to the AD Contexts or to any administrative functions in
 the root.
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 914.681.8117 office
 646.483.3325 cell
 [EMAIL PROTECTED]
 
  -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 11, 2002 12:44 PM
 To:   '[EMAIL PROTECTED]'
 Subject:  RE: [ActiveDir] Back to Basics - Design Pros and Cons
 
 No it doesn't. It's empty for security reasons, not for anything else. By
 putting any services within the domain, it voids the protections offered by
 the empty root - specifically preventing changes to the Enterprise Admins
 and Schema Admins groups.
 
 In the last 2 empty root deployments in which I've been involved, there
 have been a grand total of 5 accounts with ANY access to the empty root
 domains. In fact, the model was that the admin account in the empty root is
 different from the admin account, for the same individual, in the production
 domain.
 
 Putting non-DC servers in that domain means granting some level of rights to
 accounts in that domain, which threatens the controls over the above
 mentioned groups.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
  Sent: Wednesday, December 11, 2002 12:36 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  
  True, but logically it makes sense to at least have servers there that are
  common.
  
   -Original Message-
  From:   Roger Seielstad [mailto:[EMAIL PROTECTED]] 
  Sent:   Wednesday, December 11, 2002 12:29 PM
  To: '[EMAIL PROTECTED]'
  Subject:RE: [ActiveDir] Back to Basics - Design Pros and Cons
  
  Actually - the empty root should be just that - empty. The 
  transitive trust
  model handles the rest.
  
  --
  Roger D. Seielstad - MCSE
  Sr. Systems Administrator
  Inovis - Formerly Harbinger and Extricity
  Atlanta, GA
  
  
   -Original Message-
   From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
   Sent: Wednesday, December 11, 2002 9:24 AM
   To: '[EMAIL PROTECTED]'
   Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
   
   
   I also agree with those people here that say to have a 3 domain model in a
   single forest. By creating an empty root and having two child domains, you
   can ensure security and separation from faculty and students as well as
   have a very detailed OU Structure in your students domains based on year or
   majors and your faculty can have an OU structure of department