RE: [ActiveDir] Root Place Holder justification

Gil, I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee. Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important. In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without. I need concrete, specific reasons why it is detrimental to have a root domain. Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef, We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for approval. I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons? Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than
RE: [ActiveDir] Root Place Holder justification

I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people. From an architectural stance, harm means a whole lot more. What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO.

my 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil, I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee. Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important. In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without. I need concrete, specific reasons why it is detrimental to have a root domain. Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef, We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval." I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking a
RE: [ActiveDir] Root Place Holder justification

Neil, In some ways they may be even more harmful. Network outages have their own fixes, hardware failures have replacements, deleted data (should) have backups. Solutions for bad process and policy due to architecture decisions? Not as cut and dry, and could be most costly in the long run as the problems compound. I know we just did an analysis of the cost of directory remediation due to cleaning up bad data stemming from bad processes. It is easily in the 6 digits when you factor in manpower, systems, delaying of applications due to bad data, etc. A root domain may not be the cause of such things, but how the environment will be managed and the pitfalls should be thought of.

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Fri, 28 Apr 2006 15:20:45 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people. From an architectural stance, harm means a whole lot more. What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO.

my 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil, I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee. Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important. In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without. I need concrete, specific reasons why it is detrimental to have a root domain. Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef, We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deploym
RE: [ActiveDir] Root Place Holder justification

I read your post as "You need good policy and procedures and actually adhere to them." I 100% agree, doesn't matter if you have 1 domain or 30 domains (and that could be 29 full or empty or any combination domains). I recently had to sit in on a meeting to listen to some folks discuss a failure and from a very small problem it escalated into a week long massive outage. All due to poor communications, and lack of process to account for the new environment. They had process for the old NT4/E5.5 environment and they tried to follow it and it all went horribly wrong of course. Also there was a massive failure, IMO, in that they didn't review all management and support processes during and after the migration to a new environment. They were and still are managing a single AD forest like they managed a conglomerate of loosely connected trusted NT4 domains. No centralized management hence no real strong grasp of what is happening at the 30k foot level so things are falling on their heads. But anyway, great post, just not an issue due to empty root domains. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Neil, In some ways they may be even more harmful. Network outages have their own fixes, hardware failures have replacements, deleted data (should) have backups. Solutions for bad process and policy due to architecture decisions? Not as cut and dry, and could be most costly in the long run as the problems compound. I know we just did an analysis of the cost of directory remediation due to cleaning up bad data stemming from bad processes. It is easily in the 6 digits when you factor in manpower, systems, delaying of applications due to bad data, etc. A root domain may not be the cause of such things, but how the environment will be managed and the pitfalls should be thought of.

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Fri, 28 Apr 2006 15:20:45 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people. From an architectural stance, harm means a whole lot more. What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO.

my 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil, I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee. Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important. In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without. I need concrete, specific reasons why it is detrimental to have a root domain. Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's
RE: [ActiveDir] Root Place Holder justification

I think he meant... joseph ;-)

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-04-27 01:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Who?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 6:20 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Root Place Holder justification

Dean/Joseph, Anything to add?

Mark

-Original Message-
From: Jef Kazimer [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 16:15:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

RH, It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process. Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings its own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on samaccountname in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory? If we had a single domain, this would not be an issue. I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :(

Jef

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400

Where's the harm? Don't tell me about economics or overhead or other things. Tell me where the harm is. Please.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef, We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials
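Jef's point in the message quoted above, that AD enforces sAMAccountName uniqueness only within a single domain and that an aggregation directory therefore has to decide which colliding account "wins", can be measured before any MIIS-style feed is built. The following PowerShell is an added example written for this page, not code from the thread or from any of its authors. It assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and the function name Find-ForestDuplicateSamAccountName is my own; the "oldest object wins" ordering is only one possible tie-break rule, chosen here because it is deterministic.

```powershell
# Added example (not from the ActiveDir thread): list sAMAccountName values that
# occur in more than one domain of the forest. AD guarantees uniqueness per
# domain only, so a directory that aggregates several domains must resolve
# these collisions itself.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

function Find-ForestDuplicateSamAccountName {
    [CmdletBinding()]
    param(
        # Domains to inspect; defaults to every domain in the current forest.
        [string[]]$Domain = (Get-ADForest).Domains,
        # Include computers and groups too, not just user accounts.
        [switch]$AllObjectClasses
    )

    # objectCategory=person matches user accounts only; computers are excluded
    # unless -AllObjectClasses is given.
    $filter = if ($AllObjectClasses) { 'sAMAccountName -like "*"' } else { 'objectCategory -eq "person"' }

    $records = foreach ($d in $Domain) {
        # Query a DC of each domain so the source domain stays explicit.
        Get-ADObject -Server $d -Filter $filter -Properties sAMAccountName, objectClass, whenCreated |
            ForEach-Object {
                [pscustomobject]@{
                    SamAccountName    = $_.sAMAccountName
                    Domain            = $d
                    ObjectClass       = $_.objectClass
                    WhenCreated       = $_.whenCreated
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }

    # sAMAccountName comparison in AD is case-insensitive, so group that way too.
    $records |
        Where-Object { $_.SamAccountName } |
        Group-Object -Property { $_.SamAccountName.ToLowerInvariant() } |
        Where-Object { @($_.Group.Domain | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.Group[0].SamAccountName
                Domains        = (@($_.Group.Domain | Sort-Object -Unique)) -join ', '
                # Oldest object first: a deterministic "which one wins" rule for the feed.
                Objects        = @($_.Group | Sort-Object WhenCreated)
            }
        }
}

# Usage: summarise every collision, then show the candidate objects for each.
$dupes = @(Find-ForestDuplicateSamAccountName)
"{0} sAMAccountName collision(s) across the forest" -f $dupes.Count
$dupes | Select-Object SamAccountName, Domains | Format-Table -AutoSize
$dupes | ForEach-Object {
    $_.Objects | Format-Table Domain, ObjectClass, WhenCreated, DistinguishedName -AutoSize
}
```

Run it under an account that can read each domain partition; a count of zero is the condition an aggregation directory can rely on, and anything above zero is a list of accounts that need an explicit ownership decision before they are flowed into a single partition.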
RE: [ActiveDir] Root Place Holder justification

Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for approval. I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons? Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation. I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs. I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Root Place Holder justification
to have an empty forest root domain or not... (things I just thought of) POSSIBLES FOR TO HAVE: * Large, complex and dynamic organizations * Organization with independent departments and decentralized IT departments (because of this one or more IT departments does not accept the other as being the forest root domain) * Wish to have a forest root domain that is department/region/location independent (incl. its name) (better possibilities to transfer ownership and better resistent to organizational changes) * Stronger security policies for admin accounts POSSIBLES FOR NOT TO HAVE: * Organization with a centralized IT department * Static organizations * Additional costs and hardware You could have a look at the Windows Server System Reference Architecture -- http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx Directory Services Guide -- http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true (search for section called Forest Root Design) my 2 cents cheers, jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Mark Parris Sent: Wed 2006-04-26 15:36 To: ActiveDir.org Subject: [ActiveDir] Root Place Holder justification Does anyone have any official documentation as to the justification for a root place holder, pro's and con's ? Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recomending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent amo - a little bit stronger than schema and Ent admin separation. 
I know at DEC the consensus was the desire to eliminate, and I believe Guido and Wook have stated this for the past two DECs. I have searched this list and can find no relevant articles.

Many thanks
Regards
Mark

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Root Place Holder justification
Forgot to mention in my previous post.. always go for a single domain forest! Unless blabla...yadayada... (and this should be a STRONG reason)

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 2006-04-26 15:36
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification
Number 1 of these really drives me nuts and at this point I usually start shouting. As domains do NOT limit resource access, i.e. users in Domain A can access resources in Domain B (in fact that's the usual reason for having trusts between domains) and the other way round, how can you justify different Security Requirements? They are in effect both securing the same objects.

Number 2 tends to become irrelevant if you have Exchange, because that stuffs everything back into the GC that the AD designers took out, and you really need GCs everywhere.

Number 3 is a good reason to start rationalizing.

Having said that, when I worked for Compaq I produced a number of designs with an Empty Root and, as others have said, these were always passed by both Microsoft and Anderson Consulting as they were then. Personally I would like to see the business benefit that all those extra DCs deliver. (That is business benefit to the customer, not to the server supplier and Microsoft.)

Dave.

P.S. Please note the above are my personal views and not those of Stockport Council.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 14:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a google search):
1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56 kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself.
I would rather clean it up than continue with a past decision, but I guess that depends upon the impact to operations and the complexity of consolidation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 9:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk **
RE: [ActiveDir] Root Place Holder justification
I view the number 1 security issues more at the GPO level than the resource level: password and lockout policies on accounts. For example, in my environment (public school) I could make a case that Teachers need a strong password policy and a quick lockout while the students do not (and should not, because they typo passwords so often). We don't do that and only have a single domain, but it is a valid example. I could only get the above with teachers in one domain and students in another.

But that is a case for two domains, not the empty root domain that it seems the OP is being pushed towards.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 26, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification - drifting off topic slightly
As an Ex-Teacher, I think the problem of Pupils messing with other Pupils' accounts means they should have the same settings as teachers. If they forget the password it should be worksheets for three weeks! However, point taken, there are some accounts that should have higher security settings; perhaps this is a real design flaw in AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification
"For example in my environment (public school) I could make a case that Teachers need a strong password policy and a quick lockout while the students do not (and should not because they typo passwords so often). We don't do that and only have a single domain but it is a valid example."

Been down that exact road before a few times. Ended up making the kids rough it out and learn how to have a real password; might as well learn sooner or later, you know. Your website says you have about as many area residents as I do employees too. :)

MCS pitched this client's empty root and two child domain model that was partially an internal political compromise ... there's no real technical value other than I have a lot more hardware to worry about on any given day.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 26, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification
Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] Root Place Holder justification
The problem I always had with the idea of tighter security for a root domain for admins is that it doesn't always flow down correctly for all tasks in the child domains. I.e. you have your Admins in the ROOT domain, which has a tighter security policy than your child domain. Yet you can't place these users in the Domain Admins group of the child domain, since it is a global group and is not accepting users from the root domain. You can place the users in the Administrators group, but this does not get you everything in the child domain, since most things are ACL'd by Domain Admins by default and not the domain's Administrators group.

So you can use these Admins with a tighter security policy to do actions that are 90% of the job because they are Administrators, but for that extra 10% you would need a child domain account without the higher security policy in the Domain Admins group.

Of course this can all be done using different ACLs and task groups and what not, but is there a simpler way that I am missing?
Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 16:03:13 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
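Jef's point above - root-domain admins can sit in a child domain's Administrators group but not in its Domain Admins group, while many objects are ACL'd to Domain Admins - can be checked on a real object rather than assumed. The following is an added example and not code from anyone in this thread: it parses the SDDL string of an AD object's DACL (what `(Get-Acl "AD:\<DN>").Sddl` prints in PowerShell) and reports which rights Domain Admins hold that BUILTIN\Administrators do not. The sample SDDL is constructed for the example and is not a dump of any real default ACL; the trustee aliases and two-letter rights tokens are standard SDDL.

```python
"""Which AD object rights do BUILTIN\\Administrators lack relative to Domain Admins?

Added example for this thread, not code from any poster. Feed it the SDDL string
of an AD object's DACL, e.g. the output of (Get-Acl "AD:\\<DN>").Sddl in PowerShell.
"""
import re
from typing import Dict, Set

# Standard SDDL trustee abbreviations. Domain Admins (RID 512) is a *global*
# group and cannot contain principals from another domain; BUILTIN\Administrators
# (S-1-5-32-544) is domain local and can.
DOMAIN_ADMINS_ALIAS = "DA"
ENTERPRISE_ADMINS_ALIAS = "EA"
BUILTIN_ADMINS_ALIAS = "BA"
BUILTIN_ADMINS_SID = "S-1-5-32-544"

# DACL = "D:" + optional control flags (P, AI, AR, ...) + zero or more "(...)" ACEs.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def trustee_label(trustee: str) -> str:
    """Map an SDDL trustee (alias or literal SID) to the group it denotes."""
    if trustee == DOMAIN_ADMINS_ALIAS or trustee.endswith("-512"):
        return "Domain Admins"
    if trustee == ENTERPRISE_ADMINS_ALIAS or trustee.endswith("-519"):
        return "Enterprise Admins"
    if trustee in (BUILTIN_ADMINS_ALIAS, BUILTIN_ADMINS_SID):
        return "Administrators"
    return trustee  # anything else: keep the alias/SID as-is


def parse_rights(rights: str) -> Set[str]:
    """Split an SDDL rights field into its two-letter tokens (or keep a raw hex mask)."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dacl_allow_rights(sddl: str) -> Dict[str, Set[str]]:
    """Return {trustee label: rights} for every allow ACE (A or OA) in the DACL.

    Deny ACEs and the SACL are ignored; object-specific ACEs (OA) are folded in
    without distinguishing which attribute or child class they apply to.
    """
    grants: Dict[str, Set[str]] = {}
    m = DACL_RE.search(sddl)
    if not m:
        return grants
    for ace in ACE_RE.finditer(m.group(1)):
        fields = ace.group(1).split(";")
        if len(fields) < 6:
            continue  # malformed ACE
        ace_type, _flags, rights, _obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):
            continue
        grants.setdefault(trustee_label(trustee), set()).update(parse_rights(rights))
    return grants


def rights_missing_for_administrators(sddl: str) -> Set[str]:
    """Rights Domain Admins are granted that BUILTIN\\Administrators are not.

    This is the gap a root-domain admin hits when placed only in the child's
    Administrators group.
    """
    grants = dacl_allow_rights(sddl)
    return grants.get("Domain Admins", set()) - grants.get("Administrators", set())


def administrators_can_write_dacl(sddl: str) -> bool:
    """True if Administrators hold WRITE_DAC (WD), i.e. could close the gap by editing the ACL."""
    return "WD" in dacl_allow_rights(sddl).get("Administrators", set())


# Constructed sample shaped like Get-Acl output; NOT a dump of any real default ACL.
# Domain Admins get the full set; Administrators lack SD (delete) and DT (delete
# tree) but do hold WD (write DACL).
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;BA)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
)

if __name__ == "__main__":
    print("Domain Admins have, Administrators lack:",
          sorted(rights_missing_for_administrators(SAMPLE_SDDL)))
    print("Administrators can rewrite the DACL:", administrators_can_write_dacl(SAMPLE_SDDL))
```

Run it against the SDDL of the containers your root-domain admins actually need to manage; the set it returns is the "extra 10%" for that object. If Administrators hold WD on the same object, the gap is only nominal, because they can grant themselves the missing rights, which is worth knowing for the opposite reason.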
RE: [ActiveDir] Root Place Holder justification
There isn't much official documentation available on this topic, and if you search the archives you'll see it's been discussed many times. Fact is that an empty root typically gives a false sense of security. For most scenarios you can even argue that it reduces the overall security of an AD forest.

Here's a nice list of arguments AGAINST an empty forest root domain from Paul Rich, Senior Architecture Engineer within Microsoft's internal IT:

Empty root domain summary
- Adds complexity
- Adds up front cost
- Adds ongoing cost
- Lengthens disaster recovery
- Complicates group usage and comprehension
- Has user and application owner impact
- Kerberos cross-realm ticket issue
- Lowers security
- Only use is political and at very high cost

We could discuss each of the above points and add more detail, but for most this sums it up quite well. The "Lowers security" reason mainly revolves around the Kerberos cross-realm ticket issue, as the status of a user's account is not checked when a user's Kerberos ticket in another domain is updated - i.e. in a hire/fire scenario, if a user is still logged onto a box in his proper domain his Kerberos ticket would not get renewed in his domain, but it would for an existing session to the root domain. So the user could continue to use resources and grab data from them (e.g. retrieve all company contacts from a GC in the root domain - and if he has write access do other damage etc.).

I've even come across other technical reasons in the meantime that speak against an empty forest root - this involves trusts between different forests and the new forest trust type in Win2003. Empty root domains don't make forest trusts any easier - especially for the end-user.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 26 April 2006 16:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval." I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
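Guido's Kerberos cross-realm point above - a disabled user's existing session to the root domain keeps getting its tickets renewed there - is also a detection problem, and one that needs events from two domains' DCs. The following is an added example and not code from anyone in this thread: it correlates a 4725 (account disabled) event from the home domain's DCs with later 4769/4770 (service ticket requested/renewed) events logged by DCs of another domain for the same account. The event IDs are the real Windows Security IDs; the one-line key=value log format and the sample lines are constructed for the example, not genuine event log output.

```python
"""Flag Kerberos ticket activity for an account after its home domain disabled it.

Added example for this thread, not code from any poster. It correlates Windows
Security events across domains: a 4725 (account disabled) logged by a DC of the
account's home domain, followed by 4769/4770 (service ticket requested/renewed)
logged by a DC of a *different* domain in the forest. The event IDs are real;
the one-line key=value format and the sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

ACCOUNT_DISABLED = 4725  # "A user account was disabled" (user= is the target account)
TGS_REQUESTED = 4769     # "A Kerberos service ticket was requested"
TGS_RENEWED = 4770       # "A Kerberos service ticket was renewed"
TICKET_EVENTS = (TGS_REQUESTED, TGS_RENEWED)


@dataclass
class Event:
    when: datetime
    event_id: int
    dc: str           # DC that logged the event
    dc_domain: str    # domain that DC belongs to
    user: str         # account the event is about
    user_domain: str  # the account's home domain


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> id=.. dc=.. dcdomain=.. user=.. userdomain=..' (constructed format)."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(
        when=datetime.fromisoformat(ts),
        event_id=int(f["id"]),
        dc=f["dc"],
        dc_domain=f["dcdomain"].lower(),
        user=f["user"].lower(),
        user_domain=f["userdomain"].lower(),
    )


def tickets_after_disable(lines: List[str]) -> List[Event]:
    """Return ticket events served by a foreign-domain DC after the account was disabled.

    The thread's point is that a DC in the user's own domain will not renew the
    ticket of a disabled account, while a DC in another domain does not re-check
    the account's status for an existing session; those renewals are the events
    worth alerting on.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.when)
    disabled_at: Dict[Tuple[str, str], datetime] = {}
    hits: List[Event] = []
    for e in events:
        key = (e.user_domain, e.user)
        if e.event_id == ACCOUNT_DISABLED:
            disabled_at.setdefault(key, e.when)  # keep the earliest disable
        elif e.event_id in TICKET_EVENTS:
            t = disabled_at.get(key)
            if t is not None and e.when > t and e.dc_domain != e.user_domain:
                hits.append(e)
    return hits


# Constructed sample: jdoe (child domain "corp") is disabled at 10:00 on a corp DC,
# yet root-domain DCs keep serving his existing session. asmith is never disabled.
SAMPLE_LOG = [
    "2006-04-26T09:00:00 id=4769 dc=CHILDDC1 dcdomain=corp user=jdoe userdomain=corp",
    "2006-04-26T09:05:00 id=4769 dc=ROOTDC1 dcdomain=root user=jdoe userdomain=corp",
    "2006-04-26T10:00:00 id=4725 dc=CHILDDC1 dcdomain=corp user=jdoe userdomain=corp",
    "2006-04-26T10:30:00 id=4770 dc=ROOTDC1 dcdomain=root user=jdoe userdomain=corp",
    "2006-04-26T11:00:00 id=4769 dc=ROOTDC2 dcdomain=root user=jdoe userdomain=corp",
    "2006-04-26T11:05:00 id=4770 dc=ROOTDC1 dcdomain=root user=asmith userdomain=corp",
]

if __name__ == "__main__":
    for hit in tickets_after_disable(SAMPLE_LOG):
        print(f"{hit.when.isoformat()} {hit.event_id} {hit.dc} served "
              f"{hit.user_domain}\\{hit.user} after the account was disabled")
```

The correlation only works if the root domain's DC security logs and the child domain's DC security logs land in the same place; in a single-domain forest the disable and the renewal attempt are adjudicated by the same set of DCs, which is part of why the empty root buys you a monitoring problem rather than a security boundary.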
RE: [ActiveDir] Root Place Holder justification
I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain.

There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, 26 April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available. Other than security, legacy, and most importantly political issues, for most a single domain should be considered.

Where I am, we have 3 domains in a single forest, with one being a root domain. I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain. Though I suspect I would be lynched. :(

We have over 160 sites, and around 150k users within 2 domains, with the slowest link today around 256k link to departmental sites (50 users). The security requirements are the same throughout all domains, and I believe the 2 domains exist for political reasons that fortunately are fading away. Many bad policies and practices grew from one decision to keep things separate.

Of course your company's policies and practices for managing the domain globally go a huge way into that consideration. Issues such as account provisioning, group management, and replication convergence times could impact the business if the infrastructure impact is not understood.

If I had a magic wand I'd wish for a single domain. :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 09:56:04 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a google search):

1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 9:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Root Place Holder justification
Thanks Guido,

Mark

-----Original Message-----
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 17:04:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

There isn't much official documentation available on this topic and if you search the archives you'll see it's been discussed many times. Fact is, that an empty root typically gives a false sense of security. For most scenarios you can even argue that it reduces the overall security of an AD forest.

Here's a nice list of arguments AGAINST an empty forest root domain from Paul Rich, Senior Architecture Engineer within Microsoft's internal IT:

Empty root domain summary
- Adds complexity
- Adds up front cost
- Adds ongoing cost
- Lengthens disaster recovery
- Complicates group usage and comprehension
- Has user and application owner impact
- Kerberos cross-realm ticket issue
- Lowers security
- Only use is political and at very high cost

We could discuss each of the above points and add more detail, but for most this sums it up quite well. The "Lowers security" reason mainly revolves around the Kerberos cross-realm ticket issue, as the status of a user's account is not checked when a user's Kerberos ticket in another domain is updated - i.e. in a hire/fire scenario, if a user is still logged onto a box in his proper domain his Kerberos ticket would not get renewed in his domain, but it would for an existing session to the root domain. So the user could continue to use resources and grab data from them (e.g. retrieve all company contacts from a GC in the root domain - and if he has write access do other damage etc.)

I've even come across other technical reasons in the meantime that speak against an empty forest root - this involves trusts between different forests and the new forest trust type in Win2003. Empty root domains don't make forest trusts any easier - especially for the end-user.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 26 April 2006 16:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for approval.

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
Guido,

My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time... but if I could do it again today, blah, blah". I think the decisions that would use this model today will most likely stem from political and administrative decisions, whereas earlier the infrastructure had a larger impact on such a design.

If only there was the do over button.. :)

J

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 17:08:31 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain.

There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, 26 April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available. Other than security, legacy, and most importantly political issues, for most a single domain should be considered.

Where I am, we have 3 domains in a single forest, with one being a root domain. I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain. Though I suspect I would be lynched. :(

We have over 160 sites, and around 150k users within 2 domains, with the slowest link today around 256k link to departmental sites (50 users). The security requirements are the same throughout all domains, and I believe the 2 domains exist for political reasons that fortunately are fading away. Many bad policies and practices grew from one decision to keep things separate.

Of course your company's policies and practices for managing the domain globally go a huge way into that consideration. Issues such as account provisioning, group management, and replication convergence times could impact the business if the infrastructure impact is not understood.

If I had a magic wand I'd wish for a single domain. :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 09:56:04 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a google search):

1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 9:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
You all knew I had to weigh in on this subject.

First some reading on the subject is found here. I think this is what the initial request for information was for. You might also want to reference the article on Lucent's site she points out for what happens when you remove EA from a child domain, etc. Good information.

http://redmondmag.com/columns/article.asp?EditorialsID=436

I think all the responses on the list pretty much cover the business case scenarios really well. I am going to argue against Empty Roots from a more primitive / narrow minded approach.

See back in 1999/2000 I was a young Exchange Administrator wanting to do good for my organization. Exchange 5.5 and the eventual migration to Exchange 2000 was our primary driver for adopting Windows 2000 Active Directory. At the time, our Exchange Organization supported multiple sites (Remember sites were both administrative and replication boundaries in Exchange 5.5) and so in order to migrate the existing Exchange 5.5 architecture to Exchange 2000, we would have to prune a lot of the NT 4 domains, and establish a core set of domains that would support the decentralized security / administration model of our organization.

The design me and my colleague came up with supported several experimental AD design constructs to promote ease of resource location, and what we thought at the time was security separation of enterprise roles versus domain and data administration function. What fueled our desire to adopt some of these constructs was Microsoft's marchitecture that expounded on how application development could leverage all the standards in AD to centralize management, etc. So we justified going to an Empty Root design to facilitate the separation of security functionality and to centralize the core directory service functions for extending the schema and replication convergence.

Politically we wanted to facilitate collaboration with other operating divisions within our department, so having a natural domain to house these functions also was attractive. Fundamentally, though, we were an email shop and we needed a directory service to facilitate the next generation of Exchange.

The design works and is functional, it allows for us to collaborate and incorporate other entities into our design pretty easily, but operationally it is not streamlined, the technology has a lot of inherent dependencies, and the service isn't optimized for the various roles and functions it serves.

My recommendation is to try to identify what functions you want your directory service to perform, and then stand up ADs or LDAP directories to facilitate the functions required. With the inclusion of MIIS in 2003+ it makes a lot more sense these days to design your security around isolation models than to try and make one big giant AD. It might seem cool, but the number of problems you will run into down the road are greatly compounded when you use the wrong directory for the job.

Todd Myrick

From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Guido,

My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time... but if I could do it again today, blah, blah". I think the decisions that would use this model today will most likely stem from political and administrative decisions, whereas earlier the infrastructure had a larger impact on such a design.

If only there was the do over button.. :)

J

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 17:08:31 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain.

There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, 26 April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available. Other than security, legacy, and most importantly political issues, for most a single domain should be considered.

Where I am, we have 3 domains in a single forest, with one being a root domain. I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making
RE: [ActiveDir] Root Place Holder justification
Jef,

We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :)

I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for approval.

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
"Where's the harm?"

Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :)

I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
I spoke to an MCS engineer on this very topic a while back and he confirmed that Microsoft has gotten away from recommending a dedicated forest root unless there's a compelling reason to have one. Sorry I can't be more specific.

RM

On Wed, 26 Apr 2006 12:49:00 -0600, [EMAIL PROTECTED] said:

Jef,

We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :)

I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for approval.

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
My brother, I welcome you into RDA :) Root Domain Anonymous :)

Though, if the business requires the separation it still has its place today in certain environments. I would just be more adamant at evaluating those business requirements as it relates to the directory.

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 12:49:00 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Jef,

We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. :-)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :)

I admit I was wrong :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
RE: [ActiveDir] Root Place Holder justification
RH, It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process. Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings with it its own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on samaccountname in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory? If we had a single domain, this would not be an issue. I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :( Jef

From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 15:03:06 -0400 "Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please. RH

Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval." I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC. AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, April 26, 2006 7:37 AM To: ActiveDir.org Subject: [ActiveDir] Root Place Holder justification Does anyone have any official documentation as to the justification for a root placeholder, pros and cons? Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root placeholder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation. I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs. I have searched this list and can find no relevant articles. Many thanks Regards Mark

List info: http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
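Jef's point that AD only enforces sAMAccountName uniqueness within a domain, not across the domains of a forest, is something you can check for before aggregating several domains into one directory, and the "which account wins" decision can be made an explicit rule instead of an accident of flow order. The following PowerShell is an added example, not code from the thread or from any of its authors; it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and uses hypothetical domain names in the precedence list.

```powershell
# Added example: list sAMAccountName values that exist in more than one domain of the
# forest and pick a deterministic "winner" for each collision.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Find-DuplicateSamAccountNames {
    param(
        # Domains listed here win collisions, earlier entries first. The names passed
        # at the bottom are hypothetical; replace them with the forest's DNS names.
        [string[]] $DomainPrecedence = @()
    )

    # Rank table for the precedence policy (case-insensitive on DNS names).
    $rank = @{}
    for ($i = 0; $i -lt $DomainPrecedence.Count; $i++) {
        $rank[$DomainPrecedence[$i].ToLower()] = $i
    }

    # Query each domain directly; the forest-wide view is the union of the results,
    # with the source domain tagged onto every record.
    $forest  = Get-ADForest
    $records = foreach ($domain in $forest.Domains) {
        Get-ADUser -Server $domain -Filter * -Properties whenCreated |
            Select-Object @{ n = 'Domain'; e = { $domain } },
                          sAMAccountName, Enabled, whenCreated, ObjectGUID
    }

    $records |
        Group-Object -Property sAMAccountName |
        Where-Object { @($_.Group.Domain | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            $group = $_.Group
            # Winner: domain precedence, then enabled before disabled, then oldest object.
            # Without a rule like this the winner is whichever record happens to flow
            # into the aggregation directory first.
            $winner = $group | Sort-Object `
                @{ Expression = {
                    $d = $_.Domain.ToLower()
                    if ($rank.ContainsKey($d)) { $rank[$d] } else { [int]::MaxValue }
                } },
                @{ Expression = { -not $_.Enabled } },
                @{ Expression = { $_.whenCreated } } |
                Select-Object -First 1

            [pscustomobject]@{
                sAMAccountName = $_.Name
                Domains        = (@($group.Domain | Select-Object -Unique)) -join ', '
                Winner         = "$($winner.Domain)\$($winner.sAMAccountName)"
                Shadowed       = ($group |
                                    Where-Object ObjectGUID -ne $winner.ObjectGUID |
                                    ForEach-Object { "$($_.Domain)\$($_.sAMAccountName)" }) -join ', '
            }
        }
}

# Hypothetical domain names; the first listed wins a collision.
Find-DuplicateSamAccountNames -DomainPrecedence 'corp.example.com', 'eu.corp.example.com' |
    Format-Table -AutoSize
```

Run it before a join into MIIS, ADAM or any other aggregation directory; an empty result means the "which account wins" question never arises, and a non-empty one is the list of names that need a secondary process.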
Re: [ActiveDir] Root Place Holder justification
Dean/Joseph Anything to add? Mark -Original Message- From: Jef Kazimer [EMAIL PROTECTED] Date: Wed, 26 Apr 2006 16:15:09 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification
Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question... -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, April 26, 2006 12:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification
RE: [ActiveDir] Root Place Holder justification
Gil, I think he was looking for other reasons besides the obvious ones (more hardware, licenses, etc.). It would be interesting to quantify the hidden costs related to administration, data consistency, application integration, security, etc. But that is a task for a better man than I... Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 15:26:57 -0700 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org
RE: [ActiveDir] Root Place Holder justification
Who? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, April 26, 2006 6:20 PM To: ActiveDir.org Subject: Re: [ActiveDir] Root Place Holder justification Dean/Joseph Anything to add? Mark
RE: [ActiveDir] Root Place Holder justification
This is quickly becoming one of those religious type argument items. Top post -vs- bottom post. Universal Groups -vs- Domain Local Groups. Open -vs- fixed naming standards. Open Source -vs- proprietary. Linux -vs- Windows. Linux -vs- BSD. IIS -vs- Apache. MySQL -vs- SQL Server. PHP -vs- Perl. Coke -vs- Pepsi. House -vs- ER. Jennifer Aniston -vs- Angelina Jolie. Cats -vs- dogs. Kelly Pickler -vs- Katharine McPhee[1]. Empty Root -vs- No Empty Root. Basically there are valid arguments either way and unless people are willing to actually discuss the true benefits in an unemotional, clear way you end up with whatever the stronger debater wants, for better or worse. There are times that I think empty root is a great idea, there are times when I think it isn't a great idea. I won't recap posts that I have sent multiple times to the list on this topic. Yes, as a general rule MS has backed off the "Everyone should do an empty root" but they haven't gone as far as some would like to think of "Never do an empty root" - though you may be pressed to find someone who doesn't say that. In your situation as in any other, write down the perceived benefits and perceived issues and go from there. It should become pretty clear when you have them up on the whiteboard next to each other. Adding five empty root DCs to a forest that currently only has 6 DCs would put me on the offensive pretty fast against whoever was just throwing that out and I would really make them explain the logic. They may have some good logic behind it, that just may be what their cookie cutter says. In general if you have a single domain, the initial thought should be you need to prove why you need more. If you have multiple domains then the argument, IMO, for an empty root is not as hard a sell; again that is IMO, OMV - as I recently read... In a group of 12 bright people you will have at least 13 opinions.
I am absolutely not saying that I wouldn't do an empty root if I already have just a single domain, I am saying I would need to sit down and write out the reasons for and against like I mentioned above. These are going to vary for companies but people (including myself) have posted various reasons for this that they have thought through, check the archives. I am neither for nor against empty roots in the general case. I like to see what the goals and issues are and work from there. That being said, I don't dislike them like many have grown to. What kinds of issues can you have with empty roots or, more generally, multiple domains in a forest? Well one good issue was mentioned... Stupid applications that can't deal with multiple domains. These usually are ports from other OSes and directories but people writing code for MSFT products aren't exempt from this category either. I seem to recall the PlumTree Software folks having some spectacularly bad ideas around LDAP and AD and they only ran on MSFT OS servers the last I saw (been a couple of years). Exchange, if I were to pick an application at complete random, has issues once the number of domains exceeds the number of domains in their forest that they appear to test on in their RD lab (i.e. 1). They are getting better but still aren't there. LCS as we recall from a week or two ago required Global groups which isn't very multi-domain friendly in many cases (ask anyone who tries to put dom2\user1 into dom1\domain admins). You will note that if you don't do it because of these reasons, it isn't a failing or a problem in AD, it is your crappy apps forcing you. As for Guido and Wook, I don't believe either would outright close the book on whether an empty root should be used or not. They will, however, almost certainly have different things that will push them in that direction but if a reason came up that they thought was pretty good, they would say it was fine as well. So, I would ask the nice partner...
Why do you want to do it this way? Could be they are a bit out of touch and may quote the old security boundary argument which has been thoroughly thrashed out on this list in the past but some people still don't understand. I personally like my safe harbor (from domain level GPO or other domain wide issues) thoughts about a root domain, many tried to take me to task here on the list about it but I still stand behind that idea. I don't think I would more than double the number of DCs to do it though unless I was really scared about the people doing ops or more realistically getting heavy duty access. joe P.S. Top, DLG, fixed, don't care, Windows, BSD, don't care, don't care, perl, Coke, House, either, cats, (Kat) Katharine definitely - Kelly has a blowpop for a brain, don't care. [1] For those outside of the US, this is a reference to our current run of the American Idol TV show. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: