RE: [ActiveDir] Root Place Holder justification

2006-04-28 Thread Rocky Habeeb
Gil,
 
I hear that all the time, plus Hey Rocky, where's Bullwinkle? Hee hee hee.

 
Anyway, for people like me who couldn't see Dean and joe and all the rest of
youse guys even if I had the Hubble telescope, because you're so far out
there, and who go to bed each night praying, Dear God, thank you for not
putting me into Disaster Recovery Mode today! harm means the network is
down.  Period. Case closed. End of story.  That's harm in my book.  Forget
the actual reason, it's not important.
 
In that situation, I don't care about economics or the fact that I have a
couple extra servers in a root domain that technically I could have lived
without.
 
I need concrete, specific reasons why it is detrimental to have a root
domain.
 
Where am I gonna get hurt, in such a fashion that I won't have to worry
about praying at night because I'll be spending all night at work rebuilding
a Forest with a phone glued to my ear and some guy from Zimbabwe who claims
to be working for PSS trying to help me?
 
RH
 
__

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


Hey Rocky,
 
Watch me pull a rabbit out of my hat!
 
Sorry, just had to get that out of my system. Most people on the list won't
have a clue as to what I'm talking about anyway...
 
In any case, how do increased operational costs and overhead not qualify as
harm? I'm confused by your question...
 
-gil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


Where's the harm?
Don't tell me about economics or overhead or other things.
Tell me where the harm is.
Please.
 
RH
_
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification



Jef,

 

We don't have a root domain because somebody smarter than I made that
decision before I took over.  I was convinced at the time we had made a
mistake, but like you have come to the opposite conclusion.

:-)

 

AL

 

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

 

Al,

 

If you had asked me in the year 2000, I could see issues that would drive a
root domain to anchor multiple domains.  I would caution against it now.  I
believe MS had the same stance, and now thinks it may not make as much sense
as it once did.

 

Maybe they should re-evaluate their service offerings. :)  I admit I was
wrong :)

 

Jef


  _  


 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 Mark,
 
 I'm in the same place you are: single forest, single domain, but 30 DCs in
a global deployment with 45k users and 37k computers.  Ran that way for 6
years.
 
 Now we've sold off a business unit of a couple thousand users and they
outsourced to a big 3rd party service provider who insisted they go with an
empty root.  I recommended against it, but the sourcer (whose initials are
E.D.S.) claimed the configuration was supported by Microsoft and that they
had run it by Microsoft for approval.
 
 I think what it boils down to is that this is their standard service and
that's that.  The guys I'm working with are quite knowledgeable and good at
what they do, but they're the front line people and not the deep-thinking
architects we find at DEC.
 
 AL
 
 Al Maurer 
 Service Manager, Naming and Authentication Services 
 IT | Information Technology 
 Agilent Technologies 
 (719) 590-2639; Telnet 590-2639 
 http://activedirectory.it.agilent.com 
 
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Wednesday, April 26, 2006 7:37 AM
 To: ActiveDir.org
 Subject: [ActiveDir] Root Place Holder justification
 
 Does anyone have any official documentation as to the justification for a
root place holder, pros and cons?
 
 Where I am - I have started at one domain and can see no reason to expand
on that - they only have 6 DCs now in a single domain - yet the partner
they have chosen is recommending a root place holder with 5 DCs and then 8
in the child domain (they are NOT even supplying the tin) and I wanted some
decent ammo - a little bit stronger than

RE: [ActiveDir] Root Place Holder justification

2006-04-28 Thread neil.ruston



I doubt a root domain would represent 'harm' in your terms, 
but then again, harm may mean different things to different 
people.

From an architectural stance, harm means a whole lot more. What about added
admin overhead; additional hardware costs, support and maintenance; additional
complexities which are the result of deploying extra domains; etc etc. These
are 'harmful' to the firm in the same way as a network outage is, IMHO.



my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil,

I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee.


Anyway, for people like me who couldn't see Dean and joe and all the rest 
of youse guys even if I had the Hubble telescope, because you're so far out 
there, and who go to bed each night praying, "Dear God, thank you for not 
putting me into Disaster Recovery Mode today!" harm means the network is 
down. Period. Case closed. End of story. That's harm in my 
book. Forget the actual reason, it's not important.

In that situation, I don't care about economics or the fact that I have a
couple extra servers in a root domain that technically I could have lived
without.

I need concrete, specific reasons why it is detrimental to have a root
domain.

Where 
am I gonna get hurt, in such a fashion that I won't have to worry about praying 
at night because I'll be spending all night at work rebuilding a Forest with a 
phone glued to my ear and some guy from Zimbabwe who claims to be working for 
PSS trying to help me?

RH

__

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Wednesday, April 26, 2006 6:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Root Place Holder justification

  Hey Rocky,
  
  Watch me pull a rabbit out of my hat!
  
  Sorry, just had to get that out of my system. Most people 
  on the list won't have a clue as to what I'm talking about 
  anyway...
  
  In any case, how do increased 
  operational costs and overhead not qualify as "harm"? I'm confused by your 
  question...
  
  -gil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
  Sent: Wednesday, April 26, 2006 12:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Root Place Holder justification
  
  "Where's the 
  harm?"
  Don't tell me about economics 
  or overhead or other things.
  Tell me where the "harm" 
  is.
  Please.
  
  RH
  _
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don't have a root domain because somebody smarter than I made that
decision before I took over. I was convinced at the time we had made a
mistake, but like you have come to the opposite conclusion.
:-)

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 
2000, I could see issues that would drive a root domain to anchor multiple 
domains. I would caution against it now. I believe MS had the 
same stance, and now thinks it may not make as much sense as it once 
did.

Maybe they should re-evaluate 
their service offerings. :) I admit I was wrong 
    :)

    Jef


    
     Subject: RE: [ActiveDir] Root Place Holder justification
     Date: Wed, 26 Apr 2006 08:03:19 -0600
     From: [EMAIL PROTECTED]
     To: ActiveDir@mail.activedir.org

     Mark,

     I'm in the same place you are: single forest, single domain, but 30 DCs
     in a global deployment with 45k users and 37k computers. Ran that way
     for 6 years.

     Now we've sold off a business unit of a couple thousand users and they
     outsourced to a big 3rd party service provider who insisted they go with
     an empty root. I recommended against it, but the sourcer (whose initials
     are E.D.S.) claimed the configuration was supported by Microsoft and that
     they had run it by Microsoft for "approval."

     I think what it boils down to is that this is their standard service and
     that's that. The guys I'm working with are quite knowledgeable and good
     at what they do, but they're the front line people and not the
     deep-thinking a

RE: [ActiveDir] Root Place Holder justification

2006-04-28 Thread Jef Kazimer


Neil,

In some ways they may be even more harmful. Network outages have their own fixes, hardware failures have replacements, deleted data (should) have backups.

Solutions for bad process and policy due to architecture decisions? Not as cut and dry, and could be most costly in the long run as the problems compound. I know we just did an analysis of the cost of directory remediation due to cleaning up bad data stemming from bad processes. It is easily in the 6 digits when you factor in manpower, systems, delaying of applications due to bad data, etc.

A root domain may not be the cause of such things, but how the environment will be managed and the pitfalls should be thought of.

Jef


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Fri, 28 Apr 2006 15:20:45 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org





I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people.

From an architectural stance, harm means a whole lot more. What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO.



my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil,

I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee.

Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important.

In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without.

I need concrete, specific reasons why it is detrimental to have a root domain.

Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

__


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway...

In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
:-)

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 Mark,

 I'm in the same place you are: single forest, single domain, but 30 DCs in a global deploym

RE: [ActiveDir] Root Place Holder justification

2006-04-28 Thread joe



I read your post 
as

You need good policy and 
procedures and actually adhere to them. 

I 100% agree, doesn't 
matter if you have 1 domain or 30 domains (and that could be 29 full or empty or 
any combination domains). 

I recently had to sit in on a meeting to listen to some folks discuss a
failure and from a very small problem it escalated into a week long massive
outage. All due to poor communications, and lack of process to account for
the new environment. They had process for the old NT4/E5.5 environment and
they tried to follow it and it all went horribly wrong of course. Also there
was a massive failure, IMO, in that they didn't review all management and
support processes during and after the migration to a new environment. They
were and still are managing a single AD forest like they managed a
conglomerate of loosely connected trusted NT4 domains. No centralized
management hence no real strong grasp of what is happening at the 30k foot
level so things are falling on their heads.


But anyway, great post, 
just not an issue due to empty root domains. :)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Neil,

In some ways they may be even more harmful. Network outages have 
their own fixes, hardware failures have replacements, deleted data 
(should) have backups.

Solutions for bad process and policy due to architecture decisions? Not 
as cut and dry, and could be most costly in the long run as the problems 
compound. I know we just did an analysis of the cost of directory 
remediation due to cleaning up bad data stemming from bad processes. 
It is easily in the 6 digits when you factor in manpower, systems, 
delaying of applications due to bad data, etc.

A root domain may not be the cause of such things, but how the 
environment will be managed and the pitfalls should be thought of.

Jef

  
  Subject: RE: [ActiveDir] Root Place Holder justification
  Date: Fri, 28 Apr 2006 15:20:45 +0100
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  
  

  

  I doubt a root domain would represent 'harm' in your terms, but 
  then again, harm may mean different things to different 
  people.
  
  From an architectural stance, harm means a whole lot more. What about added
  admin overhead; additional hardware costs, support and maintenance;
  additional complexities which are the result of deploying extra domains;
  etc etc. These are 'harmful' to the firm in the same way as a network
  outage is, IMHO.
  
  
  
  my 2 penneth,
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
  Sent: 28 April 2006 14:51
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Root Place Holder justification
  
  Gil,
  
  I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Hee hee hee.
  
  
  Anyway, for 
  people like me who couldn't see Dean and joe and all the rest of youse guys 
  even if I had the Hubble telescope, because you're so far out there, and who 
  go to bed each night praying, "Dear God, thank you for not putting me into 
  Disaster Recovery Mode today!" harm means the network is down. Period. 
  Case closed. End of story. That's harm in my book. Forget the 
  actual reason, it's not important.
  
  In that situation, I don't care about economics or the fact that I have a
  couple extra servers in a root domain that technically I could have lived
  without.
  
  I need concrete, specific reasons why it is detrimental to have a root
  domain.
  
  Where am I 
  gonna get hurt, in such a fashion that I won't have to worry about praying at 
  night because I'll be spending all night at work rebuilding a Forest with a 
  phone glued to my ear and some guy from Zimbabwe who claims to be working for 
  PSS trying to help me?
  
  RH
  
  __
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, April 26, 2006 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people on 
the list won't have a clue as to what I'm talking about 
anyway...

In any case, how do increased 
operational costs and overhead not qualify as "harm"? I'm confused by your 
question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's

RE: [ActiveDir] Root Place Holder justification

2006-04-27 Thread Almeida Pinto, Jorge de
i think he meant. joseph  ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-04-27 01:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification



Who?


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 6:20 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Root Place Holder justification


Dean/Joseph

Anything to add?

Mark

-Original Message-
From: Jef Kazimer [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 16:15:09
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

RH,



It comes in the management issues.   I currently deal with people creating a 
secondary account in the peer domain because they do not want to bother (or 
understand that they can) to use the existing account.   I think a lot of this 
stems from lack of centralized policy and process that was not capable due to 
process.


Also a common problem is multiple partitions.   I deal with many 3rd party 
applications that can only bind to a SINGLE directory partition and cannot 
chase referrals.  We had to implement an MIIS system to aggregate the active 
users from 3 domains into a single ADAM instance so that a very popular 3 
letter application could utilize them for authentication.  This brings into 
its own problems of duplicate account names since without a secondary process 
AD does not enforce uniqueness on samaccountname in a forest.  So which account 
wins when you have a duplicate and flow it into an aggregation directory?



If we had a single domain, this would not be an issue.



I suppose I am going to give you more gripes than hard facts as to why I think 
it causes problems right now though. :(



Jef















 From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400

Where's the harm?
Don't tell me about economics or overhead or other things.
Tell me where the harm is.
Please.
 
RH
_
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification



Jef,



We don't have a root domain because somebody smarter than I made that decision 
before I took over.  I was convinced at the time we had made a mistake, but 
like you have come to the opposite conclusion.

:-)



AL




Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com/





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification



Al,



If you had asked me in the year 2000, I could see issues that would drive a 
root domain to anchor multiple domains.  I would caution against it now.  I 
believe MS had the same stance, and now thinks it may not make as much sense as 
it once did.



Maybe they should re-evaluate their service offerings. :)  I admit I was wrong 
:)



Jef




 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 Mark,

 I'm in the same place you are: single forest, single domain, but 30 DCs in a 
 global deployment with 45k users and 37k computers.  Ran that way for 6 years.

 Now we've sold off a business unit of a couple thousand users and they 
 outsourced to a big 3rd party service provider who insisted they go with an 
 empty root.  I recommended against it, but the sourcer (whose initials
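
A worked example added here (it is not code from the thread or from any list
member) for the duplicate-account problem Jef describes above: AD only makes
sAMAccountName unique within a domain, so before accounts from several domains
are flowed into one aggregation directory it is worth auditing the forest for
names that are reused across domains. The script assumes the RSAT
ActiveDirectory module is installed and that the caller has read access to
every domain in the forest; the function name Find-DuplicateSamAccountName is
my own choice.

```powershell
# Added example, not from the thread: report sAMAccountName values that occur in
# more than one domain of the forest, the collision an MIIS/ADAM-style aggregation
# would have to resolve. Assumes RSAT ActiveDirectory module and read access.
Import-Module ActiveDirectory

function Find-DuplicateSamAccountName {
    param(
        # Domains to inspect; defaults to every domain in the current forest.
        [string[]] $Domain = (Get-ADForest).Domains
    )

    # Collect enabled users from each domain, tagging each with its source domain.
    $accounts = foreach ($d in $Domain) {
        Get-ADUser -Server $d -Filter 'Enabled -eq $true' -Properties whenCreated |
            ForEach-Object {
                [pscustomobject]@{
                    # sAMAccountName compares case-insensitively, so normalise it.
                    SamAccountName    = $_.SamAccountName.ToLowerInvariant()
                    Domain            = $d
                    DistinguishedName = $_.DistinguishedName
                    WhenCreated       = $_.whenCreated
                }
            }
    }

    # A name seen in more than one domain is the case Jef asks about:
    # "which account wins" is a policy question, so report all contenders.
    $accounts | Group-Object -Property SamAccountName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.Name
                Domains        = ($_.Group.Domain | Sort-Object -Unique) -join ', '
                Accounts       = $_.Group | Sort-Object WhenCreated   # oldest first
            }
        }
}

# Usage: list every duplicate and the competing accounts, oldest first.
Find-DuplicateSamAccountName | ForEach-Object {
    Write-Output ("{0}: {1}" -f $_.SamAccountName, $_.Domains)
    $_.Accounts | Format-Table Domain, DistinguishedName, WhenCreated -AutoSize
}
```

Running this per domain rather than through a global catalog query is
deliberate: the GC holds sAMAccountName for every object in the forest, but
querying each domain's own partition avoids depending on GC replication lag
and keeps the report attributable to the domain that owns each account.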

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread al_maurer
Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a 
global deployment with 45k users and 37k computers.  Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they 
outsourced to a big 3rd party service provider who insisted they go with an 
empty root.  I recommended against it, but the sourcer (whose initials are 
E.D.S.) claimed the configuration was supported by Microsoft and that they had 
run it by Microsoft for approval.

I think what it boils down to is that this is their standard service and that's 
that.  The guys I'm working with are quite knowledgeable and good at what they 
do, but they're the front line people and not the deep-thinking architects we 
find at DEC.

AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root 
place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to expand on 
that - they only have 6 DCs now in a single domain - yet the partner they have 
chosen is recommending a root place holder with 5 DCs and then 8 in the child 
domain (they are NOT even supplying the tin) and I wanted some decent ammo - a 
little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and 
Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Almeida Pinto, Jorge de
to have an empty forest root domain or not... (things I just thought of)
 
 
POSSIBLE REASONS TO HAVE ONE:

*   Large, complex and dynamic organizations
*   Organization with independent departments and decentralized IT 
departments (because of this one or more IT departments does not accept the 
other as being the forest root domain)
*   Wish to have a forest root domain that is department/region/location 
independent (incl. its name) (better possibilities to transfer ownership and 
better resistant to organizational changes)
*   Stronger security policies for admin accounts

POSSIBLE REASONS NOT TO HAVE ONE:

*   Organization with a centralized IT department
*   Static organizations
*   Additional costs and hardware

You could have a look at the Windows Server System Reference Architecture --
http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx
Directory Services Guide --
http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true
(search for the section called "Forest Root Design")

my 2 cents
 
cheers,
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 2006-04-26 15:36
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification



Does anyone have any official documentation as to the justification for a root 
place holder, pro's and con's ?

Where I am - I have started at one domain and can see no reason to expand on 
that - they only have 6 DC's now in a single domain - yet the partner they have 
chosen is recommending a root place holder with 5 DC's and then 8 in the child
domain (they are NOT even supplying the tin) and I wanted some decent ammo - a
little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and
Wook have stated this for the past two DEC's

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Almeida Pinto, Jorge de
forgot to mention in my previous post..
 
always go for a single domain forest! unless blabla... yadayada... (and this
should be a STRONG reason)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Wed 2006-04-26 15:36
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification



Does anyone have any official documentation as to the justification for a root 
place holder, pro's and con's ?

Where I am - I have started at one domain and can see no reason to expand on 
that - they only have 6 DC's now in a single domain - yet the partner they have 
chosen is recommending a root place holder with 5 DC's and then 8 in the child
domain (they are NOT even supplying the tin) and I wanted some decent ammo - a
little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and
Wook have stated this for the past two DEC's

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Dave Wade


Number 1 of these really drives me nuts and at this point I usually
start shouting. As domains do NOT limit resource access, i.e. users in
Domain A can access resources in domain B (in fact that's the usual
reason for having trusts between domains) and the other way round, how can
you justify different Security Requirements? They are in effect both
securing the same objects.

Number 2 tends to become irrelevant if you have Exchange because that
stuffs everything back into the GC that the AD designers took out, and
you really need GCs everywhere.

Number 3 = Is a good reason to start rationalizing.

Having said that, when I worked for Compaq I produced a number of designs
with an Empty Root and, as others have said, these were always passed by
both Microsoft and Andersen Consulting as they were then. Personally I
would like to see the business benefit that all those extra DC's
deliver. (That is business benefit to the customer, not to the server
supplier and Microsoft).

Dave.

P.S. Please note that the above are my personal views and not those of
Stockport Council.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 14:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


Your subject is your answer. They need to justify a root domain. Is
there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a
google search):

1. Security requirements are different (password, lockout, and Kerberos
policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number
of objects in a domain with slow links - if the slowest link is 56 kbps,
the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup. 

I question number three myself. I would rather clean it up than continue
with a past decision but I guess that depends upon the impact to
operations and the complexity of consolidation.

 



RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Kennedy, Jim

I view number 1 security issues more at the GPO level than the resource
level. Password and lockout policies on accounts.

For example in my environment (public school) I could make a case that
Teachers need a strong password policy and a quick lockout while the
students do not (and should not because they typo passwords so often).
We don't do that and only have a single domain but it is a valid
example.

I could only get the above with teachers in one domain and students in
another. But that is a case for two domains, not the empty root domain
that it seems the OP is being pushed towards.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
 Sent: Wednesday, April 26, 2006 10:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Root Place Holder justification
 
 
 
 Number 1 of these really drives me nuts and at this point I
 usually start shouting. As domains do NOT limit resource
 access, i.e. users in Domain A can access resources in
 domain B (in fact that's the usual reason for having trusts
 between domains) and the other way round, how can you justify
 different Security Requirements? They are in effect both
 securing the same objects.
 
 Number 2 tends to become irrelevant if you have Exchange
 because that stuffs everything back into the GC that the AD
 designers took out, and you really need GCs everywhere.
 
 Number 3 = Is a good reason to start rationalizing.
 
 Having said that, when I worked for Compaq I produced a number
 of designs with an Empty Root and, as others have said, these
 were always passed by both Microsoft and Andersen Consulting
 as they were then. Personally I would like to see the
 business benefit that all those extra DC's deliver. (That is
 business benefit to the customer, not to the server supplier
 and Microsoft).
 
 Dave.
 
 P.S. Please note that the above are my personal views and not those
 of Stockport Council.
 
 

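Jim's point above (password and lockout policy is set once per domain, so teachers and students cannot get different settings inside one domain) is something a defender can verify rather than assume. The PowerShell below is an added example, not code from the thread or from any of its posters; it assumes the ActiveDirectory module on a domain-joined admin workstation and two groups named Teachers and Students (assumed names) holding the two populations. It reports which password and lockout policy each population actually gets. Get-ADUserResultantPasswordPolicy returns a fine-grained policy only where one applies (fine-grained password policies arrived with the Windows Server 2008 domain functional level, after this thread was written); otherwise the account is governed by the single default domain policy, which is the constraint discussed here.

```powershell
# Added example, not from the thread. Assumed group names: Teachers, Students.
Import-Module ActiveDirectory

# The domain-wide policy every account falls back to when no fine-grained policy applies.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # A fine-grained policy (PSO) wins if one applies to the user or a group they are in;
    # otherwise the account is governed by the domain-wide default policy.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) {
        return [pscustomobject]@{ Source = $pso.Name; Policy = $pso }
    }
    return [pscustomobject]@{ Source = 'Default Domain Policy'; Policy = $domainPolicy }
}

function Get-PopulationPolicySummary {
    param([Parameter(Mandatory)][string]$GroupName)
    # One row per user in the group (nested groups included) with the settings that apply.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $e = Get-EffectivePasswordPolicy -SamAccountName $_.SamAccountName
            [pscustomobject]@{
                Population        = $GroupName
                User              = $_.SamAccountName
                Source            = $e.Source
                MinPasswordLength = $e.Policy.MinPasswordLength
                LockoutThreshold  = $e.Policy.LockoutThreshold   # 0 means accounts never lock out
                MaxPasswordAge    = $e.Policy.MaxPasswordAge
            }
        }
}

$rows = foreach ($g in 'Teachers', 'Students') { Get-PopulationPolicySummary -GroupName $g }

# One line per population and policy source. If every line says
# "Default Domain Policy", teachers and students share exactly the same
# password and lockout settings, which is the situation the thread describes.
$rows | Group-Object Population, Source | ForEach-Object {
    [pscustomobject]@{
        'Population, Source' = $_.Name
        Users                = $_.Count
        MinPasswordLength    = $_.Group[0].MinPasswordLength
        LockoutThreshold     = $_.Group[0].LockoutThreshold
        MaxPasswordAge       = $_.Group[0].MaxPasswordAge
    }
} | Format-Table -AutoSize
```

The script is read-only. If both populations come back with the same source and the same numbers, a second domain (or, on a newer functional level, a fine-grained policy) is the only way to give one group a stronger policy than the other.
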
RE: [ActiveDir] Root Place Holder justification drifting off topic slightly

2006-04-26 Thread Dave Wade
As an Ex-Teacher, I think the problems of Pupils messing with other
Pupils accounts means they should have the same settings as teachers. If
they forget the password it should be worksheets for three weeks!

However, point taken, there are some accounts that should have higher
security settings; perhaps this is a real design flaw in AD.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification


I view number 1 security issues more at the GPO level than the resource
level. Password and lockout policies on accounts.

For example in my environment (public school) I could make a case that
Teachers need a strong password policy and a quick lockout while the
students do not (and should not because they typo passwords so often).
We don't do that and only have a single domain but it is a valid
example.

I could only get the above with teachers in one domain and students in
another. But that is a case for two domains, not the empty root domain
that it seems the OP is being pushed towards.



RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Brian Desmond
 For example in my environment (public school) I could make a case that
 Teachers need a strong password policy and a quick lockout while the
 students do not (and should not because they typo passwords so often).
 We don't do that and only have a single domain but it is a valid
 example.

Been down that exact road before a few times. Ended up making the kids
rough it out and learn how to have a real password, might as well learn
sooner or later you know. Your website says you have about as many area
residents as I do employees too. :)

MCS pitched this client's empty root and two child domain model that was
partially an internal political compromise ... there's no real technical
value other than I have a lot more hardware to worry about on any given
day. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Kennedy, Jim
 Sent: Wednesday, April 26, 2006 10:44 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Root Place Holder justification
 
 
 I view number 1 security issues more at the GPO level than the resource
 level. Password and lockout policies on accounts.
 
 For example in my environment (public school) I could make a case that
 Teachers need a strong password policy and a quick lockout while the
 students do not (and should not because they typo passwords so often).
 We don't do that and only have a single domain but it is a valid
 example.
 
 I could only get the above with teachers in one domain and students in
 another. But that is a case for two domains, not the empty root domain
 that it seems the OP is being pushed towards.
 
 

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 Mark,
 
 I'm in the same place you are: single forest, single domain, but 30 DCs in a
 global deployment with 45k users and 37k computers. Ran that way for 6 years.
 
 Now we've sold off a business unit of a couple thousand users and they
 outsourced to a big 3rd party service provider who insisted they go with an
 empty root. I recommended against it, but the sourcer (whose initials are
 E.D.S.) claimed the configuration was supported by Microsoft and that they had
 run it by Microsoft for "approval."
 
 I think what it boils down to is that this is their standard service and
 that's that. The guys I'm working with are quite knowledgeable and good at
 what they do, but they're the front line people and not the deep-thinking
 architects we find at DEC.
 
 AL
 
 Al Maurer
 Service Manager, Naming and Authentication Services
 IT | Information Technology
 Agilent Technologies
 (719) 590-2639; Telnet 590-2639
 http://activedirectory.it.agilent.com
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Wednesday, April 26, 2006 7:37 AM
 To: ActiveDir.org
 Subject: [ActiveDir] Root Place Holder justification
 
 Does anyone have any official documentation as to the justification for a root
 place holder, pro's and con's ?
 
 Where I am - I have started at one domain and can see no reason to expand on
 that - they only have 6 DC's now in a single domain - yet the partner they have
 chosen is recommending a root place holder with 5 DC's and then 8 in the child
 domain (they are NOT even supplying the tin) and I wanted some decent ammo - a
 little bit stronger than schema and Ent admin separation.
 
 I know at DEC the consensus was the desire to eliminate and I believe Guido and
 Wook have stated this for the past two DEC's
 
 I have searched this list and can find no relevant articles.
 
 Many thanks
 
 Regards
 
 Mark


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


The problem I always had with the idea of a tighter security for a root domain for admins is that it doesn't always flow down correctly for all tasks in the child domains.

I.e.

You have your Admins in the ROOT domain which has a tighter security policy than your child domain. Yet you can't place these users in the Domain Admins group of the child domain since it is a global group and is not accepting users from the root domain.

You can place the users in the Administrators group, but this does not get you everything in the child domain since most things are ACL'd by Domain Admins by default and not the domain's Administrators group.


So you can use these Admins with a tighter security policy to do actions that are 90% of the job because they are Administrators, but for that extra 10% you would need a child domain account without the higher security policy in the Domain Admins group.

Of course this can all be done using different ACL's and task groups and what not, but is there a simpler way that I am missing?

Jef

 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 16:03:13 +0200
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 to have an empty forest root domain or not... (things I just thought of)
 
 POSSIBLES FOR "TO HAVE":
 
 * Large, complex and dynamic organizations
 * Organization with independent departments and decentralized IT departments
   (because of this, one or more IT departments do not accept the other as being
   the forest root domain)
 * Wish to have a forest root domain that is department/region/location
   independent (incl. its name) (better possibilities to transfer ownership and
   better resistant to organizational changes)
 * Stronger security policies for admin accounts
 
 POSSIBLES FOR "NOT TO HAVE":
 
 * Organization with a centralized IT department
 * Static organizations
 * Additional costs and hardware
 
 You could have a look at the Windows Server System Reference Architecture --
 http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx
 Directory Services Guide --
 http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true
 (search for the section called "Forest Root Design")
 
 my 2 cents
 
 cheers,
 jorge
 
 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address
 
 From: [EMAIL PROTECTED] on behalf of Mark Parris
 Sent: Wed 2006-04-26 15:36
 To: ActiveDir.org
 Subject: [ActiveDir] Root Place Holder justification
 
 Does anyone have any official documentation as to the justification for a root
 place holder, pro's and con's ?
 
 Where I am - I have started at one domain and can see no reason to expand on
 that - they only have 6 DC's now in a single domain - yet the partner they have
 chosen is recommending a root place holder with 5 DC's and then 8 in the child
 domain (they are NOT even supplying the tin) and I wanted some decent ammo - a
 little bit stronger than schema and Ent admin separation.
 
 I know at DEC the consensus was the desire to eliminate and I believe Guido and
 Wook have stated this for the past two DEC's
 
 I have searched this list and can find no relevant articles.
 
 Many thanks
 
 Regards
 
 Mark

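The two facts in Jef's post, that Domain Admins is a global group (so it cannot hold accounts from the root domain) while the built-in Administrators group is domain-local (so it can), and that the default ACLs name Domain Admins rather than Administrators, can be checked read-only before anybody is granted anything. The PowerShell below is an added example, not code from the thread or from any poster; it assumes the ActiveDirectory module, a forest root named root.example.com with a child domain child.root.example.com, and an account rootadmin in the root domain (all assumed names). It reports each group's scope, whether that scope can hold the root account at all, and which of the two groups the child domain head's ACL actually grants rights to.

```powershell
# Added example, not from the thread. All domain and account names are assumptions.
Import-Module ActiveDirectory

$rootDomain  = 'root.example.com'
$childDomain = 'child.root.example.com'
$rootAccount = 'rootadmin'

$child    = Get-ADDomain -Server $childDomain
$rootUser = Get-ADUser -Identity $rootAccount -Server $rootDomain
# An account is "foreign" to the child when its SID belongs to another domain.
$isForeign = $rootUser.SID.AccountDomainSid -ne $child.DomainSID

# Global groups only accept principals from their own domain; domain-local and
# universal groups also accept principals from trusted domains in the forest.
function Test-GroupCanHoldMember {
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)][bool]$MemberIsForeign)
    return (-not $MemberIsForeign) -or ($Group.GroupScope -ne 'Global')
}

$groups = 'Domain Admins', 'Administrators' |
    ForEach-Object { Get-ADGroup -Identity $_ -Server $childDomain }

foreach ($g in $groups) {
    $ok = Test-GroupCanHoldMember -Group $g -MemberIsForeign $isForeign
    '{0,-15} scope={1,-12} can hold {2}: {3}' -f $g.Name, $g.GroupScope, "$rootDomain\$rootAccount", $ok
}

# Mount the child domain as a drive so Get-Acl can read its directory ACLs.
New-PSDrive -Name ChildAD -PSProvider ActiveDirectory -Server $childDomain -Root '' | Out-Null

function Get-AdminGroupAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Keep only the ACEs granted to the two groups under discussion, so the output
    # shows which one the object's security descriptor actually names.
    (Get-Acl -Path "ChildAD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -match '\\(Domain Admins|Administrators)$' } |
        Select-Object @{n='Identity';e={$_.IdentityReference.Value}},
                      ActiveDirectoryRights, AccessControlType, IsInherited
}

# The domain head is where the default descriptor that Jef refers to can be read;
# point the same function at any other container to compare.
Get-AdminGroupAces -DistinguishedName $child.DistinguishedName |
    Sort-Object Identity | Format-Table -AutoSize
```

Nothing here changes group membership or ACLs; it only shows the gap Jef describes so that the remaining rights can be delegated deliberately (through task-specific groups and ACEs) instead of by handing out a child-domain Domain Admins account.
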

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Grillenmeier, Guido
There isn't much official documentation available on this topic and if
you search the archives you'll see it's been discussed many times.
Fact is that an empty root typically gives a false sense of security.
For most scenarios you can even argue that it reduces the overall
security of an AD forest.

Here's a nice list of arguments AGAINST an empty forest root domain from
Paul Rich, Senior Architecture Engineer within Microsoft's internal IT:

Empty root domain summary
- Adds complexity
- Adds up front cost
- Adds ongoing cost
- Lengthens disaster recovery
- Complicates group usage and comprehension
- Has user and application owner impact
- Kerberos cross-realm ticket issue
- Lowers security
- Only use is political and at very high cost 

We could discuss each of the above points and add more detail, but for
most this sums it up quite well. The "Lowers security" reason mainly
revolves around the Kerberos cross-realm ticket issue, as the status of a
user's account is not checked when a user's Kerberos ticket in another
domain is updated - i.e. in a hire/fire scenario, if a user is still
logged onto a box in his proper domain his Kerberos ticket would not get
renewed in his domain, but it would for an existing session to the root
domain. So the user could continue to use resources and grab data from
them (e.g. retrieve all company contacts from a GC in the root domain -
and if he has write access do other damage etc.)

I've even come across other technical reasons in the meantime that
speak against an empty forest root - this involves trusts between
different forests and the new forest trust type in Win2003. Empty root
domains don't make forest trusts any easier - especially for the
end-user.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, 26 April 2006 16:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs
in a global deployment with 45k users and 37k computers.  Ran that way
for 6 years.

Now we've sold off a business unit of a couple thousand users and they
outsourced to a big 3rd party service provider who insisted they go with
an empty root.  I recommended against it, but the sourcer (whose
initials are E.D.S.) claimed the configuration was supported by
Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and
that's that.  The guys I'm working with are quite knowledgeable and good
at what they do, but they're the front line people and not the
deep-thinking architects we find at DEC.

AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for
a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to
expand on that - they only have 6 DCs now in a single domain - yet the
partner they have chosen is recommending a root place holder with 5 DCs
and then 8 in the child domain (they are NOT even supplying the tin) and
I wanted some decent ammo - a little bit stronger than schema and Ent
admin separation.

I know at DEC the consensus was the desire to eliminate and I believe
Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Grillenmeier, Guido

> I believe many of our headaches stem from this past decision (in place
> before I was here) and often ponder making the bold statement of
> considering collapsing them all into a single domain.

There is nothing wrong with a past decision that was based on the
knowledge and recommendations available at the time. I've designed and
implemented empty root forest-models myself and I believe most companies
have implemented this model in the early days of AD. But with the
knowledge we have about this infrastructure today, there's hardly a
reason to stick to this model.

/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, 26 April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD
and infrastructure that is available. Other than security, legacy, and
most importantly political issues, for most a single domain should be
considered.

Where I am, we have 3 domains in a single forest, with one being a root
domain. I believe many of our headaches stem from this past decision (in
place before I was here) and often ponder making the bold statement of
considering collapsing them all into a single domain. Though I suspect I
would be lynched. :(

We have over 160 sites, and around 150k users within 2 domains, with the
slowest link today around 256k link to departmental sites (50 users).

The security requirements are the same throughout all domains, and I
believe the 2 domains exist for political reasons that fortunately are
fading away. Many bad policies and practices grew from one decision to
keep things separate.

Of course your company's policies and practices for managing the domain
globally go a huge way into that consideration. Issues such as account
provisioning, group management, and replication convergence times could
impact the business if the infrastructure impact is not understood.

If I had a magic wand, I'd wish for a single domain. :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 09:56:04 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Your subject is your answer. They need to justify a root domain. Is
there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a
google search)

1. Security requirements are different (password, lockout, and Kerberos
policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number
of objects in a domain with slow links - if the slowest link is 56kbps,
the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue
with a past decision but I guess that depends upon the impact to
operations and the complexity of consolidation.
   
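
Guido's list earlier in the thread says the placeholder root lowers
security because its DCs still own the forest-wide groups and (as GCs) a
copy of every account while holding no real users, and the "three
reasons" post quoted above makes per-domain password/lockout/Kerberos
policy the main technical justification for a second domain. The script
below is an added example, not code from anyone on the list, that pulls
those facts out of a live forest so the argument can be had with numbers:
it inventories every domain, flags a root with no member servers and only
a handful of users as a placeholder, lists who sits in Enterprise Admins
and Schema Admins (which only exist in the root), lists each domain's
trusts, and reports whether password and lockout policy actually differ
between domains. It assumes the RSAT ActiveDirectory module and read
access to all domains; the $MaxPlaceholderUsers threshold and the
built-in account names it excludes are assumptions. It does not look at
Kerberos ticket lifetimes: the cross-realm ticket point above concerns
tickets already issued, which directory data will not show.

```powershell
# Added example (not from the thread): inventory a forest and flag an "empty root"
# placeholder domain, then show what the root DCs still carry for the whole forest.
# Requires the RSAT ActiveDirectory module and read access to every domain.
#Requires -Modules ActiveDirectory
param(
    # Assumption: a root with more "real" users than this is not a placeholder.
    [int]$MaxPlaceholderUsers = 25
)

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain
$rootSid = $rootDom.DomainSID.Value

Write-Host "Forest $($forest.Name): root=$($forest.RootDomain), mode=$($forest.ForestMode)"
Write-Host "Schema master: $($forest.SchemaMaster); domain naming master: $($forest.DomainNamingMaster)"
Write-Host ""

# Forest-wide groups live only in the root domain: RID 518 = Schema Admins, 519 = Enterprise Admins.
foreach ($rid in 518, 519) {
    $grp     = Get-ADGroup -Identity "$rootSid-$rid" -Server $forest.RootDomain
    $members = Get-ADGroupMember -Identity $grp -Server $forest.RootDomain -Recursive
    Write-Host ("{0,-18} members: {1}" -f $grp.Name, (($members | ForEach-Object SamAccountName) -join ', '))
}
Write-Host ""

$report = foreach ($dn in $forest.Domains) {
    $d = Get-ADDomain -Identity $dn
    # Assumption: the default accounts keep their default names; exclude them so a
    # placeholder counts as (near) zero users.
    $users     = @(Get-ADUser -Filter * -Server $dn |
                   Where-Object { $_.SamAccountName -notin 'Administrator', 'Guest', 'krbtgt' })
    $computers = @(Get-ADComputer -Filter * -Server $dn)
    $dcs       = @($d.ReplicaDirectoryServers) + @($d.ReadOnlyReplicaDirectoryServers)
    $members   = @($computers | Where-Object { $_.DNSHostName -notin $dcs })
    $policy    = Get-ADDefaultDomainPasswordPolicy -Identity $dn
    $trusts    = @(Get-ADTrust -Filter * -Server $dn)

    [pscustomobject]@{
        Domain           = $dn
        IsRoot           = ($dn -eq $forest.RootDomain)
        DCs              = $dcs.Count
        # GCs in this domain hold a partial replica of every object in the forest.
        GCs              = @($forest.GlobalCatalogs | Where-Object { $_ -in $dcs }).Count
        Users            = $users.Count
        MemberServers    = $members.Count
        MinPwdLen        = $policy.MinPasswordLength
        LockoutThreshold = $policy.LockoutThreshold
        Trusts           = ($trusts | ForEach-Object {
                               $kind = if ($_.ForestTransitive) { 'forest' }
                                       elseif ($_.IntraForest) { 'intra-forest' }
                                       else { 'external' }
                               "$($_.Name) [$($_.Direction), $kind]"
                           }) -join '; '
        Placeholder      = ($dn -eq $forest.RootDomain -and
                            $users.Count -le $MaxPlaceholderUsers -and
                            $members.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

$ph = $report | Where-Object Placeholder
if ($ph) {
    Write-Warning "Root domain $($ph.Domain) looks like an empty placeholder: $($ph.DCs) DC(s) serving $($ph.Users) real user(s)."
    Write-Warning "Those DCs still hold the forest-wide groups listed above and, if they are GCs, a copy of every account in the forest."
}

# If password/lockout policy is identical everywhere, reason 1 of the "three reasons" does not apply.
$distinct = @($report | Select-Object MinPwdLen, LockoutThreshold -Unique)
if ($report.Count -gt 1 -and $distinct.Count -le 1) {
    Write-Host "Password/lockout policy is identical across all $($report.Count) domains."
}
```

Run it as a user with read access to every domain; the Placeholder column
is the thing to take into the design discussion, together with the
Enterprise Admins and Schema Admins membership, since that membership is
what the "schema and Ent admin separation" argument is really about and
it can be audited in a single-domain forest just as easily.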


Re: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Mark Parris
Thanks Guido,

Mark

-Original Message-
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 17:04:39 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

There isn't much official documentation available on this topic and if
you search the archives you'll see it's been discussed many times.
Fact is, that an empty root typically gives a false sense of security.
For most scenarios you can even argue that it reduces the overall
security of an AD forest.

Here's a nice list of arguments AGAINST an empty forest root domain from
Paul Rich, Senior Architecture Engineer within Microsoft's internal IT:

Empty root domain summary
- Adds complexity
- Adds up front cost
- Adds ongoing cost
- Lengthens disaster recovery
- Complicates group usage and comprehension
- Has user and application owner impact
- Kerberos cross-realm ticket issue
- Lowers security
- Only use is political and at very high cost 

We could discuss each of the above points and add more detail, but for
most this sums it up quite well. The "Lowers security" reason mainly
revolves around the Kerberos cross-realm ticket issue, as the status of a
user's account is not checked when a user's Kerberos ticket in another
domain is updated, i.e. in a hire/fire scenario, if a user is still
logged onto a box in his proper domain his Kerberos ticket would not get
renewed in his domain, but it would for an existing session to the root
domain. So the user could continue to use resources and grab data from
them (e.g. retrieve all company contacts from a GC in the root domain -
and if he has write access do other damage etc.)

I've even come across other technical reasons in the meantime that
speak against an empty forest root - this involves trusts between
different forests and the new forest trust type in Win2003. Empty root
domains don't make forest trusts any easier - especially for the
end-user.

/Guido


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Guido,

My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time... but if I could do it again today, blah, blah".

I think the decisions that would use this model today will most likely stem from political and administrative decisions, where as earlier the infrastructure had a larger impact on such a design.

If only there was the do over button..:)

J




RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Myrick, Todd \(NIH/CC/DNA\) [E]

You all knew I had to weigh in on this subject.

First some reading on the subject is found here. I think this is what
the initial request for information was for. You might also want to
reference the article on Lucent's site she points out for what happens
when you remove EA from a child domain, etc. Good information.

http://redmondmag.com/columns/article.asp?EditorialsID=436



I think all the responses on the list pretty much cover the business
case scenarios really well. I am going to argue against Empty Roots from
a more primitive / narrow minded approach.

See back in 1999/2000 I was a young Exchange Administrator wanting to do
good for my organization. Exchange 5.5 and the eventual migration to
Exchange 2000 was our primary driver for adopting Windows 2000 Active
Directory. At the time, our Exchange Organization supported multiple
sites (remember sites were both administrative and replication
boundaries in Exchange 5.5) and so in order to migrate the existing
Exchange 5.5 architecture to Exchange 2000, we would have to prune a lot
of the NT 4 domains, and establish a core set of domains that would
support the decentralized security / administration model of our
organization. The design my colleague and I came up with supported
several experimental AD design constructs to promote ease of resource
location, and what we thought at the time was security separation of
enterprise roles versus domain and data administration functions. What
fueled our desire to adopt some of these constructs was Microsoft's
marchitecture that expounded on how application development could
leverage all the standards in AD to centralize management, etc. So we
justified going to an Empty Root design to facilitate the separation of
security functionality and to centralize the core directory service
functions for extending the schema and replication convergence.
Politically we wanted to facilitate collaboration with other operating
divisions within our department, so having a natural domain to house
these functions also was attractive. Fundamentally, though, we were an
email shop and we needed a directory service to facilitate the next
generation of Exchange. The design works and is functional, it allows
for us to collaborate and incorporate other entities into our design
pretty easily, but operationally it is not streamlined, the technology
has a lot of inherent dependencies, and the service isn't optimized for
the various roles and functions it serves.

My recommendation is to try to identify what functions you want your
directory service to perform, and then stand up ADs or LDAP directories
to facilitate the functions required. With the inclusion of MIIS in
2003+ it makes a lot more sense these days to design your security
around isolation models than to try and make one big giant AD. It might
seem cool, but the number of problems you will run into down the road
are greatly compounded when you use the wrong directory for the job.

Todd Myrick

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread al_maurer

Jef,

We don't have a root domain because somebody smarter than I made that
decision before I took over. I was convinced at the time we had made a
mistake, but like you have come to the opposite conclusion. :)

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive
a root domain to anchor multiple domains. I would caution against it now.
I believe MS had the same stance, and now thinks it may not make as much
sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was
wrong :)

Jef


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Rocky Habeeb

"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_




RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread RM

I spoke to an MCS engineer on this very topic a while back and he
confirmed that Microsoft has gotten away from recommending a dedicated
forest root unless there's a compelling reason to have one.  Sorry I
can't be more specific.

RM



RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


My brother I welcome you into RDA :)

Root Domain Anonymous :)

Though, if the business requires the separation it still has its place today in certain environments. I would just be more adamant at evaluating those business requirements as they relate to the directory.

Jef


Subject: RE: [ActiveDir] Root Place Holder justificationDate: Wed, 26 Apr 2006 12:49:00 -0600From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org






Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
J

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


RH,

It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process.

Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings its own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on sAMAccountName in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory?

If we had a single domain, this would not be an issue.

I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :(

Jef








From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400





"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
J

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




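Jef's point above, that AD enforces sAMAccountName uniqueness per domain and not per forest, is something you can measure before an aggregation directory (MIIS feeding ADAM, in his case) has to pick a winner. The PowerShell below is an added example, not code from the thread or from any poster. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to every domain in the forest; domain names are taken from Get-ADForest, nothing is hard-coded.

```powershell
# Added example, not from the thread: report sAMAccountName values that exist
# in more than one domain of a forest. AD guarantees uniqueness per domain
# only, so an aggregation directory has to decide which copy wins.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.

Import-Module ActiveDirectory

function Find-ForestSamCollisions {
    param(
        # Well-known accounts and groups (RID < 1000: Administrator, Guest,
        # krbtgt, Domain Admins, ...) exist in every domain by design and are
        # skipped unless this switch is set.
        [switch]$IncludeBuiltIn
    )

    $rows = foreach ($domain in (Get-ADForest).Domains) {
        # Query each domain naming context directly rather than the global
        # catalog, so the result is authoritative for that domain.
        Get-ADObject -Server $domain -Properties sAMAccountName, objectSid `
            -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sAMAccountName=*))' |
            ForEach-Object {
                $rid = [int](($_.objectSid.Value -split '-')[-1])
                if ($IncludeBuiltIn -or $rid -ge 1000) {
                    [pscustomobject]@{
                        Domain            = $domain
                        # SAM names are case-insensitive; normalise before grouping.
                        SamAccountName    = $_.sAMAccountName.ToLowerInvariant()
                        ObjectClass       = $_.ObjectClass
                        DistinguishedName = $_.DistinguishedName
                    }
                }
            }
    }

    # A collision is the same name present in two or more distinct domains.
    $rows | Group-Object SamAccountName |
        Where-Object { @($_.Group.Domain | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.Name
                Domains        = (@($_.Group.Domain | Sort-Object -Unique) -join ', ')
                Objects        = ($_.Group.DistinguishedName -join '; ')
            }
        }
}

# Usage:
# Find-ForestSamCollisions | Format-Table -AutoSize
# Find-ForestSamCollisions | Export-Csv sam-collisions.csv -NoTypeInformation
```

The usual workaround for an application that can only bind to one partition and cannot chase referrals is to point it at the global catalog (port 3268), but that only gives it a read-only partial view; it does nothing about two accounts with the same name in different domains, which is exactly what this report surfaces.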


Re: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Mark Parris

Dean/Joseph

Anything to add?

Mark

-Original Message-
From: Jef Kazimer [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 16:15:09 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

RH,
 
 
 
It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process.

Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings its own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on sAMAccountName in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory?

If we had a single domain, this would not be an issue.

I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :(
 
 
 
Jef
 
 
 
 
 
 
 
 
 
 
 

 
 

 From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400

Where's the harm? 
Don't tell me about economics or overhead or other things. 
Tell me where the harm is. 
Please. 
  
RH 
_ 
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

 
 
Jef,
 
 
 
We don’t have a root domain because somebody smarter than I made that decision 
before I took over.  I was convinced at the time we had made a mistake, but 
like you have come to the opposite conclusion.
 
J
 
 
 
AL
 
 
 
 
Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com
 
 
 
 

 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
 
 
 
Al,
 
 
 
If you had asked me in the year 2000, I could see issues that would drive a 
root domain to anchor multiple domains.  I would caution against it now.  I 
believe MS had the same stance, and now thinks it may not make as much sense as 
it once did.
 
 
 
Maybe they should re-evaluate their service offerings. :)  I admit I was wrong 
:)
 
 
 
Jef
 
 

 
 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 Mark,
 
 I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers.  Ran that way for 6 years.
 
 Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root.  I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and they that had run it by Microsoft for approval.
 
 I think what it boils down to is that this is their standard service and that's that.  The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.
 
 AL
 
 Al Maurer 
 Service Manager, Naming and Authentication Services 
 IT | Information Technology 
 Agilent Technologies 
 (719) 590-2639; Telnet 590-2639 
 http://activedirectory.it.agilent.com 
 
 -Original Message-
 From:[EMAIL PROTECTED]:[EMAIL PROTECTED]
 Sent: Wednesday, April 26, 2006 7:37 AM
 To: ActiveDir.org
 Subject: [ActiveDir] Root Place Holder justification

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Gil Kirkpatrick



Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people 
on the list won't have a clue as to what I'm talking about 
anyway...

In any case, how do increased 
operational costs and overhead not qualify as "harm"? I'm confused by your 
question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the 
harm?"
Don't tell me about economics 
or overhead or other things.
Tell me where the "harm" 
is.
Please.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
  
  Jef,
  
We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
  J
  
  AL
  
  
Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
  
  Al,
  
  If you had asked me in the year 
  2000, I could see issues that would drive a root domain to anchor multiple 
  domains. I would caution against it now. I believe MS had the same 
  stance, and now thinks it may not make as much sense as it once 
  did.
  
  Maybe they should re-evaluate 
  their service offerings. :) I admit I was wrong 
  :)
  
  Jef
  
  
  
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  
  
  
  


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Gil,

I think he was looking for other reasons besides the obvious ones (More hardware, license, etc.).

It would be interesting to quantify the hidden costs related to administration, data consistency, application integration, security, etc..

But that is a task for a better man than I...

Jef


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:26:57 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org





Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway...

In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
J

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root place holder, pros and cons?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DCs now in a single domain - yet the partner they have chosen is recommending a root place holder with 5 DCs and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DECs.

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread joe
Who? 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 6:20 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Root Place Holder justification


Dean/Joseph

Anything to add?

Mark

-Original Message-
From: Jef Kazimer [EMAIL PROTECTED]
Date: Wed, 26 Apr 2006 16:15:09
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

RH,
 
 
 
It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process.

Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings its own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on sAMAccountName in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory?

If we had a single domain, this would not be an issue.

I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :(
 
 
 
Jef
 
 
 
 
 
 
 
 
 
 
 

 
 

 From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400

Where's the harm?
Don't tell me about economics or overhead or other things. 
Tell me where the harm is. 
Please. 
  
RH
_ 
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

 
 
Jef,
 
 
 
We don’t have a root domain because somebody smarter than I made that decision 
before I took over.  I was convinced at the time we had made a mistake, but 
like you have come to the opposite conclusion.
 
J
 
 
 
AL
 
 
 
 
Al Maurer
Service Manager, Naming and Authentication Services IT | Information Technology 
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
 
 
 
 

 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, April 26, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
 
 
 
Al,
 
 
 
If you had asked me in the year 2000, I could see issues that would drive a 
root domain to anchor multiple domains.  I would caution against it now.  I 
believe MS had the same stance, and now thinks it may not make as much sense as 
it once did.
 
 
 
Maybe they should re-evaluate their service offerings. :)  I admit I was wrong 
:)
 
 
 
Jef
 
 

 
 Subject: RE: [ActiveDir] Root Place Holder justification
 Date: Wed, 26 Apr 2006 08:03:19 -0600
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 Mark,
 
 I'm in the same place you are: single forest, single domain, but 30 DCs in a 
 global deployment with 45k users and 37k computers.  Ran that way for 6 years.
 
 Now we've sold off a business unit of a couple thousand users and they 
 outsourced to a big 3rd party service provider who insisted they go with an 
 empty root.  I recommended against it, but the sourcer (whose initials are 
 E.D.S.) claimed the configuration was supported by Microsoft and they that 
 had run it by Microsoft for approval.
 
 I think what it boils down to is that this is their standard service and 
 that's that.  The guys I'm working with are quite knowledgeable and good at 
 what they do, but they're the front line people and not the deep-thinking 
 architects we find at DEC.
 
 AL
 
 Al Maurer
 Service Manager, Naming and Authentication Services

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread joe
This is quickly becoming one of those religious type argument items. Top
post -vs- bottom post. Universal Groups -vs- Domain Local Groups. Open -vs-
fixed naming standards. Open Source -vs- proprietary. Linux -vs- Windows.
Linux -vs- BSD.  IIS -vs- Apache. MySQL -vs- SQL Server. PHP -vs- Perl. Coke
-vs- Pepsi. House -vs- ER. Jennifer Aniston -vs- Angelina Jolie. Cats -vs-
dogs. Kelly Pickler -vs- Katharine McPhee[1]. Empty Root -vs- No Empty Root.

Basically there are valid arguments either way and unless people are willing
to actually discuss the true benefits in an unemotional clear way you end up
with whatever the stronger debater wants for better or worse. 

There are times that I think empty root is a great idea, there are times
when I think it isn't a great idea. I won't recap posts that I have sent
multiple times to the list on this topic. 

Yes, as a general rule MS has backed off the Everyone should do an empty
root but they haven't gone as far as some would like to think of Never do
an empty root - though you may be pressed to find someone who doesn't say
that. 

In your situation as in any other, write down the perceived benefits and
perceived issues and go from there. It should become pretty clear when you
have them up on the whiteboard next to each other.

Adding five empty root DCs to a forest that currently only has 6 DCs would
put me on the offensive pretty fast against whomever was just throwing that
out and I would really make them explain the logic. They may have some good
logic behind it, that just may be what their cookie cutter says. 

In general if you have a single domain, the initial thought should be you
need to prove why you need more. If you have multiple domains then the
argument, IMO, for an empty root is not as hard a sell; again that is IMO,
OMV - as I recently read... In a group of 12 bright people you will have at
least 13 opinions. I am absolutely not saying that I wouldn't do an empty
root if I already have just a single domain, I am saying I would need to sit
down and write out the reasons for and against like I mentioned above. These
are going to vary for companies but people (including myself) have posted
various reasons for this that they have thought through, check the archives.


I am neither for nor against empty roots in the general case. I like to see
what the goals and issues are and work from there. That being said, I don't
dislike them like many have grown to. 

What kinds of issues can you have with empty roots or, more generically,
multiple domains in a forest? Well one good issue was mentioned... Stupid
applications that can't deal with multiple domains. These usually are ports
from other OSes and directories but people writing code for MSFT products
aren't exempt from this category either. I seem to recall the PlumTree
Software folks having some spectacularly bad ideas around LDAP and AD and
they only ran on MSFT OS servers the last I saw (been a couple of years).
Exchange, if I were to pick an application at complete random, has issues
once the number of domains exceeds the number of domains in their forest
that they appear to test on in their RD lab (i.e. 1). They are getting
better but still aren't there. LCS as we recall from a week or two ago
required Global groups which isn't very multi-domain friendly in many cases
(ask anyone who tries to put dom2\user1 into dom1\domain admins). You will
note that if you don't do it because of these reasons, it isn't a
failing or a problem in AD, it is your crappy apps forcing you.

As for Guido and Wook, I don't believe either would outright close the book
on whether an empty root should be used or not. They will, however, almost
certainly have different things that will push them in that direction but if
a reason came up that they thought was pretty good, they would say it was
fine as well. 

So, I would ask the nice partner... Why do you want to do it this way? Could
be they are a bit out of touch and may quote the old security boundary
argument which has been thoroughly thrashed out on this list in the past but
some people still don't understand. I personally like my safe harbor (from
domain level GPO or other domain wide issues) thoughts about a root domain,
many tried to take me to task here on the list about it but I still stand
behind that idea. I don't think I would more than double the number of DCs
to do it though unless I was really scared about the people doing ops or
more realistically getting heavy duty access.

  joe


P.S. Top, DLG, fixed, don't care, Windows, BSD, don't care, don't care,
perl, Coke, House, either, cats, (Kat) Katharine definitely - Kelly has a
blowpop for a brain, don't care.



[1] For those outside of the US, this is reference to our current run of the
American Idol TV show. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent:
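joe's aside about trying to put dom2\user1 into dom1\Domain Admins is a group-scope rule, not a permissions problem: Domain Admins is a global group, and global groups take members only from their own domain. The PowerShell below is an added example, not joe's code or anything from the thread. It resolves a group and a prospective member and reports whether the scope rules allow the membership before Add-ADGroupMember fails; it assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the DNs in the usage lines are placeholders.

```powershell
# Added example, not from the thread: preflight check of AD group-scope rules
# before Add-ADGroupMember. Assumes the ActiveDirectory module (RSAT) and read
# access to both domains. Trust direction and domain functional level are not
# checked, so a membership that passes here can still be refused by the DC.

Import-Module ActiveDirectory

function Get-DomainFromDn {
    # Turn the trailing DC= components of a DN into a DNS domain name,
    # e.g. CN=x,OU=y,DC=dom1,DC=example,DC=com -> dom1.example.com
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcs = ($DistinguishedName -split '(?<!\\),') | Where-Object { $_ -match '^DC=' }
    ($dcs -replace '^DC=', '') -join '.'
}

function Test-GroupMembershipScope {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn
    )
    $groupDomain  = Get-DomainFromDn $GroupDn
    $memberDomain = Get-DomainFromDn $MemberDn
    $sameDomain   = $groupDomain -eq $memberDomain

    # -Server takes a domain name; the module locates a DC in that domain.
    $group  = Get-ADGroup  -Identity $GroupDn  -Server $groupDomain
    $member = Get-ADObject -Identity $MemberDn -Server $memberDomain
    $memberScope = if ($member.ObjectClass -eq 'group') {
        (Get-ADGroup -Identity $MemberDn -Server $memberDomain).GroupScope
    } else { $null }   # user or computer account

    switch ($group.GroupScope.ToString()) {
        'Global' {
            # Accounts and global groups from the group's own domain only.
            $allowed = $sameDomain -and ($null -eq $memberScope -or $memberScope -eq 'Global')
            $reason  = 'global groups accept only accounts and global groups from their own domain'
        }
        'Universal' {
            # Accounts, global and universal groups from any domain in the forest.
            $allowed = $memberScope -ne 'DomainLocal'
            $reason  = 'universal groups cannot contain domain local groups'
        }
        'DomainLocal' {
            # Accounts, global and universal groups from any trusted domain;
            # domain local groups only from the group's own domain.
            $allowed = $memberScope -ne 'DomainLocal' -or $sameDomain
            $reason  = 'domain local groups nest domain local groups from their own domain only'
        }
    }

    [pscustomobject]@{
        Group   = "$groupDomain\$($group.SamAccountName) ($($group.GroupScope))"
        Member  = "$memberDomain\$($member.Name)" + $(if ($null -ne $memberScope) { " ($memberScope)" })
        Allowed = $allowed
        Reason  = if ($allowed) { 'permitted by scope rules' } else { $reason }
    }
}

# Usage with placeholder DNs (not from the thread):
# Test-GroupMembershipScope -GroupDn  'CN=Domain Admins,CN=Users,DC=dom1,DC=example,DC=com' `
#                           -MemberDn 'CN=user1,CN=Users,DC=dom2,DC=example,DC=com'
# Allowed is False for that pair because Domain Admins is a global group.
```

Enterprise Admins in the forest root is a universal group, which is why cross-domain members work there and not in Domain Admins; the same rule is what pushes multi-domain designs toward universal groups for anything an application like LCS insists on being global.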