Linton is right. There are 3 partitions in Active Directory: the Domain Naming Partition, the Configuration Partition and the Schema Partition. The Schema and the Configuration Partitions are forest-wide and the Domain Naming Partition is domain-wide. We work with several developers also testing Exchange 2000 and we would NEVER let them do their EX2K development in our productive AD forest. They need a development forest of their own. If it needs to reflect the configuration of the production AD forest, you might consider a synchronization tool such as the one offered by Discus Data. See www.discusdata.com.

-----Original Message-----
From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 9:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Development Domain

As developers, they will likely toy with the idea of extending the schema to suit their purposes. The schema is also forest wide, and changes cannot be backed out. For this reason, I'd highly recommend a separate forest for use as their sandbox.

Linton

-----Original Message-----
From: Neil Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Development Domain

Andy,

In the situation you describe your 'evil beasts' could only affect and damage the 'Configuration' partition in AD. Remember - this is the only common partition in AD that is spread across a whole forest. Corruption of a child domain would be limited to its own objects and policies.

The chances of them adding objects or corrupting the configuration partition are remote, most likely cause would be if you delegate rights to this, or were 'unfortunate' enough to give them Enterprise Admin!

hth
Neil

----- Original Message -----
From: "Andy Grafton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 3:03 PM
Subject: [ActiveDir] Development Domain

We have Developers. They are Evil Beasts who like to mangle anything they can. They can kill any system with one line of code, from 50 paces, at the most unfortunate time imaginable.

Our corporate domain (say co.int) is a beautiful Active Directory thing with a single root and sites spread across Scandinavia. The Evil Beasts have their own, separate NT4 domains which they persecute - one on each site. They don't develop in the corporate domain. Not that we know of...

Now they are howling for Exchange 2000, live Active Directory with different sites, the ability to test their code against MS LDAP rather than faithful Unix.

To encourage the sharing of resources between sites we shall set up an AD domain just for them. The question has arisen: Do we give them their own domain, with separate root (say dev.int), or give them a child domain in our corporate tree (say dev.co.int)?

As far as I am aware, there is one Exchange Organisation and one AD database per tree. If the developers in dev.co.int kill something fundamental [not just a server in the child domain], there will be an impact on the parent domain co.int. Is this correct?

I'm all for making them a separate root from a keep-their-hands-off-my-infrastructure perspective, but colleagues argue that we will be better served by and integrated with the corporate domain (where they are logging in, most often) if we go with the parent-child scenario.

Does anyone out there have experience of this sort of thing? Are parent and child domains separated enough that the corruption of a child domain would not affect the parent? As I write this, I feel that I already know the answer, but I have to be sure before I argue my point...

All the best,
Andy

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
