From the Microsoft Active Directory Design Course #1561 (paraphrased):

Use multiple forests ONLY if
  a) you need a separate schema for each forest!
  b) business needs necessitate

Use multiple trees in a single forest ONLY if
  a) you need different namespaces (Active Directory namespace, not Internet)
  b) business needs necessitate

Use multiple domains ONLY if
  a) you want different password policies
  b) you want to use different certificate services
  c) business needs necessitate

Otherwise, use a single domain (obviously the "business needs necessitate" is there for when the non-tech folks win the argument at the board meeting).

Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet: [EMAIL PROTECTED]
AT&T Net: (919)960-8888

-----Original Message-----
From: Darren Sykes [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 11:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help.....

The 'most important issue' will surely depend on the company for which the AD is being designed. For example, the ability to set different password policies may be of paramount importance for some companies, and the replication traffic generated may not be an issue in a relatively static environment.

Another couple of things that I think should be considered:

1) Server consolidation. In most cases, fewer domains will require less hardware (because of the IM/GC incompatibility etc.).
2) Some applications work better in a single domain environment, such as Exchange 2000. From experience, Microsoft usually recommend one domain, unless you can explicitly think of reasons that would prevent that design.
3) Non-technical issues; company politics may dictate that multiple domains exist, regardless of technical suitability.
4) The reliance on certain server roles in each domain. For example, in a large single domain environment, there will be a greater reliance on the PDC emulator for legacy applications that use APIs to use the 'PDC'.

I'm sure there are loads more, which others will soon point out!

Darren.

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 16:31
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Help.....

I think Rick has hit the main points. From my POV, the most important issue is being able to constrain replication if you use multiple domains. If you have a smallish environment and replication traffic is not going to be an issue, stick with a single domain, or at most an empty root with a single subdomain.

-gil

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 8:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help.....

Rich,

Loaded question. I've got a few minutes before heading off to bed to do some reading, but I think you'll get more than enough response to get a full view.

A few benefits (I suggest someone fill in some of the drawbacks, too):

1. Separation of Schema and Enterprise administrator from the rest of the domain structure, providing some degree of protection for key and sensitive entities from the 'work' domains.
2. Use of a root domain provides for easy expansion and acquisition by adding a domain below the root.
3. Provides a replication boundary for domain-related data, thereby reducing unnecessary traffic because domains do not replicate to each other.
4. Creates a separation of function or security based on password and account lockout properties.

(Do not in any way confuse a domain in Windows 2000 with a domain in Windows NT 4.0. Transitive trusts are automatically created between domains in a forest. A forest is more synonymous with a Windows NT 4.0 domain when viewed from an autonomous security context.)

Hope this helps - and gets the discussion going....

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
> Sent: Thursday, September 26, 2002 10:01 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Help.....
>
> Can someone outline the benefits of having a single forest with multiple domains as opposed to a single domain.
>
> Thanks,
>
> Rich
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
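The thread's criteria are about boundaries: password and lockout policy is set per domain (Tom's criterion a, Rick's point 4), replication is scoped per domain (Gil, Rick's point 3), each domain leans on its own PDC emulator (Darren's point 4), and trusts inside a forest are automatic and transitive (Rick's closing note). The following PowerShell is an added example, not code from the list or from Microsoft, that inventories exactly those boundaries in an existing forest so a designer can check whether the extra domains are still earning their keep. It assumes the RSAT ActiveDirectory module is installed and that the script runs under a domain-joined account with ordinary read access to the directory; it makes no changes.

```powershell
# Added example (not from the thread). Inventory the forest, its domains,
# each domain's default password/lockout policy and PDC emulator, and the
# trusts between them. Assumes the RSAT ActiveDirectory module and a
# domain-joined account with read access; read-only.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host ("Forest {0}: root domain {1}, schema master {2}" -f `
    $forest.Name, $forest.RootDomain, $forest.SchemaMaster)

# One row per domain. Password and lockout settings live in the domain
# naming context, so each domain is queried against one of its own DCs.
$report = foreach ($dnsRoot in $forest.Domains) {
    $domain = Get-ADDomain -Identity $dnsRoot
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $dnsRoot -Server $dnsRoot
    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        ParentDomain       = $domain.ParentDomain
        PDCEmulator        = $domain.PDCEmulator        # legacy 'PDC' dependency
        MinPasswordLength  = $policy.MinPasswordLength
        MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
        Complexity         = $policy.ComplexityEnabled
        LockoutThreshold   = $policy.LockoutThreshold
        LockoutMinutes     = $policy.LockoutDuration.TotalMinutes
    }
}
$report | Format-Table -AutoSize

# Trusts as seen from every domain. IntraForest trusts are created
# automatically and are transitive, which is why a child domain is not an
# isolation boundary in the NT 4.0 sense.
foreach ($dnsRoot in $forest.Domains) {
    Get-ADTrust -Filter * -Server $dnsRoot |
        Select-Object @{n='Domain';e={$dnsRoot}}, Name, Direction,
                      IntraForest, ForestTransitive, TrustType
} | Format-Table -AutoSize

# Flag non-root domains whose default policy is identical to the root's:
# under the course criteria quoted in the thread, such a domain is not
# justified by "different password policies" alone.
$root = $report | Where-Object { $_.Domain -eq $forest.RootDomain }
foreach ($row in ($report | Where-Object { $_.Domain -ne $root.Domain })) {
    $same = ($row.MinPasswordLength  -eq $root.MinPasswordLength) -and
            ($row.MaxPasswordAgeDays -eq $root.MaxPasswordAgeDays) -and
            ($row.Complexity         -eq $root.Complexity) -and
            ($row.LockoutThreshold   -eq $root.LockoutThreshold) -and
            ($row.LockoutMinutes     -eq $root.LockoutMinutes)
    if ($same) {
        Write-Warning ("{0}: default password/lockout policy matches the root domain" -f $row.Domain)
    }
}
```

Run it from any domain-joined workstation with RSAT; nothing is written to the directory. The warnings at the end are the interesting output: a child domain whose only stated purpose was a distinct password policy, but whose policy matches the root, is a candidate for the consolidation Darren and Gil recommend. The trust listing is there for the same reason Rick gives: it shows in one place that every domain in the forest already trusts every other, so the domain boundary is a replication and policy boundary, not a security boundary.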
