I believe its in some of Microsoft's docs. The biggest reason to do it is to be able to protect the Enterprise Admins and Schema Admins groups. Any domain admin in the domain which houses those two groups could add themselves to the groups. Therefore, if you restrict who's in that domain to begin with, you're able to keep people from adding themselves.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 11, 2002 9:05 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
>
> Roger,
>
> Do you - or anyone reading this - have any good documentation on the empty
> root concept?
>
> Joe Pelle
> Systems Administrator
> Information Technology
> Valassis / Targeted Print & Media Solutions
> 35955 Schoolcraft Rd. Livonia, MI 48150
> Tel 734.632.3753 Fax 734.632.6240
> [EMAIL PROTECTED]
> http://www.valassis.com/
>
> This message may have included proprietary or protected information. This
> message and the information contained herein are not to be further
> communicated without my express written consent.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 11, 2002 9:00 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Back to Basics - Design Pros and Cons
>
> You're really looking at what I'd call a consulting question - there are too
> many factors to be able to give this any sort of justice via an email forum.
> That being said, here are some thoughts.
>
> Start with defining the levels of separation and security between your
> different classes of users, as well as determining what (if any) resources
> are expected to be available, and which classes of users need access to them
> (i.e. computer labs, etc).
>
> Define the administration policies for the different classes of users - are
> the student accounts managed by different people than staff, etc?
>
> Unless you have very serious issues with the trustworthiness (or they're
> just plain unruly) of the administrators for student accounts, I don't see a
> lot of reason to create a multiple forest design, especially if there are
> many resources that have to be shared between the students and faculty. The
> design will flow from how well you define your user classes. The better you
> understand the requirements for interaction and administration, the easier
> it will be to develop a design that will suit your institution.
>
> After all that, my first idea would be a 3 domain forest - empty root,
> faculty domain and student domain.
>
> Multiple forests are possible, and in some cases preferable, but they are a
> significant overhead, IMO.
>
> Roger
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Wohlgehagen, Max W [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 10, 2002 8:20 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] Back to Basics - Design Pros and Cons
> >
> > There is so much material out there on AD now it is almost scary [in many
> > ways it is not too dissimilar to NDS 'cepting the DNS component]. My
> > problem is design for a new network; being in a school we have the luxury
> > of starting from scratch without business fallout problems. We are
> > multi-campus and have a fairly substantial network with an 11MB "Spread
> > Spectrum" Microwave link between campuses. I am a big fan of the KISS
> > principle but am stuck in deciding between multiple trees or a single
> > tree with many sites; both concepts have advantages. We do not need to
> > implement a Forest structure as our DNS is set in concrete. We have the
> > following elements: Campus1, Campus2, Students1, Students2, Staff1,
> > Staff2 ... or OrganisationAll, StaffAll, StudentsAll.
> > Obviously there are sub-components of these elements as well. The main
> > concern is to have the most useful GPO structure without too much
> > complexity. Does anyone have any experience in setting up this type of
> > AD? Any ideas on multiple domains versus single domain with many sites?
> > Help, opinions, comments, ideas all welcome. Thanks.
> >
> > Max Wohlgehagen
> > TSI - Rowville
> > "Of all the things I've lost, it's my mind I miss the most."
> > <<Wohlgehagen, Max (E-mail).vcf>>
> >
> > *******************************************************************************
> > Important - This email and any attachments may be confidential. If
> > received in error, please contact us and delete all copies. Before opening
> > or using attachments check them for viruses and defects. Regardless of any
> > loss, damage or consequence, whether caused by the negligence of the
> > sender or not, resulting directly or indirectly from the use of any
> > attached files our liability is limited to resupplying any affected
> > attachments. Any representations or opinions expressed are those of the
> > individual sender, and not necessarily those of the Department of
> > Education & Training.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
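The point made at the top of the thread (any Domain Admin in the forest root domain can add themselves to Enterprise Admins or Schema Admins, so the root's own membership is what an empty-root design keeps small) is something you can audit rather than take on faith. The script below is an added example, not code from the list or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read group membership in the forest root domain.

```powershell
# Added example (not from the thread): list the forest-root groups that an
# empty-root design is meant to protect, and show how many accounts could
# self-elevate into them through the root domain's Domain Admins group.
# Assumes the ActiveDirectory (RSAT) module and read access to the root domain.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain
$rootSid = $rootDom.DomainSID.Value
$pdc     = $rootDom.PDCEmulator   # ask the root PDC so the answer is authoritative

# Well-known RIDs in the root domain:
#   512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins
$groups = [ordered]@{
    'Domain Admins (root)' = "$rootSid-512"
    'Schema Admins'        = "$rootSid-518"
    'Enterprise Admins'    = "$rootSid-519"
}

# Resolve nested membership so groups hidden inside groups are counted too.
$report = foreach ($name in $groups.Keys) {
    $members = Get-ADGroupMember -Identity $groups[$name] -Server $pdc -Recursive |
               Select-Object -ExpandProperty SamAccountName
    foreach ($m in $members) {
        [pscustomobject]@{ Group = $name; Member = $m }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Every member of the root Domain Admins group can place itself into
# Enterprise Admins or Schema Admins; keeping the root domain (and so this
# list) nearly empty is the whole reason for the empty-root design.
$rootDAs = @($report | Where-Object Group -eq 'Domain Admins (root)')
Write-Host "Accounts able to reach EA/SA via root Domain Admins: $($rootDAs.Count)"

# Schema Admins is normally kept empty between schema changes; warn if not.
$schema = @($report | Where-Object Group -eq 'Schema Admins')
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins is not empty ($($schema.Count) members)"
}
```

Run it from a management workstation joined to any domain in the forest; a non-empty root Domain Admins list that is longer than the handful of forest-level admins you expect is the signal that the root is no longer "empty".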
