See FAQ 15 at http://www.activedir.org/FAQ.htm
See also Table 8 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

Microsoft lists the following possible reasons for an empty forest root.

********************

Fewer administrators can make forest-wide changes
Limiting the forest root domain administrative membership reduces the likelihood that an administrative error will impact the entire forest.

Easily replicated for forest backup
A small root domain can be easily replicated anywhere on your network to provide protection against geographically centered catastrophes.

Never becomes obsolete
You can never retire the root domain, even if your organization changes. A dedicated root domain never becomes obsolete because it functions solely as the forest root.

Ownership easily transferred
Transferring ownership of the root domain to transfer forest ownership does not involve migrating production data or resources.

************************

Another possible advantage is that you can set a stronger password policy for any accounts held in the root domain.

Like Gil, I don't find any of these reasons particularly compelling. Probably the biggest downside is the additional cost of implementing and maintaining an extra domain.

Tony

---------- Original Message ----------------------------------
From: Gil Kirkpatrick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 18 Feb 2003 19:14:38 -0700

Hi Cliff,

There are two pros that I am aware of...

1. In the case of radical naming hierarchy surgery, e.g., acquisition of another company, it provides a convenient place to merge in the new domains.

2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is often claimed, but in practice an empty root buys you little with respect to security.

Cons:

1. It's not a single domain forest, which is the best of all possible worlds when you can do it.

2. It makes names longer than they need to; a minor annoyance.
Unless you have some overriding reason for multiple domains (multiple sites and slow WAN links can be an issue), I would stick with a single domain forest. It makes life much simpler.

-gil

-----Original Message-----
From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 6:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root domain benefits?

Hello Everyone,

The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an "empty" root domain? Does anyone have any experience with "empty" root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model. What are the pros and cons?

Thanks,

Cliff Airhart
Answer Financial Inc.
Senior Systems Administrator - Server Support / eBusiness
[EMAIL PROTECTED]
818.644.4225
We answer to you.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
