You should also not think too much of the "security" benefits you get with a
dedicated root - they slightly enhance operational security (i.e. not
letting other domain admins easily fool around with forest-config and schema
changes etc.), but do not enhance system security (i.e. they don't hinder a
rogue child-domain administrator getting change-access to the
config-container and to the schema). The separate root-domain USED to be a
best practice to protect the schema, but this is no longer true (after
people understood how AD security really works)
=> not the DOMAIN, but the FOREST is the security boundary in AD (this is
true for both Win2k as well as Win2k3)
=> the stronger PW policy of a root domain will not hinder a child-Domain
Admin with a simpler PW policy from breaking into the root, if he wants to.

In a smaller environment like the one Cliff is mentioning, you'll likely
only have a few Domain Admins which you highly trust - you will be able to
delegate most of the everyday tasks to non-Domain Admins (normal users,
granted special permission on the OU level in AD - also referred to as DATA
Admins).
The few Domain Admins are also your best candidates for Enterprise/Schema
Admins in your environment, which doesn't mean that they are allowed to do
what they want whenever they want. 

These so-called Service Admins should be highly trusted and thus you will
not gain any additional operational security by adding a separate
root-domain. As a result, I would recommend implementing a single-domain
forest and saving yourself some of the hassle with managing multiple domains
(and you can always add trusts to this forest to allow integration with a
newly merged company etc.)

/Guido
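A check for the point made in the message above (that the forest, not the domain, is the security boundary), as an added example that is not part of the original thread: it lists every principal holding write-class rights on the forest-wide Configuration and Schema partitions, so you can see directly who can change forest-wide data regardless of which domain their account lives in. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT; on the Win2k/Win2k3 versions discussed in the thread you would read the same ACLs with dsacls or ADSI Edit) and an account with read access to the directory. The function name and the set of rights treated as "write-class" are this example's own choices.

```powershell
# Added example, not from the original thread. Enumerates Allow ACEs granting
# write-class rights on the Configuration and Schema naming contexts.
# Assumes: ActiveDirectory module available, run on a domain-joined machine.
Import-Module ActiveDirectory

function Get-ForestPartitionWriters {
    # Rights that give effective control over the object or its ACL.
    # GenericAll/GenericWrite/WriteDacl/WriteOwner are checked as strings rather
    # than with -band, because GenericAll's bitmask also covers read-only bits.
    $writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

    $rootDse = Get-ADRootDSE
    $partitions = @(
        $rootDse.configurationNamingContext,
        $rootDse.schemaNamingContext
    )

    foreach ($dn in $partitions) {
        $acl = Get-Acl -Path "AD:\$dn"

        # The owner can always rewrite the DACL, so report it alongside the ACEs.
        [PSCustomObject]@{
            Partition = $dn
            Identity  = $acl.Owner
            Rights    = 'Owner'
            Scope     = 'whole object'
            Inherited = $false
        }

        $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.ActiveDirectoryRights.ToString() -split ',\s*') |
                    Where-Object { $_ -in $writeRights })
            } |
            ForEach-Object {
                # ObjectType of all zeros means the ACE applies to every
                # property; anything else is a single attribute or property set,
                # which is a much narrower grant than "can change the partition".
                $scope = if ($_.ObjectType -eq [Guid]::Empty) { 'whole object' }
                         else { "property/set $($_.ObjectType)" }
                [PSCustomObject]@{
                    Partition = $dn
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights.ToString()
                    Scope     = $scope
                    Inherited = $_.IsInherited
                }
            }
    }
}

# Usage: show the writers, then flag any identity that is not from the root
# domain (compare the NetBIOS prefix against the forest root's). A child-domain
# group or user appearing with whole-object rights here can change forest-wide
# configuration exactly as a root-domain admin can.
$forestRootNetbios = (Get-ADDomain (Get-ADForest).RootDomain).NetBIOSName
$writers = Get-ForestPartitionWriters | Sort-Object Partition, Identity, Rights -Unique
$writers | Format-Table -AutoSize

$writers |
    Where-Object { $_.Identity -notlike "$forestRootNetbios\*" -and
                   $_.Identity -notlike 'NT AUTHORITY\*' -and
                   $_.Identity -notlike 'BUILTIN\*' -and
                   $_.Scope -eq 'whole object' } |
    ForEach-Object { Write-Warning "Non-root-domain principal with forest-wide write: $($_.Identity) ($($_.Rights) on $($_.Partition))" }
```

The warning filter is deliberately coarse: well-known SIDs such as NT AUTHORITY\SYSTEM and the Enterprise/Schema Admins groups of the root domain are expected here, and the interesting output is any entry that is neither. Run it as a plain domain user; nothing in the script needs write access.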

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 19 February 2003 09:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Empty root domain benefits?


See FAQ 15 at http://www.activedir.org/FAQ.htm

See also Table 8 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

Microsoft lists the following possible reasons for an empty forest root.

********************
Fewer administrators can make forest-wide changes

Limiting the forest root domain administrative membership reduces the
likelihood that an administrative error will impact the entire forest.


Easily replicated for forest backup

A small root domain can be easily replicated anywhere on your network to
provide protection against geographically centered catastrophes.

 
Never becomes obsolete

You can never retire the root domain, even if your organization changes. A
dedicated root domain never becomes obsolete because it functions solely as
the forest root. 

 
Ownership easily transferred

Transferring ownership of the root domain to transfer forest ownership does
not involve migrating production data or resources.
************************

Another possible advantage is that you can set a stronger password policy
for any accounts held in the root domain.  

Like Gil, I don't find any of these reasons particularly compelling.
Probably the biggest downside is the additional cost of implementing and
maintaining an extra domain.

Tony
---------- Original Message ----------------------------------
From: Gil Kirkpatrick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 18 Feb 2003 19:14:38 -0700

Hi Cliff,

There are two pros that I am aware of...

1. In the case of radical naming hierarchy surgery, e.g., acquisition of
another company, it provides a convenient place to merge in the new domains.

2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is
often claimed, but in practice an empty root buys you little with respect to
security.

Cons:

1. It's not a single domain forest, which is the best of all possible worlds
when you can do it.

2. It makes names longer than they need to be; a minor annoyance.

Unless you have some overriding reason for multiple domains (multiple sites
and slow WAN links can be an issue), I would stick with a single domain
forest. It makes life much simpler.

-gil


-----Original Message-----
From: Clifford Airhart [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 18, 2003 6:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty root domain benefits?


Hello Everyone,

        The simplest domain model is the Single Forest / Single Domain. I
was thinking of using this model with an "empty" root domain. Does anyone
have any experience with "empty" root domains? Is it really beneficial? We
are only a small company with a few hundred users and have 4 domains in a
multi-master NT domain model.

What are the pros and cons?

Thanks,

Cliff Airhart 
Answer Financial Inc. 
Senior Systems Administrator - Server Support / eBusiness
[EMAIL PROTECTED] 818.644.4225 We answer to you.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/