It has become common practice, from what I've seen. In fact, I'm currently administering the second forest that I've built in that exact configuration.
The main rationale has always been to protect the "keys to the kingdom" - specifically the schema (via the schema admins group) and the forest structure (via the enterprise admins group). By keeping those two roles in a different domain, it is less likely that a rogue admin (or a stupid one, for that matter) could arbitrarily make changes to the schema or add/delete domains from the forest.

It was noted about a year ago, however, that domains aren't strong security boundaries - as there are some specific attacks that can be done involving injecting bogus information into global catalogs, which are shared across a forest. In reality, these are still very difficult to perform, and are therefore relatively minor threats.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 8:01 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Empty root domain benefits?
>
> Hello Everyone,
>
> The simplest domain model is the Single Forest / Single Domain. I was thinking of using this model with an "empty" root domain? Does anyone have any experience with "empty" root domain? Is it really beneficial? We are only a small company with a few hundred users and have 4 domains in a multimaster NT domain model.
>
> What are the pros and cons?
>
> Thanks,
>
> Cliff Airhart
> Answer Financial Inc.
> Senior Systems Administrator - Server Support / eBusiness
> [EMAIL PROTECTED]
> 818.644.4225
> We answer to you.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
