I'd have to disagree on two of your four points.

-Enhanced Security: it is indeed more secure to keep the schema and
enterprise admins group in a different domain. The cross-domain security
hole is relatively difficult to exploit, and does require physical (or at
least interactive) access to a global catalog server.

-Longer names: There is no requirement for multiple domain forests to exist
in a contiguous namespace. In fact, there is no need for them to be related
namespaces at all. In fact, it is possible to set the root domain to be
root.domain.com and have the production domain named domain.com. The only
requisite here is that you have a sufficient knowledge of DNS such that you
can manage the DNS namespace.


------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 18, 2003 9:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Empty root domain benefits?
> 
> 
> Hi Cliff,
> 
> There are two pros that I am aware of...
> 
> 1. In the case of radical naming hierarchy surgery, e.g., acquisition of
> another company, it provides a convenient place to merge in the new domains.
> 
> 2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is
> often claimed, but in practice an empty root buys you little with respect to
> security.
> 
> Cons:
> 
> 1. It's not a single domain forest, which is the best of all possible worlds
> when you can do it.
> 
> 2. It makes names longer than they need to; a minor annoyance.
> 
> Unless you have some overriding reason for multiple domains (multiple sites
> and slow WAN links can be an issue), I would stick with a single domain
> forest. It makes life much simpler.
> 
> -gil
> 
> 
> -----Original Message-----
> From: Clifford Airhart [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 18, 2003 6:01 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Empty root domain benefits?
> 
> 
> Hello Everyone,
> 
>       The simplest domain model is the Single Forest / Single Domain. I
> was thinking of using this model with an "empty" root domain? Does anyone
> have any experience with "empty" root domain? Is it really beneficial? We
> are only a small company with a few hundred users and have 4 domains in a
> multimaster NT domain model.
> 
> What are the pros and cons?
> 
> Thanks,
> 
> Cliff Airhart 
> Answer Financial Inc. 
> Senior Systems Administrator - Server Support / eBusiness
> [EMAIL PROTECTED] 818.644.4225 We answer to you.
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/