If you are going to have one domain and one domain up until eternity and you don't see your company growing much more than what it is right now, then I would go for a single domain/forest.
If not, then it's best to prepare for expansion by creating an empty root. Security is not the main reason for the empty root. Remember you can be the administrator in the root and it does not necessarily mean you have access to everything (schema master etc). You can place ACLs on objects in AD. In large enterprises, owners of the root domain have the responsibility for the entire forest (forest-wide replication, schema, etc). It is possible that you will possibly decide in the future, as you install multiple domains, to separate domain responsibility from forest-wide functions (for political reasons, etc).

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2003 16:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Empty root domain benefits?

I'd have to disagree on two of your four points.

-Enhanced Security: it is indeed more secure to keep the schema and enterprise admins group in a different domain. The cross-domain security hole is relatively difficult to exploit, and does require physical (or at least interactive) access to a global catalog server.

-Longer names: There is no requirement for multiple domain forests to exist in contiguous namespace. In fact, there is no need for them to be related namespaces at all. In fact, it is possible to set the root domain to be root.domain.com and have the production domain named domain.com. The only requisite here is that you have a sufficient knowledge of DNS such that you can manage the DNS namespace.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 9:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Empty root domain benefits?
>
> Hi Cliff,
>
> There are two pros that I am aware of...
>
> 1. In the case of radical naming hierarchy surgery, e.g., acquisition of
> another company, it provides a convenient place to merge in the new domains.
>
> 2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is
> often claimed, but in practice an empty root buys you little with respect to
> security.
>
> Cons:
>
> 1. It's not a single domain forest, which is the best of all possible worlds
> when you can do it.
>
> 2. It makes names longer than they need to; a minor annoyance.
>
> Unless you have some overriding reason for multiple domains (multiple sites
> and slow WAN links can be an issue), I would stick with a single domain
> forest. It makes life much simpler.
>
> -gil
>
> -----Original Message-----
> From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 6:01 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Empty root domain benefits?
>
> Hello Everyone,
>
> The simplest domain model is the Single Forest / Single Domain. I
> was thinking of using this model with an "empty" root domain? Does anyone
> have any experience with "empty" root domain? Is it really beneficial? We
> are only a small company with a few hundred users and have 4 domains in a
> multimaster NT domain model.
>
> What are the pros and cons?
>
> Thanks,
>
> Cliff Airhart
> Answer Financial Inc.
> Senior Systems Administrator - Server Support / eBusiness
> [EMAIL PROTECTED] 818.644.4225
> We answer to you.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
