We have a similar setup to you and are in the process of migrating 150 or so worldwide NT domains to a single AD domain (plus empty forest root). All the user and workstation accounts are migrated and we are just in the process of sorting out the servers, doing security translation and domain decommissioning.
We have a follow-the-sun approach for AD management. Domain Admin accounts are tightly controlled and limited to a few people. Everything else is delegated. So far we haven't come across issues with European (or other) laws. If you think you might have issues then get your legal people to give you a clear steer well before you finalise your design. And bear in mind that a domain is not a security boundary. If your offices in other countries require different security arrangements then you are likely to be looking at separate forests.

The most important thing is to work out a good delegation model early on. Assign accounts only the (bare minimum) permissions they need to carry out their functions and no more. Have a look at Microsoft's delegation whitepaper:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

Also ensure you have agreed global naming conventions for everything (users, computers, printers, groups, etc.) and try to find methods to enforce standardisation. Oh, and a clear group concept is useful too.

Tony

---------- Original Message ----------------------------------
From: RNVWWCUFPEGAUTFJMVRESKPNKMBIPB
Reply-To: [EMAIL PROTECTED]
Date: Wed, 28 Jan 2004 18:40:01 -0600

This is a question for the admins out there that work for companies with users and domains world-wide.....

We have been running Active Directory for two and a half years here at RockwellCollins on Windows 2000. We have an empty root domain and basically one large domestic domain serving around 15000 active users. We are in the middle of a project to bring our international domains up to Active Directory as well, with several due to roll to Windows 2003 soon. There are seven international domains ranging from 40 users to 700 users, each in a different country. The plan is to join all the domains into this one, existing forest.

The problem would be, due to export compliance and some European laws still being worked out, the potential need to lock Enterprise Admins out of any of the foreign domains. There currently are only two of us that are Enterprise Admins, due to the presence of that empty root and some good control when we moved to Active Directory. How do other companies deal with international domains in the same forest? Are we moving down the wrong road trying to consolidate into one forest?

To add to that, management is exploring the potential of a 'follow the sun' support model where domain admins from all the domains would be allowed administrator access between domains; that assumes we get through the export compliance issues that seem to be looming ahead of us.

Any thoughts or best practices?

Thanks
Mark Hocraffer
RockwellCollins

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
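The two practical checks behind Tony's advice (keep the privileged groups small and enforce the naming convention) and Mark's worry about Enterprise Admins' reach into every domain can be audited forest-wide. The script below is an added example for this thread, not code posted by either author. It assumes the RSAT ActiveDirectory module is installed, that the caller can read every domain in the forest, and it resolves the groups by well-known RID (512 Domain Admins, 519 Enterprise Admins, S-1-5-32-544 built-in Administrators) so renamed or localised group names do not hide them. The two naming regexes are placeholders for whatever convention the organisation agrees on, not a recommendation.

```powershell
# Added example: forest-wide audit of privileged group membership and naming-convention compliance.
# Assumes the RSAT ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

# Placeholder conventions (assumed, replace with the agreed global standard):
#   users:     two-letter country code followed by six digits, e.g. uk123456
#   computers: SITE-ROLE-NNNN, e.g. LON-SRV-0042
$NamingRules = @{
    user     = '^[a-z]{2}[0-9]{6}$'
    computer = '^[A-Z]{3}-(WS|SRV|DC)-[0-9]{4}$'
}

function Get-PrivilegedMembers {
    param([string]$Domain, [string]$GroupSid, [switch]$Recursive)
    # Resolve by SID so the check survives renamed/localised group names.
    $group = Get-ADGroup -Identity $GroupSid -Server $Domain
    try {
        Get-ADGroupMember -Identity $group -Server $Domain -Recursive:$Recursive |
            Select-Object @{n='Domain';e={$Domain}}, @{n='Group';e={$group.Name}},
                          SamAccountName, objectClass, distinguishedName
    } catch {
        # Cross-domain or foreign security principal members sometimes cannot be expanded
        # from this domain; report rather than silently skip them.
        Write-Warning "Could not fully expand $($group.Name) in ${Domain}: $_"
    }
}

$forest  = Get-ADForest
$root    = Get-ADDomain -Identity $forest.RootDomain
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }

# 1. Who really holds Domain Admins in each domain (nested membership expanded).
$privileged = @(foreach ($d in $domains) {
    Get-PrivilegedMembers -Domain $d.DNSRoot -GroupSid "$($d.DomainSID.Value)-512" -Recursive
})
# Enterprise Admins exists only in the forest root.
$privileged += Get-PrivilegedMembers -Domain $root.DNSRoot -GroupSid "$($root.DomainSID.Value)-519" -Recursive

# 2. Enterprise Admins is a member of every domain's built-in Administrators group by default;
#    list where that default is still in place (direct members only, so the EA group itself shows up).
$eaReach = foreach ($d in $domains) {
    Get-PrivilegedMembers -Domain $d.DNSRoot -GroupSid 'S-1-5-32-544' |
        Where-Object { $_.SID -and $_.SID.Value -eq "$($root.DomainSID.Value)-519" } |
        Select-Object Domain, @{n='EnterpriseAdminsInBuiltinAdministrators';e={$true}}
}

# 3. Naming-convention violations. Built-in accounts (RID < 1000, e.g. Administrator, krbtgt)
#    are excluded because they never fit a site convention.
$violations = foreach ($d in $domains) {
    Get-ADUser -Filter 'Enabled -eq $true' -Server $d.DNSRoot |
        Where-Object { [int]$_.SID.Value.Split('-')[-1] -ge 1000 -and
                       $_.SamAccountName -notmatch $NamingRules.user } |
        Select-Object @{n='Domain';e={$d.DNSRoot}}, @{n='Type';e={'user'}}, SamAccountName
    Get-ADComputer -Filter * -Server $d.DNSRoot |
        Where-Object { $_.Name -notmatch $NamingRules.computer } |
        Select-Object @{n='Domain';e={$d.DNSRoot}}, @{n='Type';e={'computer'}},
                      @{n='SamAccountName';e={$_.Name}}
}

$privileged | Sort-Object Domain, Group, SamAccountName | Format-Table -AutoSize
$eaReach    | Format-Table -AutoSize
$violations | Group-Object Domain, Type | Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a workstation that can reach a domain controller in every domain; the first table is the list to keep short, the second shows which domains still grant Enterprise Admins its default local Administrators membership, and the third gives the per-domain count of objects that would need renaming before a standard can be enforced.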
