It is a migration similar to any migration. Serious project depending on size and requiring considerable communication. If you have corporate email through say Exchange in the forest that adds even more complexity.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Is there any painless way to break away from a forest and create your own with little end user discomfort and downtime while still maintaining your own domain structure intact?

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Wow this is like déjà vu, I swear we went through this whole thought process a month or two ago on here....

The quick summary (no I will not spout the whole thing, it should be in the archives) of what I recall:

1. An admin in any domain has the power of being an Enterprise Admin, domains ARE NOT security boundaries. Each child domain should not have different admins because that can result in chaos and possible danger to the entire forest.
2. You cannot do DR testing with just a child domain.
3. Either your corp IT has to be involved with your DR testing or you should redesign into multiple forests.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly. Aside from creating new domains or modifying the schema, why would an admin need access to the root dc of a forest (the schema, domain naming master)? Furthermore, why would an admin in a child domain need enterprise admin privileges? I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain vmware'd on a laptop and it ended miserably. I am in the process of convincing the higher ups in my corp of letting our IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with concrete examples (aside from the DR one), ones that a semi tech aware CIO could relate to. What other compelling reasons would one need these rights for in day to day (or not so day to day) AD administration? We are a multi-domain (14) win2k forest in mixed mode with exchange2k in native mode. Thank you in advance for any assistance.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
