Hi Eddie
For all practical purposes, a domain is a replication and authentication
boundary and potentially an administration boundary, and an OU is an
administrative boundary. Wherever I authenticate, I need to talk to a DC
from my domain. All the DCs in my domain need to replicate the entire
domain structure between them. It can also be used as an administrative
boundary or GPO boundary.
An OU allows you to effectively control delegation and GPO application.
From the security standpoint, OUs may be a bit better - I can give my IT
people rights to the OU and the GPO and it would be difficult for them to
elevate those rights to be able to play with replication settings, DNS
settings, Default Domain Policies, or anything at the top level. If they
have physical access to a domain controller, however, they will be able to do
that anyway. A single domain also allows you to dictate the password policy
- since it can only be set at the domain level, everybody will get the exact
same policy for password length, complexity, etc. You can still dictate
this with multiple domains, but it makes monitoring it for changes more
difficult.
Key decision factors - if you need multiple password policies, you need
multiple domains. If you have serious bandwidth issues between locations
and a large number of changes in each location, you should consider separate
domains. If your IT people are likely to try to figure out how far they
can go and what they can do to elevate their rights, OUs with strict
delegation settings and no physical access to a DC or a backup device for
the DC will help. If you have a limited budget for things such as backup
services, a single domain may be worth considering as well (backups,
for example, could be done in 3 locations for a single domain with offsite
data storage at all three, and you would be pretty much able to recover from
anything, whereas 27 domains would require a DC backup at each location).
In our enterprise we use a domain for each region with up to 100 separate
OUs for the regional locations (possibly more - I have never counted).
Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
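James's point about OU delegation is easy to put to the test. The following PowerShell is an added example written for this page, not something posted to the thread: it delegates password-reset rights on one school's OU to that school's helpdesk group, scopes a GPO to the same OU, and then checks that the group holds no rights at the domain root or on the Domain Controllers OU (the place where the "top level" things he mentions live). It needs the RSAT ActiveDirectory and GroupPolicy modules; the OU, group and GPO names are assumptions, and the schema GUIDs are the well-known ones for the "Reset Password" extended right, the user class and the pwdLastSet attribute. It does nothing about the other half of his warning, physical access to a DC or its backups, which no ACL can fix.

```powershell
# Added example, not from the original thread. Names below (SchoolA, SchoolA-Helpdesk,
# "SchoolA Baseline") are assumptions; replace with your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName          # e.g. DC=district,DC=local
$schoolOU = "OU=SchoolA,$domainDN"             # assumed OU for one school
$helpdesk = "SchoolA-Helpdesk"                 # assumed delegated group
$gpoName  = "SchoolA Baseline"                 # assumed GPO name

# Well-known AD schema GUIDs (stable across forests)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute

$sid     = (Get-ADGroup -Identity $helpdesk).SID
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\SchoolA-Helpdesk
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents: applies to objects under the OU, not to the OU object itself
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. Delegation: reset password + write pwdLastSet, on user objects under this OU only.
$acl = Get-Acl -Path "AD:\$schoolOU"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPasswordRight, $inherit, $userClass))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    $pwdLastSetAttr, $inherit, $userClass))
Set-Acl -Path "AD:\$schoolOU" -AclObject $acl

# 2. GPO: the helpdesk may edit the school's GPO, but the GPO is linked only at the school OU.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
New-GPLink -Name $gpoName -Target $schoolOU -ErrorAction SilentlyContinue | Out-Null
Set-GPPermission -Name $gpoName -TargetName $helpdesk -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# 3. Check: the delegated group must have no ACEs (allow or deny, explicit or inherited)
#    at the domain root or on the Domain Controllers OU. Those two containers are where
#    Default Domain Policy links, DC policy and the domain-wide settings hang off.
function Get-DelegatedAces([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

$leaks = @()
foreach ($container in @($domainDN, "OU=Domain Controllers,$domainDN")) {
    $aces = Get-DelegatedAces -Path "AD:\$container" -Identity $account
    if ($aces) { $leaks += $aces | Select-Object @{n='Container';e={$container}}, ActiveDirectoryRights, ObjectType }
}

if ($leaks) {
    Write-Warning "$account has rights above its OU:"
    $leaks | Format-Table -AutoSize
} else {
    Write-Output "$account has no ACEs on $domainDN or the Domain Controllers OU; delegation stays inside $schoolOU."
}

# Rights actually granted under the school OU, for the record
Get-DelegatedAces -Path "AD:\$schoolOU" -Identity $account |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table -AutoSize
```

Run it as a domain admin from a management host. Re-running step 3 on a schedule (or diffing the output of `Get-Acl` on the domain root over time) is a cheap way to catch the kind of self-granted escalation James describes; the delegation itself should be done once and then left alone.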
"Eddie Greene" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/16/2005 12:39 PM AST
Please respond to ActiveDir

To: <[email protected]>
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir]
We have not rolled out AD yet and are banging our heads against the wall
figuring out which way to go. We have 24 schools, 1 main office, 1
maintenance shop, 1 bus garage. Would it be best for us to roll out a
single domain or 27 domains in our forest?
It is not important for our users to be able to go to other locations and
log into the system. It would be nice to be able to replicate a folder with
all the schools that contains programs you never have when you need them
(e.g. Adobe).
I haven't got a clear understanding of Domains vs. OUs. One way I read it,
it would be best for each school to be a domain, and in another reading I think
that each school just needs to be its own OU.
Any help would be greatly appreciated.
Eddie
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/