Boy, I just had a consultant recommend an
empty root “as best practice” for a divestiture we’re
doing. Like Gil and Joe, I really don’t see the benefit (nor could
the consultant name anything specifically). We have a single domain and delegate OU
rights based basically on an administrative team’s need to manage a group
of resources, typically computers. Users, groups and Exchange are managed
centrally. Moving things around within one domain is a whole lot easier
than among domains.

Al Maurer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick

As joe says, "it depends". AD
architecture is always a cost/benefit discussion, and most people don't really
understand 1) the real benefits of multiple domains, and 2) the additional
costs of running multiple domains. For instance, "additional
security" is often cited as a benefit of an empty root. An empty root
maybe provides a little additional security, but not much. The benefit depends
on your own risk evaluation. On the other hand, the ongoing operational
cost of a two domain forest is considerably higher than a single
domain forest. Additional hardware costs, additional diagnostic complexity, and
a more complicated DR situation all add to the costs of running multiple
domains.

My general recommendation is
to stick with a single domain if you can, and add additional domains if
you need to for password policy or controlling replication traffic. And if
you find you have to have multiple domains anyway, use an empty root, because
the incremental cost of an additional domain if you already have more than one
is pretty small. But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Ah good ol best practices. :) What is recommended? Whatever is best for
the customer of course. I guess my question is why one domain and
one root versus just one domain? What is the purpose of the root? I am not
saying this is bad by any stretch, there are good valid reasons for a root with
other domains hanging off of it. Just curious what the decision flow was like
to do it. Hopefully it wasn't something along the lines of reading "an
empty root" is good somewhere and going for it as it is totally context
sensitive.

I would say the overall design goal,
especially when Exchange is involved is to use a single domain forest. However,
if there is a good reason to add more domains, do it. Usually when someone says
they have a domain and a root they mean they have a domain and an EMPTY root
and I wonder about how the decision was arrived at.

We have had this discussion previously on
the list where some people are gung ho empty root and some people are gung ho
no-empty root and both pointing at best practices. I am more of the does it
make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Well, I just thought it would be best
practice to consolidate multiple domains to one. What’s
recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

You want to look at a couple of main points:

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.
2. How do you plan to do GPOs, if at all.
3. How is the
administration really going to work. For instance, if you use a provisioning
system for managing users (highly recommended) you don't generally want to
delegate those to local OU admins but instead keep them in a main OU that the
provisioning system only has control to.

Why one domain and one
root domain? I am not arguing one way or the other, just curious for the
reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

We’re in the process of
consolidating 21 child domains into just one and one root. We want to
separate the divisions (domains) into different OUs. Is there a guide or
best practice out there on delegating admin permissions on OUs? Also,
we’ve got Exchange permissions to deal with too.

Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
