Number "1" of these really drives me nuts and at this point I usually start shouting. As domains do NOT limit resource access, i.e. users in Domain "A" can access resources in domain "B" (in fact that's the usual reason for having trusts between domains) and the other way round, how can you justify different Security Requirements? They are in effect both securing the same objects.

Number "2" tends to become irrelevant if you have Exchange because that stuffs everything back into the GC that the AD designers took out, and you really need GCs everywhere.

Number "3" => Is a good reason to start rationalizing.

Having said that, when I worked for Compaq I produced a number of designs with an Empty Root and, as others have said, these were always passed by both Microsoft and Andersen Consulting as they were then.

Personally I would like to see the business benefit that all those extra DC's deliver. (That is business benefit to the customer, not to the server supplier and Microsoft.)

Dave.

P.S. Please note the above are my personal views and not those of Stockport Council.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 14:56
To: [email protected]
Subject: RE: [ActiveDir] Root Place Holder justification

Your subject is your answer. They need to justify a root domain. Is there an actual reason for it? There are only three reasons to have one, imho... (cut and pasted from a google search)

1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56 kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, April 26, 2006 9:37 AM
> To: ActiveDir.org
> Subject: [ActiveDir] Root Place Holder justification
>
> Does anyone have any official documentation as to the justification
> for a root place holder, pros and cons?
>
> Where I am - I have started at one domain and can see no reason to
> expand on that - they only have 6 DC's now in a single domain - yet
> the partner they have chosen is recommending a root place holder with 5
> DC's and then 8 in the child domain (they are NOT even supplying the
> tin) and I wanted some decent ammo - a little bit stronger than schema
> and Ent admin separation.
>
> I know at DEC the consensus was the desire to eliminate and I believe
> Guido and Wook have stated this for the past two DEC's
>
> I have searched this list and can find no relevant articles.
>
> Many thanks
>
> Regards
>
> Mark
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
