> For example in my environment (public school) I could make a case that
> Teachers need a strong password policy and a quick lockout while the
> students do not (and should not because they typo passwords so often).
> We don't do that and only have a single domain but it is a valid
> example.

Been down that exact road before a few times. Ended up making the kids rough it out and learn how to have a real password, might as well learn sooner or later you know. Your website says you have about as many area residents as I do employees too. :)

MCS pitched this client's empty root and two child domain model that was partially an internal political compromise ... there's no real technical value other than I have a lot more hardware to worry about on any given day.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: Wednesday, April 26, 2006 10:44 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Root Place Holder justification
>
> I view number 1 security issues more at the GPO level than the resource
> level. Password and lockout policies on accounts.
>
> For example in my environment (public school) I could make a case that
> Teachers need a strong password policy and a quick lockout while the
> students do not (and should not because they typo passwords so often).
> We don't do that and only have a single domain but it is a valid
> example.
>
> I could only get the above with teachers in one domain and students in
> another. But that is a case for two domains, not the empty root domain
> that it seems the OP is being pushed towards.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> > Sent: Wednesday, April 26, 2006 10:29 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Root Place Holder justification
> >
> > Number "1" of these really drives me nuts and at this point I usually
> > start shouting. As domains do NOT limit resource access, i.e. users in
> > Domain "A" can access resources in domain "B" (in fact that's the
> > usual reason for having trusts between domains) and the other way round,
> > how can you justify different Security Requirements? They are in effect
> > both securing the same objects.
> >
> > Number "2" tends to become irrelevant if you have Exchange because
> > that stuffs everything back into the GC that the AD designers took
> > out, and you really need GCs everywhere.
> >
> > Number "3" => Is a good reason to start rationalizing.
> >
> > Having said that, when I worked for Compaq I produced a number of
> > designs with an Empty Root and as others have said, these were always
> > passed by both Microsoft and Andersen Consulting as they were then.
> > Personally I would like to see the business benefit that all those
> > extra DCs deliver. (That is business benefit to the customer, not to
> > the server supplier and Microsoft).
> >
> > Dave.
> >
> > P.S. Please note the above are my personal views and not those of
> > Stockport Council.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> > Sent: 26 April 2006 14:56
> > To: [email protected]
> > Subject: RE: [ActiveDir] Root Place Holder justification
> >
> > Your subject is your answer. They need to justify a root domain. Is
> > there an actual reason for it?
> >
> > There are only three reasons to have one, imho....(cut and pasted from
> > a google search)
> >
> > 1. Security requirements are different (password, lockout, and
> >    Kerberos policies must be applied at the domain level).
> > 2. To control/limit replication (but note the recommendations for
> >    number of objects in a domain with slow links - if the slowest link is
> >    56 kbps, the domain should have no more than 100,000 users).
> > 3. Because you inherit a multiple domain setup.
> >
> > I question number three myself. I would rather clean it up than
> > continue with a past decision but I guess that depends upon the impact
> > to operations and the complexity of consolidation.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > > Sent: Wednesday, April 26, 2006 9:37 AM
> > > To: ActiveDir.org
> > > Subject: [ActiveDir] Root Place Holder justification
> > >
> > > Does anyone have any official documentation as to the justification
> > > for a root place holder, pros and cons?
> > >
> > > Where I am - I have started at one domain and can see no reason to
> > > expand on that - they only have 6 DCs now in a single domain - yet
> > > the partner they have chosen is recommending a root place holder with 5
> > > DCs and then 8 in the child domain (they are NOT even supplying the
> > > tin) and I wanted some decent ammo - a little bit stronger than schema
> > > and Ent admin separation.
> > >
> > > I know at DEC the consensus was the desire to eliminate and I believe
> > > Guido and Wook have stated this for the past two DECs.
> > >
> > > I have searched this list and can find no relevant articles.
> > >
> > > Many thanks
> > >
> > > Regards
> > >
> > > Mark
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
