It's more of an organizational policy decision than anything else. These
points might help you make your decision:

* The schema is forest-wide.

* There is only one Enterprise Administrator and one Schema Administrator
per forest.

* Even though most of the AD is multi-master, the FSMO roles aren't. The PDC
role owner is responsible for password change replication, and there is one
per forest.

* Within a forest, trusts are Kerberos, bi-directional, transitive, and
automatic. Between forests, trusts are NTLM, at the roots only, and are
manual (like NT4).


I'm a fan of simple directory implementation. If the politics in your
organization allow it, I'd recommend a single forest with a separate tree
for the HQ and each of the subs. Each sub is free to choose its own domain
admins. Since the trusts are automatic, you don't have to maintain them. You
can, however, break some trusts if you want to.

But: if each sub expects to make schema changes and they don't want to
coordinate those changes with the other subs, then use multiple forests. If
your subs don't trust those in the HQ who would carry the enterprise admin
and schema admin roles, then use multiple forests. If your WAN links between
your subs and the HQ are really bad and you're worried about password
changes not getting replicated, then use multiple forests.

Let me know if you have more questions. Also, there are a couple books we
publish on the AD. "Active Directory Technical Reference" has some good info
on AD design choices and also has the best description of the process
machines use to find domain controllers. "Building Enterprise Active
Directory Services" has detailed information on replication and logon
traffic, which is great info for diagnosing problems.

_______________________________________________________
Steve Riley
Microsoft Communications Consulting in Denver, Colorado
    [EMAIL PROTECTED]
    +1 303 521-4129 (mobile)
    www.microsoft.com/isn/
Applying computer technology is simply finding the right wrench to pound in
the correct screw.
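The bullets above describe objects that are scoped to the forest rather than to a domain (schema, the Enterprise and Schema Admins groups, the single-master roles, and the trust fabric). The following PowerShell is an added example, not part of this thread, that inventories those objects so the single-forest trade-offs can be reviewed concretely; it assumes the RSAT ActiveDirectory module is installed and the caller has read access to the forest root domain.

```powershell
# Added example (not from the original thread): inventory the forest-scoped
# objects that decide where the security boundary really sits.
# Assumes: RSAT ActiveDirectory module, read access to the forest root domain.
Import-Module ActiveDirectory

function Get-ForestBoundaryReport {
    $forest = Get-ADForest
    $root   = $forest.RootDomain

    # Forest-wide single-master roles: exactly one Schema Master and one
    # Domain Naming Master exist in the forest.
    $fsmoForestWide = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # The PDC Emulator handles urgent password-change replication; query it
    # for every domain in the forest so each tree's holder is visible.
    $pdcByDomain = foreach ($d in $forest.Domains) {
        [pscustomobject]@{ Domain = $d; PDCEmulator = (Get-ADDomain -Identity $d).PDCEmulator }
    }

    # Enterprise Admins and Schema Admins live only in the root domain but are
    # effective in every tree: whoever sits here is trusted by all subsidiaries.
    $privileged = foreach ($g in 'Enterprise Admins', 'Schema Admins') {
        $members = Get-ADGroupMember -Identity $g -Server $root -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{ Group = $g; Members = ($members -join ', ') }
    }

    # Intra-forest trusts are automatic and transitive. Anything with
    # IntraForest = $false is a manually created trust to another forest;
    # its SID filtering and selective-authentication settings are worth review.
    $trusts = Get-ADTrust -Filter * -Server $root |
        Select-Object Name, Direction, IntraForest, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringForestAware

    [pscustomobject]@{
        Forest           = $forest.Name
        ForestMode       = $forest.ForestMode
        Domains          = $forest.Domains
        FsmoForestWide   = $fsmoForestWide
        PdcEmulators     = $pdcByDomain
        PrivilegedGroups = $privileged
        Trusts           = $trusts
    }
}

$report = Get-ForestBoundaryReport
$report | Format-List
$report.PrivilegedGroups | Format-Table -AutoSize
$report.Trusts | Format-Table -AutoSize
```

Run it once per candidate design from a root-domain DC; the privileged-group membership and the non-intra-forest trusts are the two lines that answer the "do the subs trust HQ" question in Steve's reply.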
-----Original Message-----
From: avishver [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 22, 2000 11:52 AM
To: [EMAIL PROTECTED]
Subject: WIN2000 AD


Hello,

 Our organization is composed of headquarters and subsidiaries which are
quite autonomous.

 The operating system is win2000 and now we are trying to design the
Active Directory (AD) structure.

 One idea is to have the whole organization inside one forest so that every
subsidiary is a different tree.

 Another idea is to establish a different forest for every subsidiary.

 Some of us feel that establishing one big forest is dangerous because there
is no tight security control over the subsidiaries and, yet, this is AD
v.1.0.

 What do you think?

 Thanks

 Avi Shvartz

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]