Not according to Jason Fossen, who led the "Securing Windows" track at the SANS Institute conference in New Orleans this past January. In his opinion (also supported by some recent MS articles that he cited), the "empty root domain" approach is unnecessary, and a waste of hardware and resources. He points out that a lot of time and effort goes into protecting a few Domain Controllers, while all the really important stuff is down in the so-called "lower level" domains. He says why not put the effort into protecting the important stuff?
As a result of my attending his session, I changed my AD design, and have now gone to a single AD Domain, combining one NT 4 Accounts Domain and ten NT 4 "Trusting" Resource Domains, and handled the whole thing with OUs within a single domain. It also makes life a LOT easier if you decide to move objects (users, computers, etc.) around, since it is just drag-and-drop between OUs in a domain.

Cheers

Bud Dawson
Local 2132 Windows System Administrator, MCSE 2000
[EMAIL PROTECTED]

-----Original Message-----
From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]
Sent: June 26, 2003 2:45 PM
To: NT 2000 Discussions
Subject: Empty root domain in AD

Is an empty root domain still recommended even for small (<100 users) single domain situations?

Robert G

------
You are subscribed as [EMAIL PROTECTED]
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
To unsubscribe send a blank email to %%email.unsub%%
