Well, the impact is that all uni group membership changes replicate to every GC. 
If you’ve got concerns around WAN utilization, availability, latency, etc., 
then this could be worth looking at. In quite a lot of scenarios, the WAN 
issues that existed circa Windows 2000 don’t exist anymore, which makes this a 
less interesting discussion point. Without knowing about your customer’s 
environment and scale it’s hard to say.

I would say that it’s highly unlikely that I would design a new multi-domain 
forest except for some pretty isolated and specific design requirements these 
days.

Thanks,
Brian Desmond
[email protected]

w – 312.625.1438 | c   – 312.731.3132

From: Lora Cates [mailto:[email protected]]
Sent: Thursday, April 12, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Domain local vs. global vs. universal

I too am looking into this for a coming migration I've been asked to design for 
a customer.  What's the impact to GCs by making everything Universal Groups?  
Especially in a multi-domain, multi-forest environment?

-lc
________________________________
From: Brian Desmond <[email protected]>
To: NT System Admin Issues <[email protected]>
Sent: Thursday, April 12, 2012 12:02 PM
Subject: RE: Domain local vs. global vs. universal


In a single domain forest (or even many multi-domain forests today), I 
would just do all uni groups.

Thanks,
Brian Desmond
[email protected]

w – 312.625.1438 | c   – 312.731.3132

From: David Lum [mailto:[email protected]]
Sent: Thursday, April 12, 2012 11:28 AM
To: NT System Admin Issues
Subject: Domain local vs. global vs. universal

Today I found a global group in my AD (created by an SE that wasn’t me), but 
for this function I needed to add a domain local group to it and of course, 
that’s not possible. Someplace I heard in AD pretty much every group you use 
should be domain local unless it’s used for Exchange in which case you use 
Universal.  All groups I create are domain local and it simply works, but I 
know that doesn’t mean it’s right.

Before sending a note to the SE team on this I wanted to get a consensus from 
you guys. Comments?
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin