Cool, thanks! I'll be sure to take a look at the activedir.org site. -lc
> ________________________________
> From: "Free, Bob" <[email protected]>
> To: NT System Admin Issues <[email protected]>
> Sent: Thursday, April 12, 2012 3:58 PM
> Subject: RE: Domain local vs. global vs. universal
>
> Lora meet Brian Desmond, author, Directory Services MVP, Conference Speaker
> and all around GoodGuy™
>
> Consensus on empty root these days is pretty much against unless you have a
> really good reason.
>
> I have 2 forests built that way in the past here back when that was the
> prescriptive guidance but the last one I did was a single domain.
>
> Many discussions on activdir over the years on the subject, one fairly
> recently. If you want to see some prolonged discussions look in the archives
> there.
>
> google ‘empty forest root site:activedir.org’
>
> From: Lora Cates [mailto:[email protected]]
> Sent: Thursday, April 12, 2012 1:09 PM
> To: NT System Admin Issues
> Subject: Re: Domain local vs. global vs. universal
>
> Well I've inherited what I'll kindly refer to as a "mess." I'm still in the
> information gathering phase myself as I haven't quite been here 12 days yet,
> and only found this list recently. So I'll apologize in advance for my faux
> pas.
>
> Basically I was hired to consolidate a plethora of disparate AD
> domains/forests in several geographically dispersed hospital groups into a
> single forest. I still haven't met with the networking folks, so I don't know
> what shape the WAN is in. My predecessor went so far as to set up the
> CompanyX.com parent domain and it's empty save the defaults, there is also a
> child domain of US.companyX.com with what appears to be the users from
> corporate. I've read several debates regarding an empty root. Is there a
> consensus on yea vs. nay?
>
> Speaking of reading, and apologies for any offense, are you this Brian
> Desmond? Active Directory: Designing, Deploying, and Running Active
> Directory, Fourth Edition
> -lc
>
> ________________________________
>
> From: Brian Desmond <[email protected]>
> To: NT System Admin Issues <[email protected]>
> Sent: Thursday, April 12, 2012 2:16 PM
> Subject: RE: Domain local vs. global vs. universal
>
> Well the impact is that all uni group membership changes replicate to every
> GC. If you’ve got concerns around WAN utilization, availability, latency,
> etc., then this could be worth looking at. In quite a lot of scenarios, the
> WAN issues that existed circa Windows 2000 don’t exist anymore which makes
> this a less interesting discussion point. Without knowing about your
> customer’s environment and scale it’s hard to say.
>
> I would say that it’s highly unlikely that I would design a new multi-domain
> forest except for some pretty isolated and specific design requirements these
> days.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w – 312.625.1438 | c – 312.731.3132
>
> From: Lora Cates [mailto:[email protected]]
> Sent: Thursday, April 12, 2012 1:05 PM
> To: NT System Admin Issues
> Subject: Re: Domain local vs. global vs. universal
>
> I too am looking into this for a coming migration I've been asked to design
> for a customer. What's the impact to GC's by making everything Universal
> Groups? Especially in a multi domain, multi forest environment?
>
> -lc
>
> ________________________________
>
> From: Brian Desmond <[email protected]>
> To: NT System Admin Issues <[email protected]>
> Sent: Thursday, April 12, 2012 12:02 PM
> Subject: RE: Domain local vs. global vs. universal
>
> In a single domain forest (or even many multi-domain forests today), I
> would just do all uni groups.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w – 312.625.1438 | c – 312.731.3132
>
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, April 12, 2012 11:28 AM
> To: NT System Admin Issues
> Subject: Domain local vs. global vs. universal
>
> Today I found a global group in my AD (created by an SE that wasn’t me), but
> for this function I needed to add a domain local group to it and of course,
> that’s not possible. Someplace I heard in AD pretty much every group you use
> should be domain local unless it’s used for Exchange in which case you use
> Universal. All groups I create are domain local and it simply works, but I
> know that doesn’t mean it’s right.
>
> Before sending a note to the SE team on this I wanted to get a consensus from
> you guys. Comments?
> David Lum
> Systems Engineer //NWEATM
> Office 503.548.5229//Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
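
Added example, not part of the thread: a small Python model of the scope nesting rules behind the failed Domain Local into Global add described above, used to work out the order in which existing groups could be converted if the all-universal suggestion is followed. It assumes a single forest, considers only group-in-group membership, and all group names are constructed.

```python
# Added illustration: group names and the inventory are constructed sample data.
# Assumes one forest and looks only at group-in-group membership.

# Scopes each parent scope may hold as direct group members.
MAY_CONTAIN = {
    "Global":      {"Global"},                               # same domain only
    "Universal":   {"Global", "Universal"},
    "DomainLocal": {"Global", "Universal", "DomainLocal"},   # DomainLocal: same domain
}

# name -> (scope, direct group members)
GROUPS = {
    "GG-Nursing":    ("Global",      []),
    "GG-Clinical":   ("Global",      ["GG-Nursing"]),
    "DL-EMR-Read":   ("DomainLocal", ["GG-Clinical"]),
    "DL-EMR-All":    ("DomainLocal", ["DL-EMR-Read"]),
    "UG-Mail-Staff": ("Universal",   ["GG-Clinical"]),
}

def blockers(name, groups):
    """Groups that must become Universal before `name` can be converted."""
    # Parents that could not hold the group once it is Universal (Global parents).
    parents = [p for p, (scope, kids) in groups.items()
               if name in kids and "Universal" not in MAY_CONTAIN[scope]]
    # Members a Universal group may not hold (Domain Local members).
    children = [c for c in groups[name][1]
                if groups[c][0] not in MAY_CONTAIN["Universal"]]
    return sorted(parents + children)

def conversion_order(groups):
    """Order in which every non-Universal group can be switched to Universal."""
    state = dict(groups)
    pending = {n for n, (scope, _) in state.items() if scope != "Universal"}
    order = []
    while pending:
        ready = sorted(n for n in pending if not blockers(n, state))
        if not ready:  # e.g. two Global groups nested in each other
            raise ValueError("circular nesting among: " + ", ".join(sorted(pending)))
        for n in ready:
            state[n] = ("Universal", state[n][1])
            order.append(n)
        pending -= set(ready)
    return order

if __name__ == "__main__":
    # The case from the thread: a Domain Local group cannot go into a Global group.
    print("DomainLocal in Global allowed:", "DomainLocal" in MAY_CONTAIN["Global"])
    for step, name in enumerate(conversion_order(GROUPS), 1):
        print(step, name)
```

Domain Local groups that hold members from trusted domains outside the forest are not modelled here and would need separate handling before a scope change.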
