Are they the same people who are Enterprise Admins? IOW, are those your most trusted admins who have access to everything in AD one way or another? Since it is well known that the forest is the security boundary, all DAs of any of the domains need to be fully trusted throughout the forest.

We have a couple of empty root forests, and since the 3 of us who are Domain Admins in the child domains containing all the assets are also the uber-AD admins everywhere, it doesn't really make much difference to me whether I am administering the root with an account in the root or one in the child in MOST cases. There are exceptions, but they are rare.

Will it break anything if you remove it? I doubt it, unless perhaps you have service accounts involved and some odd configuration, but it is impossible to say definitively without knowing your environment.

I don't feel that way about trusts, and I administer our trusted domains differently, but with an empty root, a single child with implicit trusts both ways, and all admins involved being equal, I don't think it is that big of a deal. It depends on why you set up the empty root in the first place and what perceived separation there is in your organization between the root and the child.

My 2 penneth. I'd be curious what Brian thinks, since he works with some very large customers.

________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, September 24, 2009 5:12 AM
To: NT System Admin Issues
Subject: RE: Question on Upgrade process

Just got one follow-up question. In a 2-domain setup (empty root and then a child domain), is there a legitimate reason that the Domain Admins group of the child domain is in the root domain's Administrators group? I don't see the reason it should be and was going to remove it accordingly, but wanted to check to see if it would break anything first.

EZ
Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, September 16, 2009 9:06 AM
To: NT System Admin Issues
Subject: RE: Question on Upgrade process

DCs are GCs... So there are plenty of those.

Z
Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

________________________________
From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, September 16, 2009 5:25 AM
To: NT System Admin Issues
Subject: RE: Question on Upgrade process

I think that's a decent plan. If you run into issues, DCpromo the problem DC out of the environment, fix the SP issues, and re-promote. I assume you have a couple of GCs per domain.

Cheers
Ken

________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, 15 September 2009 10:03 PM
To: NT System Admin Issues
Subject: RE: Question on Upgrade process

Thanks Brian. There aren't hundreds of DCs in this upgrade, only about 8 total, and only 3-4 hold the FSMO roles (1 in the root) and 2 in the child domain. Basically just use the GUI or NTDSUTIL to transfer the roles, do a netdom query fsmo to check to make sure it moved, and do the SP as usual.

Z
Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

________________________________
From: Brian Desmond [mailto:[email protected]]
Sent: Tuesday, September 15, 2009 7:42 AM
To: NT System Admin Issues
Subject: RE: Question on Upgrade process

I don't typically do all that stuff, as I'm often doing hundreds of DCs. What I will do is move the FSMO roles to an alternate before bouncing the role owners.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132

________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, September 15, 2009 6:31 AM
To: NT System Admin Issues
Subject: Question on Upgrade process

I'd just like to quickly bounce this off the list. I have a task to upgrade a set of Domain Controllers from Windows 2003 SP1 to Windows 2003 SP2 accordingly. Do most of you do the DCs without the FSMO roles first, then run dcdiag, netdiag, and repadmin, and then do the servers with the FSMO roles accordingly?

Do you usually move your FSMO roles before you upgrade the machines accordingly? I haven't seen any issues in the 100+ upgrades that have been done already, but given these are the DCs, I'm just a little leery about replication issues, failure of a role server, etc. afterwards. Has anyone seen or experienced anything negative in their travels through the SP upgrade route?

Z
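The two checks the thread keeps coming back to, knowing which DCs hold the FSMO roles before they are bounced and whether a child domain's Domain Admins sits in the root domain's Administrators group, can be scripted rather than eyeballed. The block below is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module and an account that can read every domain in the forest, and it discovers domain names at run time rather than hardcoding them.

```powershell
# Added example: inventory FSMO role holders for the whole forest and flag any
# child domain whose Domain Admins group is a direct member of the forest root's
# built-in Administrators group. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles exist once per forest; domain roles exist once per domain.
$roles = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
foreach ($dns in $forest.Domains) {
    $d = Get-ADDomain -Identity $dns
    $roles["PDC Emulator ($dns)"]          = $d.PDCEmulator
    $roles["RID Master ($dns)"]            = $d.RIDMaster
    $roles["Infrastructure Master ($dns)"] = $d.InfrastructureMaster
}
# Cross-check this list against 'netdom query fsmo' before patching a role owner;
# any DC that appears here should have its roles transferred first.
$roles.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# BUILTIN\Administrators in the root domain is always S-1-5-32-544; read its
# 'member' attribute directly instead of Get-ADGroupMember, which can fail to
# resolve members that live in another domain of the forest.
$rootDns    = $forest.RootDomain
$rootAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $rootDns -Properties member

foreach ($dns in $forest.Domains) {
    if ($dns -eq $rootDns) { continue }
    # Domain Admins is always <domain SID>-512, so locate it by SID, not by name.
    $childSid = (Get-ADDomain -Identity $dns).DomainSID.Value
    $childDa  = Get-ADGroup -Identity "$childSid-512" -Server $dns
    # Direct membership only; nesting through another group is not followed here.
    if ($rootAdmins.member -contains $childDa.DistinguishedName) {
        Write-Warning "Domain Admins of $dns is a member of Administrators in root domain $rootDns"
    } else {
        Write-Output "Domain Admins of $dns is not in root Administrators of $rootDns"
    }
}
```

Run it once before the service pack rollout and once after each role transfer; the first half tells you which DCs can be patched without touching a role owner, the second tells you whether the membership the September 24 message asks about is actually present in your forest.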
