Well, in this case, there is a separate forest that should be brought into our existing forest. We simply want to fold them in and set security boundaries using groups etc. They want to become a child domain so they can maintain the DNS name they have. I've told them they're really not related, but want to put an information paper together with pros/cons. Hoping to get MS' point of view too.
-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Thursday, December 03, 2009 10:32 AM
To: NT System Admin Issues
Subject: RE: Windows Child Domain

Well, really, I'd say the long and the short of it is about security boundaries. I know that the Army used to stand up a gazillion NT domains whereas the Navy had a single domain - purely because of the difference in how they viewed security boundaries.

From a scaling perspective, there is almost never a reason to stand up a separate forest anymore. The only real reason is for separation of security. It is trivial, within a child domain, to compromise the enterprise domain and then have access to all domains in the forest. This is why the forest is the security boundary.

From: Jon Harris [mailto:[email protected]]
Sent: Thursday, December 03, 2009 10:26 AM
To: NT System Admin Issues
Subject: Re: Windows Child Domain

Not that I can give you a real answer but that would depend on which Server OS you are using and the functional levels. There have been a number of changes between 2003 and 2008 that have changed this answer.

Jon

On Thu, Dec 3, 2009 at 10:19 AM, Fogarty, Richard R CTR USA USASOC <[email protected]> wrote:

Can anyone explain to me when one would / should use a Child domain as opposed to setting up a new domain/forest?

Rick
