Hi-

Child domain won't get you any sort of security boundary.

If you want to just keep the DNS namespace that's easy while having one actual AD domain. The DNS namespace of the clients/servers doesn't have to match that of the domain.

To answer the original question, with Windows 2008+, the only technical reason for a child really is to segment replication.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

> -----Original Message-----
> From: Fogarty, Richard R CTR USA USASOC [mailto:[email protected]]
> Sent: Thursday, December 03, 2009 10:02 AM
> To: NT System Admin Issues
> Subject: RE: Windows Child Domain
>
> Well, in this case, there is a separate forest that should be brought into our
> existing forest. We simply want to fold them in and set security boundaries
> using groups etc. They want to become a child domain so they can maintain
> the DNS name they have. I've told them they're really not related, but want
> to put an information paper together with pros/cons. Hoping to get MS'
> point of view too.
>
> -----Original Message-----
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Thursday, December 03, 2009 10:32 AM
> To: NT System Admin Issues
> Subject: RE: Windows Child Domain
>
> Well, really, I'd say the long and the short of it is about security
> boundaries.
>
> I know that the army used to stand-up a gazillion NT domains whereas the
> Navy had a single domain - purely because of the difference in how they
> viewed security boundaries.
>
> From a scaling perspective, there is almost never a reason to stand up a
> separate forest anymore. The only real reason is for separation of security.
> It is trivial, within a child domain, to compromise the enterprise domain and
> then have access to all domains in the forest. This is why the forest is the
> security boundary.
>
> From: Jon Harris [mailto:[email protected]]
> Sent: Thursday, December 03, 2009 10:26 AM
> To: NT System Admin Issues
> Subject: Re: Windows Child Domain
>
> Not that I can give you a real answer but that would depend on which Server
> OS you are using and the functional levels. There have been a number of
> changes between 2003 and 2008 that have changed this answer.
>
> Jon
>
> On Thu, Dec 3, 2009 at 10:19 AM, Fogarty, Richard R CTR USA USASOC
> <[email protected]> wrote:
>
> Can anyone explain to me when one would / should use a Child domain as
> opposed to setting up a new domain/forest?
>
> Rick

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
