[windows2000] Re: Active Directory & Win2003

  • From: "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 15 Mar 2004 23:16:21 -0500

Do you really need two domains, or could you do with two sites in the same 
domain?

When planning your active directory, there are very few reasons to have a 
separate domain.

I just went searching for the list that I know exists out there, and found 
almost exactly what I was going to post, so I'll just link to it:
http://tinyurl.com/33kc4
<----Snip---->
A good reference for AD design:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

A few points:

Create domains where security settings must be different. A few settings are
domain wide, such as password policy, account lockout, and Kerberos ticket
policy.

Replication is mostly within a domain. Sometimes you should create a new
domain for replication issues. However, usually creating Sites will solve
this.

However, more domains means more administration. Downside to more domains:

1. More DC's
2. Multiple Domain Admin groups
3. Trust issues
4. Must repeat group policy and access control
5. A user can only be authenticated by a DC in their home domain

I think it is best to minimize the number of domains, and only create more
where necessary for security reasons. Many very large organizations with
many 1000's of users have just one domain for users. Administration can be
delegated to OU's. Group Policy can be applied to OU's (and Sites). 20
domains especially sounds like a lot.

The big question is whether to have a dedicated (almost empty) root domain
with one or several child domains for users. This is discussed in the link
above. There are advantages to the dedicated root domain, but at the cost of
a few extra DC's.

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
<--Snip-->

Hope this helps,

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 
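Richard's criterion quoted above (create a separate domain only where the domain-wide security settings must differ) can be checked against an existing forest. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to every domain, tooling that did not exist on the Windows 2000/2003 systems discussed here.

```powershell
# Added example: compare the domain-wide password and account-lockout policy of
# every domain in the forest. Two domains with identical settings get no
# "different security settings" justification for being separate domains.
# Assumes the ActiveDirectory module is installed and each domain is reachable.
Import-Module ActiveDirectory

# The settings Richard lists as domain-wide. Kerberos ticket policy is also
# domain-wide but lives in the Default Domain Policy GPO, which this cmdlet
# does not expose, so it is left out here.
$fields = 'MinPasswordLength', 'PasswordHistoryCount', 'MaxPasswordAge', 'MinPasswordAge',
          'ComplexityEnabled', 'ReversibleEncryptionEnabled',
          'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow'

function Get-DomainWidePolicy {
    param([string]$Domain)
    # -Identity accepts the domain's DNS name; returns the effective default domain policy.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $row = [ordered]@{ Domain = $Domain }
    foreach ($f in $fields) { $row[$f] = $p.$f }
    [pscustomobject]$row
}

$domains  = (Get-ADForest).Domains
$policies = foreach ($d in $domains) { Get-DomainWidePolicy -Domain $d }

# Side-by-side view of all domains in the forest.
$policies | Format-Table -AutoSize

# Report, for every domain after the first, which domain-wide settings differ
# from the first domain. Values are compared as strings so TimeSpans and
# booleans are handled alike.
$baseline = $policies[0]
foreach ($p in ($policies | Select-Object -Skip 1)) {
    $diff = foreach ($f in $fields) {
        if ("$($p.$f)" -ne "$($baseline.$f)") { "$f ($($baseline.$f) vs $($p.$f))" }
    }
    if ($diff) {
        "$($p.Domain) differs from $($baseline.Domain): $($diff -join ', ')"
    } else {
        "$($p.Domain) has the same domain-wide policy as $($baseline.Domain); " +
        "sites and OUs may be enough instead of a separate domain"
    }
}
```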

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Matt Fowler
Posted At: Monday, March 15, 2004 12:51 PM
Posted To: Windows 2000
Conversation: [windows2000] Active Directory & Win2003
Subject: [windows2000] Active Directory & Win2003


Looking to begin our AD environment. We will have 2 domains that are in 2 
separate physical network zones. Both will have Internet connections. We 
want only 1 DNS root name. My inclination is to have an empty root domain 
that has our published Internet DNS name. Then, the 2 domains would have 
subsequent domains based off this root DNS name. Does this sound feasible? 
I understand we cannot have 2 forests with the same root DNS name. Is that 
accurate?

Thanks for any input along these lines. I will answer any questions if you 
want more information.

Matt Fowler
LAN Specialist
(847)925-6113
mfowler@xxxxxxxxxxxxxxx
********************************************************
This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to
relieve your stress.
http://www.StressedPuppy.com
********************************************************
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
********************************************************