Do you really need two domains, or could you do with two sites in the same domain? When planning your Active Directory, there are very few reasons to have a separate domain. I just went searching for the list that I know exists out there, and found almost exactly what I was going to post, so I'll just link to it: http://tinyurl.com/33kc4

<----Snip---->

A good reference for AD design:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp

A few points:

Create domains where security settings must be different. A few settings are domain wide, such as password policy, account lockout, and Kerberos ticket policy.

Replication is mostly within a domain. Sometimes you should create a new domain for replication issues. However, usually creating Sites will solve this.

However, more domains means more administration. Downside to more domains:

1. More DC's
2. Multiple Domain Admin groups
3. Trust issues
4. Must repeat group policy and access control
5. A user can only be authenticated by a DC in their home domain

I think it is best to minimize the number of domains, and only create more where necessary for security reasons. Many very large organizations with many 1000's of users have just one domain for users. Administration can be delegated to OU's. Group Policy can be applied to OU's (and Sites). 20 domains especially sounds like a lot.

The big question is whether to have a dedicated (almost empty) root domain with one or several child domains for users. This is discussed in the link above. There are advantages to the dedicated root domain, but at the cost of a few extra DC's.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

<--Snip-->

Hope this helps,

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx]On Behalf Of Matt Fowler
Posted At: Monday, March 15, 2004 12:51 PM
Posted To: Windows 2000
Conversation: [windows2000] Active Directory & Win2003
Subject: [windows2000] Active Directory & Win2003

Looking to begin our AD environment. We will have 2 domains that are in 2 separate physical network zones. Both will have Internet connections. We want only 1 DNS root name.

My inclination is to have an empty root domain that has our published Internet DNS name. Then, the 2 domains would have subsequent domains based off this root DNS name.

Does this sound feasible? I understand we cannot have 2 forests with the same root DNS name. Is that accurate?

Thanks for any input along these lines. I will answer any questions if you want more information.

Matt Fowler
LAN Specialist
(847)925-6113
mfowler@xxxxxxxxxxxxxxx

********************************************************
This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to relieve your stress.
http://www.StressedPuppy.com
********************************************************
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm