halfloaded | Posts: 0 | 06/11/2009 4:58 PM
I am looking at moving from a convoluted multi-domain environment to a single domain, single forest model. We only have roughly 20,000 objects (users, computers, etc). We are in the final stages of design and have stumbled on a question. It is half a dozen of one, six of the other. Do we set up an empty forest root domain or just use the forest root domain for our setup?
If we go with an empty root, our domain model will look like: Forest Root = company.com; Populated Domain: ldap.company.com.
If we go with a populated root, we would just go with ldap.company.com. Any suggestions? We want to get this right but the arguments for and against the empty root are sort of fluffy. I'm at the point of just picking one but I wanted to check with the real experts before assuming the decision doesn't really matter at the end of the day.
Thanks for the advice!
A
bsonposh | Posts: 409 | 06/11/2009 5:02 PM
no empty root... single Domain FTW!
jochaves | Posts: 5 | 06/11/2009 5:08 PM
Best Practice Active Directory Design for Managing Windows Networks http://technet.microsoft.com/en-us/library/bb727085.aspx#EHAA
Table 8 Reasons for Including a Dedicated Forest Root in Your Design

| Reason | Explanation |
| --- | --- |
| Fewer administrators can make forest-wide changes | Limiting the forest root domain administrative membership reduces the likelihood that an administrative error will impact the entire forest. |
| Easily replicated for forest backup | A small root domain can be easily replicated anywhere on your network to provide protection against geographically centered catastrophes. |
| Never becomes obsolete | You can never retire the root domain, even if your organization changes. A dedicated root domain never becomes obsolete because it functions solely as the forest root. |
| Ownership easily transferred | Transferring ownership of the root domain to transfer forest ownership does not involve migrating production data or resources. |
The role of the forest root domain centers on defining and managing the infrastructure. Managing the directory infrastructure requires new administrative roles and responsibilities. Plan to reserve the dedicated root domain for forest administration exclusively. Avoid including any users or resources not dedicated to forest administration in the forest root domain.
--
Jonathan Chaves Avalos
jochaves@gmail.com
"The best criticism is that which answers not to the will to offend, but to freedom of judgement." -- Fernando Sánchez Dragó (1936-), Spanish writer.
PARRIS | Posts: 293 | 06/11/2009 5:08 PM
Single domain - life will be so much easier.
Regards,
Mark Parris
[ADUG] UK Active Directory User Group http://adug.co.uk
halfloaded | Posts: 0 | 06/11/2009 5:12 PM
I read that article. However, it is from the Server 2000 Best Practices. MS Best Practices have changed in the last ~8 years.
-- Andrew J Healey http://halfloaded.com
gossp13 | Posts: 7 | 06/11/2009 5:20 PM
Try this page out.
http://technet.microsoft.com/en-us/library/cc732201(WS.10).aspx
PARRIS | Posts: 293 | 06/11/2009 5:26 PM
In the days of Windows 2000 this was the advice Microsoft used to give; as the product has evolved, the advice is more to start with a single domain and justify the reason for having any more.
Regards,
Mark Parris
[ADUG] UK Active Directory User Group http://adug.co.uk
CKaiser | Posts: 41 | 06/11/2009 5:28 PM
My take? It's based on your org's plans for the future. Doing any M&A? Grafting on related but separate domains is easier with an empty root. But the tools nowadays allow for pretty granular forest trusts and cross-forest auth, although they can still be a pain to manage. If you think you are going to need additional domains (as in separate businesses) over the next 5 years, an empty root might make sense. But otherwise? Single forest, single domain.
Politics can frequently drive this decision far beyond the technical aspects, though. Make sure your C-level stakeholders buy into the decision, and make sure they understand that there will NOT be as many domain admins as before. Get buyoff on that. Depending on your org, there can be a lot of blowback from the DAs in the other domains over this. Having high-level management support makes all the difference in the world.
I'd say better than 95% of the time I design SFSD models rather than empty roots. I've found that the politics of elevated rights is by far the most contentious part of the whole process...
***********************
Charlie Kaiser
charliek@golden-eagle.org
Kingman, AZ
***********************
bsonposh | Posts: 409 | 06/11/2009 5:28 PM
To be clear.... it was never really a good idea
halfloaded | Posts: 0 | 06/11/2009 5:32 PM
The 2008 documentation doesn't discuss empty roots. I'm assuming it is not a best practice. However, it is still a design consideration. I am really leaning to just populating the forest root and being done with it. Are there any arguments against it? I can't really find many, which makes me think this thinking is old school.
-- Andrew J Healey http://halfloaded.com
neil.ruston@credit-suisse.com | Posts: 0 | 06/11/2009 5:34 PM
Consider the future - if your company merges or buys another company and you want to 'graft' their AD onto yours, you may need to construct another domain in the forest. The first domain will 'own' the forest wide groups (EA and SA) and this may not be acceptable, politically, to the new company.
Furthermore, if you ever want to rename a domain, you'll be snookered with a single domain forest, since the first/root domain can never be renamed.
I'm a big fan of 'the fewer domains the better' but often the political factors outweigh the technical factors when designing a forest structure.
Put together pros and cons of both models and force someone in authority to pick one and sign off [in blood]!
neil
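The forest-wide groups neil mentions (Enterprise Admins and Schema Admins) and the Table 8 point about limiting forest root administrative membership both come down to the same operational check: who actually sits in those two groups, whichever model is chosen. The following PowerShell script is an added example, not code from the list or from Microsoft's guidance. It reports the forest root domain and whether the forest is a single-domain forest, then lists the recursive membership of Schema Admins and Enterprise Admins, resolving them by their well-known RIDs (518 and 519) in the root domain so it works for both an empty root (company.com) and a populated root (ldap.company.com). It assumes the RSAT ActiveDirectory module is installed and that the session runs as an account with read access to the forest root domain; the Enterprise Admins review threshold is a value chosen for this example.

```powershell
# Added example (not from the thread or from Microsoft): audit the two forest-wide
# admin groups that always live in the forest root domain, for either design model.
# Assumes the RSAT ActiveDirectory module and an account with read access to the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain -Server $forest.RootDomain

Write-Output "Forest root domain : $($forest.RootDomain)"
Write-Output "Domains in forest  : $($forest.Domains -join ', ')"
if (@($forest.Domains).Count -eq 1) {
    Write-Output "Model              : single forest, single domain (the root is the populated domain)"
} else {
    Write-Output "Model              : multi-domain forest (the root may be a dedicated/empty root)"
}

# Well-known RIDs for the forest-wide groups; both groups exist only in the root domain.
$forestGroups = [ordered]@{
    'Schema Admins'     = 518
    'Enterprise Admins' = 519
}

# Review threshold chosen for this example; adjust to the number of standing EA holders you accept.
$maxEnterpriseAdmins = 2

$report = foreach ($name in $forestGroups.Keys) {
    $sid = "$($rootDomain.DomainSID.Value)-$($forestGroups[$name])"

    # -Recursive flattens nested groups so that indirect members are counted as well.
    $members = @(Get-ADGroupMember -Identity $sid -Server $forest.RootDomain -Recursive)

    foreach ($m in $members) {
        [pscustomobject]@{
            Group          = $name
            Member         = $m.SamAccountName
            ObjectClass    = $m.objectClass
            # Domain part of the DN: shows which domain each member really comes from.
            MemberDomainDN = ($m.distinguishedName -split ',(?=DC=)', 2)[1]
        }
    }

    # Schema Admins is normally kept empty outside a planned schema change window.
    if ($name -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning "Schema Admins has $($members.Count) member(s); expected 0 outside a schema change window."
    }
    if ($name -eq 'Enterprise Admins' -and $members.Count -gt $maxEnterpriseAdmins) {
        Write-Warning "Enterprise Admins has $($members.Count) member(s); review whether each one needs forest-wide rights."
    }
}

$report | Format-Table -AutoSize
```

Run it from a domain-joined management host; the two warnings are the items to carry into the sign-off neil describes, since in a populated-root design they are the concrete expression of "fewer administrators can make forest-wide changes" once there is no separate root domain to keep them in.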
PARRIS | Posts: 293 | 06/11/2009 5:38 PM
In those early days lots of advice was given which has matured over the years into "Current Best Practice" - I still remember collapsing our global Windows 2000 forest and implementing 18 separate global forests as a result.
It was like watching my life story at TechED as the scenario was presented.
Regards,
Mark Parris
[ADUG] UK Active Directory User Group http://adug.co.uk
| PARRIS
Posts:293
 | | 06/11/2009 5:47 PM |
| I recommend searching this list's archive; it has come up many times before - I even remember asking this same question a few years ago.
Regards,
Mark Parris
[ADUG] UK Active Directory User Group http://adug.co.uk
-----Original Message----- From: Andrew Healey <drewhealey@gmail.com>
Date: Thu, 11 Jun 2009 09:12:20 To: <activedir@mail.activedir.org> Subject: Re: [ActiveDir] To Empty Root or Not?
I read that article. However, it is from the Server 2000 Best Practices. MS Best Practices have changed in the last ~8 years.
-- Andrew J Healey http://halfloaded.com
| | | |
| halfloaded
Posts:0
 | | 06/11/2009 5:49 PM |
| We just got off the phone w/ MS and they echoed the sentiments here. It really came down to a couple reasons.
Reasons for an empty root if bandwidth and database size are non-issues: office politics and lazy admins. Most other scenarios can be worked into the SFSD model.
Thanks for all the advice.
On 6/11/09, Mark Parris (L) <lists@baseit.co.uk> wrote:
> In those early days lots of advice was given which has matured over the years into "Current Best Practice" - I still remember collapsing our global Windows 2000 forest and implementing 18 separate global forests as a result.
>
> It was like watching my life story at TechED as the scenario was presented.
>
> Regards,
>
> Mark Parris
>
> [ADUG] UK Active Directory User Group
> http://adug.co.uk
>
> -----Original Message-----
> From: Brandon Shell <tshell@gmail.com>
> Date: Thu, 11 Jun 2009 12:28:33
> To: <activedir@mail.activedir.org>
> Subject: Re: [ActiveDir] To Empty Root or Not?
>
> To be clear.... it was never really a good idea
-- Andrew J Healey http://halfloaded.com
| | | |
| davewade
Posts:119
 | | 06/11/2009 5:59 PM |
| I don't like the empty root domain. It uses extra servers, some of which must be real. I think you probably need at least three to be secure. It complicates the administration model. If you have the bandwidth, go single domain and make sure you choose a business neutral domain name, as you can't rename it.
As for the "prune and graft" well that doesn't wash with me. I did some tests some time ago and it was far easier to migrate users in and out of the single domain than it was to deal with subsidiary domains. You can't detach a domain from a forest and graft it into a new forest, you have to create a new domain and migrate the users.
The separate domains also assume you can predict which users are going to move and make sure the domain structure matches the way the business is going to be re-organized in the future. IMHO things don't work like this in business. Many businesses are continually evolving and changing. When businesses split and evolve there is often a fundamental re-organization at the same time. Management "cherry pick" the bits they think will fit with the way strategy is developing, sell what they can get good money for and close the rest.
If you have multiple domains and they don't fit the way management has cherry picked, you will have to re-hash the domain structure at the same time as you reorganize. You may have to create extra domains. Moving folks between domains requires tools which are non-intuitive. Much easier to have a single domain and drag and drop people between OUs than to have to migrate them between domains in the same organization....
So to sum up, I think that a single domain has significant advantages in both static and dynamic organizations. You need fewer DCs (I know, not all that many in a big org, but in ours it would double the number of DCs), and it gives complete flexibility in the way you restructure. Just drag and drop the users, no SID History, no worry about Domain Local/Global/Universal Groups etc etc.
Dave Wade
From: Andrew Healey Sent: Thu 11/06/2009 17:30 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] To Empty Root or Not?
The 2008 documentation doesn't discuss empty roots. I'm assuming it is not a best practice. However, it is still a design consideration. I am really leaning to just populating the forest root and being done with it. Are there any arguments against it? I can't really find many which makes me think this thinking is old school.
On 6/11/09, Pat Goss <gossp13@gmail.com> wrote:
> Try this page out.
>
> http://technet.microsoft.com/en-us/library/cc732201(WS.10).aspx
-- Andrew J Healey http://halfloaded.com
| | | |
| gabriel/tfi
Posts:427
 | | 06/11/2009 8:56 PM |
| Why "the first/root domain can never be renamed"? We renamed it some years ago. - Gabriele.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Ruston, Neil Sent: giovedì 11 giugno 2009 18.31 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] To Empty Root or Not?
Consider the future - if your company merges or buys another company and you want to 'graft' their AD onto yours, you may need to construct another domain in the forest. The first domain will 'own' the forest wide groups (EA and SA) and this may not be acceptable, politically, to the new company.
Furthermore, if you ever want to rename a domain, you'll be snookered with a single domain forest, since the first/root domain can never be renamed.
I'm a big fan of 'the fewer domains the better' but often the political factors outweigh the technical factors when designing a forest structure.
Put together pros and cons of both models and force someone in authority to pick one and sign off [in blood]!
neil
_____
From: activedir-owner@mail.activedir.org on behalf of Jonathan Chaves Sent: Thu 11/06/2009 17:06 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] To Empty Root or Not?
Best Practice Active Directory Design for Managing Windows Networks
http://technet.microsoft.com/en-us/library/bb727085.aspx#EHAA
Table 8 Reasons for Including a Dedicated Forest Root in Your Design

| Reason | Explanation |
| --- | --- |
| Fewer administrators can make forest-wide changes | Limiting the forest root domain administrative membership reduces the likelihood that an administrative error will impact the entire forest. |
| Easily replicated for forest backup | A small root domain can be easily replicated anywhere on your network to provide protection against geographically centered catastrophes. |
| Never becomes obsolete | You can never retire the root domain, even if your organization changes. A dedicated root domain never becomes obsolete because it functions solely as the forest root. |
| Ownership easily transferred | Transferring ownership of the root domain to transfer forest ownership does not involve migrating production data or resources. |
The role of the forest root domain centers on defining and managing the infrastructure. Managing the directory infrastructure requires new administrative roles and responsibilities. Plan to reserve the dedicated root domain for forest administration exclusively. Avoid including any users or resources not dedicated to forest administration in the forest root domain.
-- Jonathan Chaves Avalos jochaves@gmail.com The best criticism is the one that answers not to the will to offend but to the freedom of judgement. -- Fernando Sánchez Dragó (1936-), Spanish writer.
| | | |
| scharique
Posts:0
 | | 06/11/2009 9:02 PM |
| Good call Gabriele. I too remember that being possible. I am interested in knowing why some think it's not.
On Thu, Jun 11, 2009 at 2:56 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
> See also Tony's article:
>
> http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/68/Default.aspx
>
> Gabriele.
| | | |
| andrew
Posts:77
 | | 06/11/2009 9:19 PM |
| Lucky that wasn't pr0n!
On 11/06/2009, Pat Goss <gossp13@gmail.com> wrote:
> Sorry, too many windows open, selected the wrong one!
>
> Try this one out.
>
> http://technet.microsoft.com/en-us/library/cc726016(WS.10).aspx
>
> -pat
-- Sent from my mobile device
| | | |
| andrew
Posts:77
 | | 06/11/2009 9:25 PM |
| I agree it certainly is possible to rename but it's not something you want to do lightly. It's one of those operations that are tricky to undo in the event of problems.
Thanks Andrew
-- Sent from my mobile device
| | | |
| oz.ozugurlu
Posts:38
 | | 06/11/2009 9:45 PM |
| I believe the only reason to implement an empty root domain was to protect the Enterprise Admins, which is no longer needed.
Single domain, single DNS namespace is the best implementation in my opinion; using delegation and designing the OU structure without making it too complex is also one of the good ways to consider. --oz
Oz Casey Dedeal
-- Oz Casey Dedeal Systems Engineer MVP (exchange)
MCITP (EMA) ,MCITP(EA),MCITP(SA), MCSE 2003| M+| S+ | MCDST Security+|Project+| Server+|
oz@SMTp25.org http://smtp25.blogspot.com (Blog) http://telnet25.wordpress.com/ (Blog) http://telnet25.spaces.live.com/ (Blog)
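Table 8's first row and Oz's point both reduce to the same two questions: how many principals can make forest-wide changes, and does the root domain really hold nothing but forest administration. The read-only audit below is an added example written for this thread, not code from any poster or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module, read access to the forest root domain, and a member threshold (5) that is my own choice.

```powershell
# Added example, not from the thread: audit the forest root domain for the
# properties Table 8 argues for (small forest-wide admin groups, a root that
# holds no production objects, enough DCs to survive losing one).
# Assumes the RSAT ActiveDirectory module; read-only against the root PDC.
Import-Module ActiveDirectory

function Get-ForestRootExposure {
    [CmdletBinding()]
    param(
        # Threshold chosen for this example; tune to your own design.
        [int]$MaxForestAdmins = 5
    )

    $forest     = Get-ADForest
    $root       = Get-ADDomain -Identity $forest.RootDomain
    $rootServer = $root.PDCEmulator   # query the root domain explicitly

    # Forest-wide groups exist only in the root domain. Resolve them by
    # well-known RID so the audit does not depend on localised group names:
    # 519 = Enterprise Admins, 518 = Schema Admins, 512 = Domain Admins.
    $ea = Get-ADGroup -Identity "$($root.DomainSID)-519" -Server $rootServer
    $sa = Get-ADGroup -Identity "$($root.DomainSID)-518" -Server $rootServer
    $da = Get-ADGroup -Identity "$($root.DomainSID)-512" -Server $rootServer

    # Recursive membership, because nesting is how these groups quietly grow.
    $members = @{}
    foreach ($g in @($ea, $sa, $da)) {
        $members[$g.Name] = @(Get-ADGroupMember -Identity $g -Recursive -Server $rootServer)
    }

    # A dedicated root should hold (almost) no ordinary users or computers.
    # Built-in accounts and the DCs themselves are excluded from the counts.
    $dcNames   = @((Get-ADDomainController -Filter * -Server $rootServer).Name)
    $users     = @(Get-ADUser -Filter { Enabled -eq $true } -Server $rootServer |
                   Where-Object { $_.SamAccountName -notin @('Administrator', 'krbtgt', 'Guest') })
    $computers = @(Get-ADComputer -Filter * -Server $rootServer |
                   Where-Object { $_.Name -notin $dcNames })

    $eaCount = $members[$ea.Name].Count
    $saCount = $members[$sa.Name].Count

    [pscustomobject]@{
        Forest                = $forest.Name
        RootDomain            = $root.DNSRoot
        DomainsInForest       = @($forest.Domains).Count
        RootDomainControllers = $dcNames.Count
        EnterpriseAdmins      = $eaCount
        SchemaAdmins          = $saCount
        RootDomainAdmins      = $members[$da.Name].Count
        RootEnabledUsers      = $users.Count
        RootMemberComputers   = $computers.Count
        Findings              = @(
            if ($eaCount -gt $MaxForestAdmins) {
                "Enterprise Admins has $eaCount recursive members (threshold $MaxForestAdmins)"
            }
            if ($saCount -gt 0) {
                "Schema Admins is not empty; keep it empty outside schema changes"
            }
            if ($dcNames.Count -lt 2) {
                "Root domain has a single DC; losing it means losing the forest"
            }
            if (@($forest.Domains).Count -gt 1 -and $users.Count -gt 0) {
                "Root domain holds $($users.Count) enabled users; it is not a dedicated root"
            }
        )
    }
}

Get-ForestRootExposure | Format-List
```

In a populated single-domain forest the last finding never fires by design; the first three are the ones that still matter there, since Enterprise Admins and Schema Admins live in that one domain alongside everything else.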
| | | |
|
|