| Author | Messages | |
listmail
Posts:763
 | | 07/08/2009 6:48 PM |
| Single Domain Model would be the preferred end state. Managing two domains in this case would be silly, IMHO. There are no gains in security nor availability doing it this way and with Windows Server 2008 the password/lockout policy stuff is granular so that isn't a concern either, you are simply adding management overhead. The one reason I can see off the top of my head is that it is cheaper to move 50% of the users and computers than 100%. But quite honestly, down the road someone is going to say, this is silly, let's just collapse to the root domain and it will happen anyway. If someone doesn't want to commit all the way but wants to collapse all but the root and NA, then collapse EU and AP into the root, at least you are going in the right direction then.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: Rick Sheikh [mailto:getshq@gmail.com] Sent: Wednesday, July 08, 2009 8:59 AM To: joe; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revisiting the infamous topic of multiple child domains vs Single domain fo
Joe, if your advice on AD doesn't matter then I don't know whose does.
Right now, the way those 6000 users are dispersed into three new target (child) domains is something along the lines of NA (50%), EU (25%), AP (25%).
For some reason, management is more accepting of the 1+1 model; being in this situation, I deem that a lesser evil than the current model. But you also don't see any reason whatsoever NOT to dump everything into the root and end up with a single-domain forest at the end of the day?
Thanks,
On Wed, Jul 8, 2009 at 6:54 AM, joe <listmail@joeware.net> wrote:
Subject: RE: [ActiveDir] Revisiting the infamous topic of multiple child domains vs Single domain forest Date: Wed, 8 Jul 2009 07:51:06 -0400
I concur if it matters. 
If you are going through cleaning up, clean up to a single domain, not a new subdomain. The one exception I could think of is if say 90% of the users/machines were in one domain already. Then maybe you would consider pulling things into that domain so you hit the least amount of users/machines. Gets you closer to a collapsed environment with minimal work. But the goal would still be to roll everything into the root if there are no other reasons to keep the multiple domains. For 6000 users, I don't think I ever would have thought to split it up in the first place but wasn't there in the room during the initial planning. Someone may have had a certain set of things in mind that made sense.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Tuesday, July 07, 2009 6:46 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Revisiting the infamous topic of multiple child domains vs Single domain forest
Correct
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Tuesday, July 07, 2009 5:43 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Revisiting the infamous topic of multiple child domains vs Single domain forest
And yes hitting every workstation in each domain to now roll it into the root would be really painful.
Brian, I assume you are still pretty solid on single-domain forest as opposed to that CORP.root.int (as 1+1) analogy I put forth? You don't see any reason why I should NOT go directly into root?
On Tue, Jul 7, 2009 at 5:36 PM, Rick Sheikh <getshq@gmail.com> wrote:
Thanks everyone, and Brian, yes, I do feel the same about GCs sharing forest-specific data to all DCs, as all DCs are GCs. And I think had there been a legal ramification in the picture, this issue would have arrived earlier; as mentioned earlier, this was a merger and one company had prior been operating under a single-domain forest and had offices in Paris, London and Madrid and some APAC regions as well. So I hope that is not a legal concern, but I will check. And no, the WAN pipes are pretty good too.
I am just trying to gather as much info as possible to table these facts in front of the CIO next week. With Exchange as the messaging solution in the picture, can the point of it being a simpler implementation in a consolidated single-domain forest also be valid?
Please pass on if anyone has any case study or an article to share.
Thanks,
On Tue, Jul 7, 2009 at 4:37 PM, Charlie Kaiser <charliek@golden-eagle.org> wrote:
Yep. Thus the need for good planning...
*********************** Charlie Kaiser charliek@golden-eagle.org Kingman, AZ ***********************
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
> Sent: Tuesday, July 07, 2009 1:56 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Revisiting the infamous topic of multiple child domains vs Single domain forest
>
> Global Catalog leaks the data either way depending what the definition of the "data" is.