Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Randy [message #412136] Mon, 15 March 2010 06:15
Sankar Ganesh (United States), Junior Member; Messages: 2; Registered: March 2010
Hi Rand,

Have you completed your project? Because right now I am having the same scenario. If you completed this project, can you guide me to implement it by providing the domain structure?

I need to submit the proposal to the management.

Thank you very much in advance.

shankar



Randy Jackson wrote:

Place holder root domain advantage
05-Aug-08

I've been struggling with a domain design to choose. I've always read that it is best practice design to create an empty place holder root domain to hold the enterprise admin group and to hold the forest schema operations role. Then have another domain to hold all users/groups/computers. The alternative being one domain that holds all of the above.

There are obviously additional hardware costs associated with the empty place holder domain, but there isn't going to be much administrative overhead since the domain is going to be basically unused.

What are the underlying reasons why the place holder root domain is set up, and should this domain design be favored in a large enterprise organization vs the single domain model?

Thank you.

Previous Posts In This Thread:

On Tuesday, August 05, 2008 9:36 PM
Randy Jackson wrote:

Place holder root domain advantage

On Wednesday, August 06, 2008 12:50 AM
Ace Fekay [MVP Directory Services] wrote:

Re: Place holder root domain advantage
"Randy Jackson" <jacksors@yahoo.com> wrote in message
news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...

You've stated the basic reasons. A place holder for the tree, offering a contiguous namespace, as well as hiding the EA and Schema Admins.

In the past, back in the early 2000 days, it was the basic thinking to use an empty root. However, the design mentality of an empty root has changed with increased features and changes in 2003 security, or basically because of budget. So the most common designs are simply one domain unless you need across-the-pond or business partner migrated domains in a decentralized delegation. Keep in mind, you can protect a single domain design by keeping everyone else out of the Domain Admins group and using OU or specific delegation.

I remember at one point when arguing about having an empty root or just one domain, that as a child domain admin, I was able to access certain parts of the containers using ADSI Edit and could have done damage to the forest. So why bother with the empty root? But like I said, security has changed.

I remember you posted before about Exchange design concerns, but not sure if we discussed number of users and Sites, or other specifics for a directory service. How many users? Sites?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

On Wednesday, August 06, 2008 8:47 AM
Paul Bergson [MVP-DS] wrote:

This is no longer a recommended strategy. Microsoft now recommends keeping it as simple as possible, with as few domains as your enterprise can use.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Randy Jackson" <jacksors@yahoo.com> wrote in message
news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...

On Wednesday, August 06, 2008 8:57 AM
jacksor wrote:

Thank you Ace, that information is very helpful.

We are presently planning our migration strategy to separate from our parent company and form our own independent company.

We will be implementing Windows 2008 ADDS and migrating over approximately 800 user accounts and 900 Exchange mailboxes. I believe the present environment is Windows 2003 AD (running in 2000 native mode) with Exchange 2003. We will be forming 3 AD sites. One site will be for our corporate office location, one for our data center facility located offsite, and one for regional offices in another part of the country. We at present do not have any international presence, but it is very likely we will. I've been questioning whether we need to have separate sites for our data center and corporate office, but they will be separated by a WAN link; I think for replication purposes, and to make sure users hit a DC on the subnet at corporate before trying to hit one at the data center, we should have separate sites defined.

With this fairly simple break out and small number of users (we are expecting to almost double our size in about 2 yrs), would a single domain model make the most sense?

If a user was a domain admin in this model, what prevents them from modifying attributes that can affect the whole forest rather than just the domain? This domain would hold the forest schema; would domain admins have access to make changes to that, or only Enterprise Admins?

Thanks for your advice.

"Ace Fekay [MVP Directory Services]" wrote:

On Wednesday, August 06, 2008 9:18 AM
jacksor wrote:

Thanks Paul. What AD version prompted this best practice change?

"Paul Bergson [MVP-DS]" wrote:

On Wednesday, August 06, 2008 12:17 PM
Paul Bergson [MVP-DS] wrote:

If I recall correctly it started with the release of AD (2000).


"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:8E3E3EA0-B153-42EF-A814-1FFCD6D713AF@microsoft.com...

On Thursday, August 07, 2008 10:14 PM
jacksor wrote:

Paul,

I have a follow-up question. Old best practice said not to use your routable internet domain name as the name of your forest root domain. Is that still a best practice, or due to enhanced security does that no longer matter as well?

Thanks.

"Paul Bergson [MVP-DS]" wrote:

On Friday, August 08, 2008 8:47 AM
Paul Bergson [MVP-DS] wrote:

That is the recommended strategy, but to be honest we don't follow that. I don't know if it was security related or just the fact that you need to be able to manage DNS and not expose your internal boxes' IP addresses, which we do both.


"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:18547956-7C98-47CB-8982-22440B57271D@microsoft.com...

On Friday, August 08, 2008 10:19 AM
jacksor wrote:

Everything I've read, at least for older AD installations, says that a domain admin in a single forest root domain model could gain enterprise admin permissions and modify the schema and cause forest-wide damage. I was hoping to avoid that security issue. Is that scenario even possible in AD 2008?

"Paul Bergson [MVP-DS]" wrote:

On Friday, August 08, 2008 11:59 AM
Paul Bergson [MVP-DS] wrote:

Any admin in a forest, if smart enough, can work to gain permissions to become an enterprise admin. Security boundaries are between forests.


"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:39F1A95A-605F-4135-854D-A05979434BA1@microsoft.com...

On Friday, August 08, 2008 2:52 PM
jacksor wrote:

Re: Place holder root domain advantage
Thank you for the info.

"Paul Bergson [MVP-DS]" wrote:

On Saturday, August 09, 2008 12:29 AM
Ace Fekay [MVP Directory Services] wrote:

Re: Place holder root domain advantage
"jacksors" <jacksors@discussions.microsoft.com> wrote in message
news:B549073F-A100-402E-A398-7C50D6B92D7F@microsoft.com...

I would like to add, about not using the same external name, that it's less DNS administrative overhead: you don't have to create shadow records internally so internal folks can access the external website, assuming it's hosted externally. Also a biggy is that internal folks cannot access an externally hosted site using the URL without the 'www' portion, because that record gets registered by each DC in the domain. There are ways around it, but the truth of the matter comes back to the additional administrative overhead.

As for a single domain, that's as secure as it's going to get, even compared to having an empty root. Just keep control of your admins and admin rights.

Ace


Submitted via EggHeadCafe - Software Developer Portal of Choice
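The thread's practical advice comes down to two checks: keep the forest-level groups (Enterprise Admins, Schema Admins, root-domain Domain Admins) under tight control, since in a single-domain forest they are the only boundary, and know whether the bare AD domain name is being registered by your DCs, which is Ace's 'www' point. The script below is an added example written for this page, not code posted by Ace, Paul or anyone else in the thread. It assumes RSAT (the ActiveDirectory and DnsClient modules) on a domain-joined machine with read access to the directory, and it only reads; nothing is modified.

```powershell
# Added example, not from the thread: audit forest-level privileged groups and the
# DNS apex records for the forest root domain. Read-only.
#Requires -Modules ActiveDirectory, DnsClient

Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

"Forest root domain : {0}" -f $forest.RootDomain
"Schema master      : {0}" -f $forest.SchemaMaster
"Domains in forest  : {0}" -f ($forest.Domains -join ', ')

# Enterprise Admins and Schema Admins exist only in the forest root domain.
# Root-domain Domain Admins and Administrators are listed as well, because in a
# single-domain forest they are effectively forest-level too.
$groups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

$report = foreach ($group in $groups) {
    # -Recursive expands nested groups so indirectly nested accounts are counted
    Get-ADGroupMember -Identity $group -Server $root.PDCEmulator -Recursive |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Group   = $group
                Member  = $_.SamAccountName
                Class   = $_.objectClass
                BuiltIn = ($_.SID.Value -like '*-500')   # RID 500 = built-in Administrator
            }
        }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Schema Admins is normally kept empty and populated only for a schema change window.
$schema = @($report | Where-Object { $_.Group -eq 'Schema Admins' })
if ($schema.Count -gt 0) {
    Write-Warning ("Schema Admins has {0} member(s); expected 0 outside a schema change." -f $schema.Count)
}

# Flag any account other than the built-in Administrator holding Enterprise Admins permanently.
$ea = @($report | Where-Object { $_.Group -eq 'Enterprise Admins' -and -not $_.BuiltIn })
if ($ea.Count -gt 0) {
    Write-Warning ("Enterprise Admins has {0} member(s) besides the built-in Administrator: {1}" -f `
        $ea.Count, ($ea.Member -join ', '))
}

# DNS apex check: every DC registers an A record for the bare AD domain name, so if
# that name is also the public web name, internal clients resolving it reach DCs,
# not the web server, unless shadow records are maintained.
$dcAddresses = @(Get-ADDomainController -Filter * -Server $root.DNSRoot |
    Select-Object -ExpandProperty IPv4Address)
$apex = @(Resolve-DnsName -Name $root.DNSRoot -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress })

foreach ($rec in $apex) {
    $owner = if ($dcAddresses -contains $rec.IPAddress) { 'domain controller' } else { 'not a DC' }
    "{0} -> {1} ({2})" -f $root.DNSRoot, $rec.IPAddress, $owner
}
if (@($apex | Where-Object { $dcAddresses -contains $_.IPAddress }).Count -gt 0) {
    Write-Warning ("The bare name {0} resolves to DC addresses; a public site on the same name " +
        "needs internal shadow records or a different internal domain name.") -f $root.DNSRoot
}
```

Run it from an account that can read group membership in the root domain; the warnings are the items to put in the design proposal, and re-running it after the migration gives a baseline to compare against.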
Re: Randy [message #412146 is a reply to message #412136] Mon, 15 March 2010 06:44
pbbergs (United States), Senior Member; Messages: 1024; Registered: July 2009
It is no longer the recommended scenario to create an empty forest root. You should describe what you want to provide for your company and someone within this forum should be able to give you a starting point, but you will have to do some work for this yourself. You know your company much better than anyone else.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroups. This posting is provided "AS IS" with no warranties and confers no rights.
<Sankar Ganesh> wrote in message
news:201031581524a.sankarmcse@googlemail.com...
Re: Randy [message #412187 is a reply to message #412146] Mon, 15 March 2010 08:20
aceman (United States), Senior Member; Messages: 5816; Registered: July 2009
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message news:ukjGB1DxKHA.4552@TK2MSFTNGP04.phx.gbl...

Paul,

I completely agree. If Sankar read through the thread, my comments are embedded there: this mindset was from the early Windows 2000 days and is no longer followed nor recommended for any sort of security benefit, other than a namespace benefit (if that).

Sankar, please read my comments in this thread (below in this post). After reading through it, describe your scenario, such as how many users, locations, delegation requirements, whether you have acquired any companies and migrated them in, etc., to help. But all in all, as Paul said, any AD design is solely based on your company. There is no such thing as a cookie cutter design.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

> There is no longer the recommended scenario to create an empty forest root.
> You should describe what you want to provide for your company and someone
> within this forum should be able to give you a starting point, but you will
> have to do some work for this yourself. You know your compnay much better
> than anyone else.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
> <Sankar Ganesh> wrote in message
> news:201031581524a.sankarmcse@googlemail.com...
>> Hi Rand,
>>
>> Have you completed your project. Because right now i am having same
>> scenario.. if you completed this project can you guide me to implement by
>> providing domain structure.
>>
>> I need to sumbit the proposal to the management.
>>
>> thank you very much in advance
>>
>> shankar
>>
>>
>>
>> Randy Jackson wrote:
>>
>> Place holder root domain advantage
>> 05-Aug-08
>>
>> I've been struggling with a domain design to choose. I've always read that
>> it is best practice design to create an empty place holder root domain to
>> hold the enterprise admin group and to hold the forest schema operations
>> role. Then have another domain to hold all users/groups/computers. The
>> alternative being one domain, that holds all of the above.
>>
>> There is obviously additional hardware costs associated with the empty
>> place
>> holder domain, but there isn't going to be much administrative overhead
>> since the domain is going to me basically unused.
>>
>> What are the underlying reasons why the place holder root domain is setup
>> and should this domain design be favored in a large enterprise
>> organization
>> vs the single domain model?
>>
>> Thank you.
>>
>> Previous Posts In This Thread:
>>
>> On Tuesday, August 05, 2008 9:36 PM
>> Randy Jackson wrote:
>>
>> Place holder root domain advantage
>> I've been struggling with a domain design to choose. I've always read that
>> it is best practice design to create an empty place holder root domain to
>> hold the enterprise admin group and to hold the forest schema operations
>> role. Then have another domain to hold all users/groups/computers. The
>> alternative being one domain, that holds all of the above.
>>
>> There is obviously additional hardware costs associated with the empty
>> place
>> holder domain, but there isn't going to be much administrative overhead
>> since the domain is going to me basically unused.
>>
>> What are the underlying reasons why the place holder root domain is setup
>> and should this domain design be favored in a large enterprise
>> organization
>> vs the single domain model?
>>
>> Thank you.
>>
>> On Wednesday, August 06, 2008 12:50 AM
>> Ace Fekay [MVP Directory Services] wrote:
>>
>> Re: Place holder root domain advantage
>> "Randy Jackson" <jacksors@yahoo.com> wrote in message
>> news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...
>>
>> You've stated the basic reasons. A place holder for the tree, offering a
>> contiguous namespace, as well as hiding the EA and Schema Admins.
>>
>> In the past, back in the early 2000 days, it was the basic thinking to use
>> an empty root. However, the design mentality of an empty root has changed
>> with increased features and changes in 2003 security, or basically because
>> of budget. So the most common designs are simply one domain unless you
>> need
>> across the pond or business partner migrated domains in a decentralized
>> delegation. Keep in mind, you can protect a single domain design by
>> keeping
>> everyone else out of the Domain Admins group and use OU or specific
>> delegation.
>>
>> I remember at one point when arguing about having an empty root or just
>> one
>> domain, that as a child domain admin, I was able to access certain parts
>> of
>> the containers using ADSI Edit and could have done damage for the forest.
>> So
>> why bother with the empty root? But like I said, security has changed.
>>
>> I remember you posted before about Exchange design concerns, but not sure
>> if
>> we discussed number of users and Sites, or other specifics for a directory
>> service. How many users? Sites?
>>
>> --
>> --
>> Regards,
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
>> MVP Microsoft MVP - Directory Services
>> Microsoft Certified Trainer
>>
>> For urgent issues, you may want to contact Microsoft PSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Infinite Diversities in Infinite Combinations
>>
>> On Wednesday, August 06, 2008 8:47 AM
>> Paul Bergson [MVP-DS] wrote:
>>
>> This is no longer a recommended strategy.
>> This is no longer a recommended strategy. Microsoft now recommends to
>> keep
>> it as simple as possible with as few domains as your enterprise can use.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Randy Jackson" <jacksors@yahoo.com> wrote in message
>> news:O9fddT29IHA.4004@TK2MSFTNGP03.phx.gbl...
>>
>> On Wednesday, August 06, 2008 8:57 AM
>> jacksor wrote:
>>
>> Thank you Ace, that information is very helpful.
>> Thank you Ace, that information is very helpful.
>>
>> We are presently planning our migration strategy to seperate from our
>> parent
>> company and form our own independent company.
>>
>> We will be implementing Windows 2008 ADDS and migrating over approximately
>> 800 user accounts and 900 Exchange mailboxes. I believe the present
>> environment is Windows 2003 AD (running in 2000 native mode) with Exchange
>> 2003. We will be forming 3 AD sites. One site will be for our corporate
>> office location, one for our data center facility located offsite, and one
>> for regional offices in another part of the country. We at present do not
>> have any international presence but that it is very likely we will. I've
>> been
>> questioning whether we need to have seperate sites for our data center and
>> corporate office, but they will be seperated by a WAN link, I think for
>> replication purposes and making sure users hit a DC on the subnet at
>> corporate before trying to hit one at the data center we should have
>> seperate
>> sites defined.
>>
>> With this fairly simple break out and small number of users (we are
>> expecting to almost double our size in about 2 yrs) would a single model
>> domain make the most sense?
>>
>> If a user was a domain admin in this model, what prevents them from
>> modifying attributes that can effect the whole forest rather than just the
>> domain? This domain would hold the forest schema, would domain admins have
>> access to make changes to that or only Enterprise Admins?
>>
>> Thanks for your advice.
>>
>> "Ace Fekay [MVP Directory Services]" wrote:
>>
>> On Wednesday, August 06, 2008 9:18 AM
>> jacksor wrote:
>>
>> Thanks Paul. What AD version prompted this best practice change?
>> Thanks Paul. What AD version prompted this best practice change?
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>> On Wednesday, August 06, 2008 12:17 PM
>> Paul Bergson [MVP-DS] wrote:
>>
>> If I recall correctly it started with the release of AD (2000).
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "jacksors" <jacksors@discussions.microsoft.com> wrote in message
>> news:8E3E3EA0-B153-42EF-A814-1FFCD6D713AF@microsoft.com...
>>
>> On Thursday, August 07, 2008 10:14 PM
>> jacksor wrote:
>>
>> Paul,
>>
>> I have a follow up question. Old best practice said to not use your
>> routeable internet domain name as the domain for your forest root domain.
>> Is
>> that still a best practice or due to enhanced security does that no longer
>> matter as well?
>>
>> Thanks.
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>> On Friday, August 08, 2008 8:47 AM
>> Paul Bergson [MVP-DS] wrote:
>>
>> That is the recommended course strategy, but to be honest we don't follow
>> that. I don't know if it was security related or just the fact you need
>> to
>> be able to manage dns and not expose your internal boxes ip addresses,
>> which
>> we do both.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "jacksors" <jacksors@discussions.microsoft.com> wrote in message
>> news:18547956-7C98-47CB-8982-22440B57271D@microsoft.com...
>>
>> On Friday, August 08, 2008 10:19 AM
>> jacksor wrote:
>>
>> Everything I've read, at least for older AD installations, that a domain
>> admin in a single forest root domain model, could gain enterprise admin
>> permissions and modify the schema and cause forest wide damage. I was
>> hoping
>> to avoid that security issue. Is that scenario even possible in AD 2008?
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>> On Friday, August 08, 2008 11:59 AM
>> Paul Bergson [MVP-DS] wrote:
>>
>> Any admin in a forest, if smart enough can work to gain permissions to
>> become an enterprise admin. Security boundaries are between forests.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "jacksors" <jacksors@discussions.microsoft.com> wrote in message
>> news:39F1A95A-605F-4135-854D-A05979434BA1@microsoft.com...
>>
>> On Friday, August 08, 2008 2:52 PM
>> jacksor wrote:
>>
>> Re: Place holder root domain advantage
>> Thank you for the info.
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>> On Saturday, August 09, 2008 12:29 AM
>> Ace Fekay [MVP Directory Services] wrote:
>>
>> Re: Place holder root domain advantage
>> "jacksors" <jacksors@discussions.microsoft.com> wrote in message
>> news:B549073F-A100-402E-A398-7C50D6B92D7F@microsoft.com...
>>
>> I would like to add about not using the same external name is it's less
>> DNS
>> administrative overhead of having to create shadow records internally so
>> internal folks can access the external website, assuming it's hosted
>> externally. Also a biggy is that internal folks cannot access an
>> externally
>> hosted site using the URL without the 'www' portion because that record
>> gets
>> registered by each DC in a domain. There are ways around it, but the truth
>> of the matter comes back to the additional administrative overhead.
>>
>> As for a single domain, that's as secure as it's going to get even
>> compared
>> to having an empty root. Just keep control of your admin and admin rights.
>>
>> Ace
>>
>>
Thank you for your responses [message #412854 is a reply to message #412187] Tue, 16 March 2010 04:52
Sankar Ganesh  is currently offline Sankar Ganesh  United States
Messages: 2
Registered: March 2010
Junior Member
Firstly my thanks to Mr. Paul and Mr. Ace. (To be honest I didn't expect so quick a response :):):))

Ok, here I would like to give a small overview about the current structure and the future expected plan. This is for my customer.

Current scenario:

Right now they have 5 sites (branches) (A, B, C, D, E) and each has its own forest. Site A has 2 child domains, respectively, for 2 more branch offices. Each site is interconnected with a trust relationship (Windows 2003). The total number of users is nearly 1600.

The funniest and strangest thing is that a site has 300 active users and 750 security groups. And there are more than 350 Group Policy settings. The same scenario applies to all the branches.

And another big issue is that each site administrator has a different opinion, which is really blocking any further implementation. So the customer decided to move everything to one centralized location (in the DC) and they approached us. Now I am proposing 3 domain scenarios. They are (which also tells about the future plan):

Scenario 1:

Multi-Domain Forest:

<Root Domain> for ex: Root.com

Root.com-->

A.Root.com, B.Root.com, C.Root.com, like that, each separate domain for each branch office.


Scenario 2:

Single Domain Forest:

Root.com

And the branches will be classified by OU and each branch will have either an ADC (if we stick with W2K3) or an RODC (if we go with W2K8).

Scenario 3:

Single Domain Forest with empty root domain:

Empty.com

Root.Empty.com (which will contain all resources)

And the branches will be classified by OU and each branch will have either an ADC (if we stick with W2K3) or an RODC (if we go with W2K8).

Sorry for the too long data.. guide me with your suggestion.

The WAN connectivity will not be a bottleneck since each branch is connected with a 100 Mbps MPLS cloud.

My only concern is about where to put file servers, DHCP servers and other application servers. We are also finding a solution for centralizing Citrix servers, so the printing solution will be taken care of by Citrix (I hope).

Ace Fekay [MVP-DS, MCT] wrote (15-Mar-10):

Paul,

I completely agree. If Sankar read through the thread, my comments are embedded regarding this mindset was from the early Windows 2000 days and no longer followed nor recommended for any sort of security benefits, other than a namespace benefit (if that).

Sankar, please read my comments in this thread (below in this post). After reading through it, describe your scenario such as how many users, locations, delegation requirements, have you acquired any companies and migrated them in, etc, to help. But all in all, as Paul said, any AD design is solely based on your company. There is no such thing as a cookie cutter design.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Re: Thank you for your responses [message #412893 is a reply to message #412854] Tue, 16 March 2010 06:29
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
I will tell you the most difficult piece you will experience is the
political acceptance of the new topology. Unclear as to why there are so
many different forests, but you will have to get the support from the head
of the corporation to get this done. People will do whatever it takes (From
my experience) to not lose control of what they already have.

My suggestion:
Deploy a Windows 2008 or Windows 2008 R2 single domain forest. You have
plenty of bandwidth, so you should be able to use Active Directory
Integrated DNS and each site should be able to host their own DHCP server.

With a single domain model, you should be able to deploy DCs at each site
and delegate the local administrator control over an OU of their branch. If
they have separate password policies, with 2008 or 2008 R2, you can leverage
Fine Grained Password Policies so that should help with that argument as
well. I would STRONGLY urge you to not let any of the remote sites be a
domain or forest admin. I would even consider using Read Only DCs at the
remote sites if you can't get the DCs in a safe and secure location. With
Group Policy you should be able to rein in some of the policies it sounds
like are currently being used. Not sure how many policies you have, but with
350 settings that has to be 10+ policies and I'm guessing it is probably
closer to 50. At 4 meg per policy and if you have 50 GPOs that is 200 meg
being shipped around in templates alone. GPOs in 2008 get control of the
template issue and if you have a Microsoft Software Assurance (SA) agreement
you can use the Advanced Group Policy Management for GPO change management.
With SA you also can use Application Virtualization (APP-V), something you
should look at if you are having Citrix issues. We have almost eliminated
terminal services with APP-V within our organization and there is zero
license cost to use it.

Hope this helps. Feel free to ask more questions as you need to and the
best of luck.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
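Paul's single-domain layout (per-branch OUs with delegated branch admins, Fine Grained Password Policies, and no branch staff in domain- or forest-level groups) as an added PowerShell example; this is not code from the thread or from Microsoft, and the domain root.com, the NetBIOS name ROOT, the branch names and the policy values are all constructed assumptions.

```powershell
# Added example, not code from the thread. Builds one OU per branch in a
# single-domain forest, delegates a branch-scoped admin group over its own OU
# only, attaches a per-branch Fine-Grained Password Policy, and audits that no
# branch principal has crept into a group with domain- or forest-wide rights.
# Assumes the RSAT ActiveDirectory module and the constructed domain root.com.
Import-Module ActiveDirectory

$DomainDN = 'DC=root,DC=com'          # constructed
$Netbios  = 'ROOT'                    # constructed
$Branches = 'A', 'B', 'C', 'D', 'E'   # constructed branch names

foreach ($b in $Branches) {
    $ouName = "Branch-$b"
    $ouDN   = "OU=$ouName,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }

    # Branch admins get a global group inside their own OU. It is deliberately
    # never nested into Domain Admins, Enterprise Admins or Schema Admins.
    $adminGrp = "BranchAdmins-$b"
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$adminGrp)")) {
        New-ADGroup -Name $adminGrp -GroupScope Global -GroupCategory Security -Path $ouDN
    }
    # Delegate generic-all on sub-objects of the branch OU only (/I:S), so the
    # group can manage users/groups/computers there but not the OU itself or
    # anything outside it.
    dsacls $ouDN /I:S /G "$Netbios\$($adminGrp):GA" | Out-Null

    # Per-branch password policy (needs Windows Server 2008 domain functional
    # level). Lower Precedence wins when a user falls under several PSOs.
    $pso = "PSO-$ouName"
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
        New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 100 `
            -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $adminGrp
    }
}

# Audit: branch-scoped principals must never appear, directly or via nesting,
# in a group that carries domain- or forest-wide rights. Enterprise Admins and
# Schema Admins live only in the forest root, which here is the single domain.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
foreach ($g in $privileged) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.distinguishedName -like "*,OU=Branch-*,$DomainDN" } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is in '$g' via a branch OU; remove it" }
}
```

Run the audit section on a schedule: it is the check that backs Paul's "do not let any of the remote sites be a domain or forest admin", since in a single forest every such membership is a forest-wide exposure.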
Re: Place holder root domain advantage [message #456192 is a reply to message #412893] Wed, 02 June 2010 11:29
melry88  is currently offline melry88  United States
Messages: 2
Registered: June 2010
Junior Member
Everyone,

I just wanted to add that this is still a highly recommended path from
Microsoft. I read above in other posts that it was not so I started to
read the Windows 2008 AD Resource Kit. The resource kit states that
if you are using a forest with multiple domains that it is "strongly"
recommended to also use an empty root. This is listed on page 215 under
"Best Practices".

I am not trying to start a flaming war, but I wanted to make sure other
readers fully understand Microsoft's approach to this.

Thanks....


--
melry88