Forest Trusts

Status
Not open for further replies.

johangir

Technical User
Apr 16, 2008
1
GB
Hi All

I'm setting up an Upstream WSUS server to service over 3,500 downstream servers each in its own AD Forest. To set up Authentication I need to create trusts with each Forest. 3,500+ is a lot of trusts to set up on one machine - does anyone know what the maximum number of trusts a w2k3 server can support (Standard/Enterprise)?

Thanks for your time

Joh
 
There is no limit but you have to consider the physical aspects of the server handling the loads.

Availability of service and data isolation or autonomy in an Active Directory domain depends not only on the administrator of that domain and forest administrators, but also on other domain administrators within a forest.

When designing your forest, keep in mind that administrative independence has a cost and that you must carefully consider the tradeoff between autonomy or isolation versus interoperation and collaboration.

When I speak about autonomy and isolation, I mean this:

Service autonomy: Provides the ability to independently manage and manipulate the schema and configuration containers. The need for this level of control is usually driven by organizational structure or operational requirements. For example, one division of a company wants to install directory-enabled applications that extend the schema without depending on approval by the central Information Technology (IT) department.

Service isolation: Provides the assurance that no administrator outside the organization can interfere with the operation of the directory service. The need for this level of control is usually driven by legal or operational requirements. For example, suppose a hosting company needs to place domain controllers on a customer’s premises. If a breach of domain controller security can affect service delivery in the rest of the forest, that customer’s operations can be separated into its own forest to better protect other clients of the directory service.

Data isolation: Provides the assurance that no service administrators outside of a limited scope of administrators can control or view any subset of data on a domain controller or on member computers joined to the forest. The need for this level of control is usually based on a legal requirement. For example, a financial institution might be required by law to limit access to data that belongs to clients in a particular jurisdiction to the users, computers, and administrators in that jurisdiction.

Think this through a little further, but there is no limit.



Do not pray to have an easier life, pray to be a stronger man!!!

B.S. Computer Information Systems
Masters of Information Technology in Network Security
CompTIA A+, Net+, Security+
MCSE: Security

MCITP: Exchange Server 2007 (Pending)
MCITP: Server 2008 (Pending)
MCTS: Windows Vista (Pending)
 