
Reasons to have own forest for dept.


chosen1 (MIS), Sep 16, 2002
I work in a small department of a worldwide company. The networks are all on NT4. 75% of the NT domains are managed by the data center.

My department's network is a single flat NT4 domain with a one-way trust relationship with our data center for Exchange services. We are self-sufficient and run like a small company without the bureaucracy of the data center. We manage cash flow and trading. When there is a problem, we get it done quickly/effectively.

The company is in the early stages of migrating to AD from NT4.0.

The data center's AD plan is to set up one forest for the whole company. This forest would envelop all the current NT4 domains throughout the company worldwide under their umbrella, making it easier for them to administer.

However I don't have much confidence in their direction. In their first migration meeting they were more concerned with applications being impacted by AD. I felt they should have attempted to understand the existing NT4 domains and trust layout. They are too ambitious and overconfident.
Seems like they want to not just overhaul the whole network layout but also operational procedures.


I fear there may be a security risk by going the data center's direction. They say my users will have the ability to log on to any company PC overseas and get their stuff.
I think this is a huge risk as I have no users that travel overseas and I don't want any potential hacker accessing our network as we have sensitive data. I do not like the idea of any kind of my network information, whether it's data or computer names, being replicated overseas. Also the idea that the big brother data center would know the admin password and have admin rights over my dept's network doesn't sit well either.

Also I worry that our operational procedures will be impacted (i.e. if my current LAN admins need to call someone in the data center and cut a ticket to add a replacement trader's PC to the domain, this is time we can't lose).

I do not know much about AD so feel free to comment.
I want to see if I can present a valid business/technical case to request that my NT domain becomes its own forest with a trust to the bigger data center forest for Exchange services.

I would like to hear if anyone has any ideas on the advantages of having my own forest vs being under an OU under the single forest.

Thanks for reading.
 
Single Forest, Multiple Domains


"Single forest vs. multiple forests

A single forest environment is ideal for most small to medium-sized companies. Single forest environments are easy to manage. But larger companies often need each office or each department to be able to have full administrative capabilities over its own users and computers. In such environments, there is often a high degree of distrust between these various groups. In a situation like this, interconnected forests are ideal because they give each group total autonomy.

At the same time, even though the administrative burden is distributed, such a model usually has a much higher administrative burden than a single forest environment, which results in higher administrative costs to the company as a whole. My point is that, in a Windows Server 2003 AD environment, there is a trade-off between cost and security."
 
The end result for optimum workings, so you see the least impact to your operational workings, is for them to create a large forest with smaller OUs for the individual offices that have their own systems admins like yours. They would then delegate responsibility for this OU to the local admins. This would cover both your needs - their need for centralised control and your need for localised administration.

Switching over to AD is not as bad as you think. The advantages of AD over the domain structures far outweigh any negatives. It's simpler to manage and far easier for base security policies to be designed centrally and customised locally.

As an example, I've implemented an AD with central control but I need to have certain areas with tighter control. I created a base security policy which was sufficient for the general populace. I then added tighter controls to the policy for certain servers, added more control for some web servers and completely locked down some machines that were to be used for contractor usage.

Get yourself a good book on AD architecture and your fears will go away. The most important thing is for you to get local delegated authority over your OU.
 
This is more a political decision than a technical one. You basically want to have as few forests as possible from a technical point of view.

If you don't trust the other admins though then you have no choice but to create a second forest as domains aren't security boundaries - of course you might have difficulty justifying it on a trust basis if you're one big company.

As Castor66 mentions, the admin side is easy enough to set up with delegation so you don't need to have a central admin involved when joining PCs to a domain or creating new users etc.

If you want a different name space you'll need your own domain within the forest.

It's not clear how big your environment is but if it is big with a lot of NT4 domains then you're right that they seem to be underestimating the migration if they're only concerned about the apps rather than creating a proper AD design.
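One way the OU delegation Castor66 and NickFerrar describe could be set up, as an added example that is not from this thread (PowerShell with the ActiveDirectory module, which did not exist when the thread was written; the OU and group names are assumed):

```powershell
# Added illustration, not from the thread. Grants a department's local admin group the right to
# create/delete computer and user objects in its own OU (join PCs, add users) and to manage those
# objects, so no central data-center admin has to be involved in day-to-day work.
# Assumed names: OU "OU=TradingDept,DC=corp,DC=example", group "TradingDept-LocalAdmins".
Import-Module ActiveDirectory

$ouDN  = "OU=TradingDept,DC=corp,DC=example"   # assumed department OU
$group = Get-ADGroup "TradingDept-LocalAdmins"   # assumed delegated admin group
$sid   = $group.SID                              # SecurityIdentifier of the group

# Well-known schemaIDGUID values of the object classes being delegated
$classes = @{
    computer = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
    user     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
}

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($class in $classes.Values) {
    # Create/delete child objects of this class, on the OU and everything below it
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $class,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($createDelete)

    # Full control over existing objects of this class (reset passwords, edit attributes),
    # applied to descendants only, so the OU object itself is not handed over
    $manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $class)
    $acl.AddAccessRule($manage)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list only the ACEs that now reference the delegated group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*TradingDept-LocalAdmins" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The delegated group gets rights inside the OU only; it gains nothing over other OUs, the domain head, or forest-wide roles, which is the distinction NickFerrar draws between OU delegation and domain/forest trust.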
 
And with 2 forests, you can manually control the trusts you set up between the forests.

If your NT domain becomes a child domain in the same forest as all the rest... there are implicit two way trusts between all domains.
This doesn't necessarily give everyone access to everywhere... there is NTFS for that.

"I do not like the idea of any kind of my network information, whether it's data or computer names, being replicated overseas. Also the idea that the big brother data center would know the admin password and have admin rights over my dept's network doesn't sit well either."

If you have a separate domain, even a child domain within 'their' forest, you won't have that much replication occurring overseas, as long as all your domain controllers are in your site. However, Global Catalog replication will contain a subset of your domain's objects' attributes.

If you plan to use or develop specific applications that will modify the schema, this along with the confidentiality / security aspect is the best way to get them to let you have a separate forest.
Afterwards, trusts can be set up according to needs, and they could still have some form of admin control (to be negotiated; like NickFerrar says, this seems more political than anything else!!)

Aftertaf
 