Solved

Benefits of multiple domains in a forest

Posted on 2010-11-24
Last Modified: 2012-08-13
Apart from security boundaries (e.g. for Domain Admins), what are the benefits of having multiple domains in a forest?

Any benefits in terms of replication (AD and DNS etc)?

And - even for the Domain Admin bit, is this really a benefit?
Question by:kam_uk
Accepted Solution

by:KenMcF
KenMcF earned 250 total points
ID: 34209556
The domain is not a security boundary, it is the forest. Domain Admins in the child domains are able to elevate their permissions in the forest.

Depending on what FFL and DDL you are running, one benefit is password policies. Starting with 2008 you could create fine-grained password policies, but before that it was one password policy per domain without 3rd party apps.

DNS is another one. You could create domain partitions so they will not replicate to all domain controllers in the forest.
Author Comment

by:kam_uk
ID: 34209593
Thanks KenMCF

So let's say I have emea.kam.com, apac.kam.com and us.kam.com

Are you saying that a DA from EMEA can make themselves a DA of APAC?

"DNS is another one. You could create domain partitions so they will not replicate to all domain controllers in the forest."

- Could you expand on this?
Expert Comment

by:KenMcF
ID: 34209622
Yes, there are ways that a DA in a child domain can elevate their permissions like that.

Here is a link that explains DNS application partitions.

http://technet.microsoft.com/en-us/library/cc778236(WS.10).aspx
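
To illustrate the DNS application partitions mentioned above, here is an added example (not part of the original thread and not taken from the linked article) that moves an AD-integrated zone into a custom partition so it replicates only to chosen DNS servers. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the zone name comes from the asker's emea.kam.com example, while the partition and server names are hypothetical.

```powershell
#Requires -Modules DnsServer
# Added example: limit replication of an AD-integrated DNS zone to selected
# domain controllers by placing it in a custom application directory partition.

function Set-ZoneReplicationScope {
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,       # zone to move
        [Parameter(Mandatory)] [string]   $PartitionName,  # FQDN of the custom partition
        [Parameter(Mandatory)] [string[]] $DnsServers      # DCs that should hold the zone
    )
    $first = $DnsServers[0]

    # Create the partition only if it does not exist yet, so re-runs are safe.
    $existing = Get-DnsServerDirectoryPartition -Name $PartitionName `
        -ComputerName $first -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerDirectoryPartition -Name $PartitionName -ComputerName $first
    }

    # Enlist the remaining servers. Only enlisted DNS servers receive a replica;
    # the server that created the partition is enlisted as part of creation.
    foreach ($server in ($DnsServers | Select-Object -Skip 1)) {
        try {
            Register-DnsServerDirectoryPartition -Name $PartitionName `
                -ComputerName $server -ErrorAction Stop
        } catch {
            # Typically means the server is already enlisted; report and continue.
            Write-Warning "Enlist on ${server}: $($_.Exception.Message)"
        }
    }

    # Change the zone's replication scope from forest/domain-wide to the partition.
    Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
        -DirectoryPartitionName $PartitionName -ComputerName $first

    # Return the resulting scope so the change can be verified or logged.
    Get-DnsServerZone -Name $ZoneName -ComputerName $first |
        Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
}

# Constructed sample call (hypothetical partition and server names):
Set-ZoneReplicationScope -ZoneName 'emea.kam.com' `
    -PartitionName 'dns-emea.kam.com' `
    -DnsServers 'dc1.emea.kam.com', 'dc2.emea.kam.com'
```

After the change, domain controllers that are not enlisted in the partition no longer hold a copy of the zone, so confirm that clients in the other domains can still resolve it through forwarding or delegation.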
Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 34209840
As Ken said, they can make themselves an EA or DA in another domain (they have to know what they are doing). There was also a good thread on the TechNet forums about this:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3f8d0e88-7f26-40f9-b3d2-ca4215b63aea

If you see my post there, I "borrowed" a quote from Laura. I still like her line: "The oops boundary".

Thanks

Mike