wm48312
asked on
Large corporation single forest with single domain
Hi Experts,
Has anyone ever heard of a large worldwide corporation using a single forest with a single domain? I know that a domain is no longer considered a security boundary, so it seems there would be little difference other than replication between that and a single forest with multiple domains. A single domain is attractive as far as administration is concerned. Can anyone give me the pros and cons?
Hello wm48312,
I am actually working on developing an enterprise architecture using a single forest/domain. Due to the lack of systems administrators, I strongly believe that structuring the domain and rolling up sites using subnets and administering them under appropriate OUs is the way to go. Each site will have an RODC with UGMC to alleviate the need to constantly query group membership back to the Enterprise. Another big point I stress is the ability to designate a help desk presence using delegation without assigning Domain Admin permissions. Disaster recovery for a site is, in my opinion, simplified: you do not have to worry about transferring and seizing FSMO / OM roles, since the 5 roles belong in one domain and at the Enterprise. I hope my viewpoint helps you make your decision.
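The layout described in that answer, as an added PowerShell example (not code from the thread or from either poster). It builds branch sites from subnets, a per-site OU, turns on universal group membership caching on the branch site, prestages an RODC into it with a narrow password replication policy, delegates password reset on the site OU to a help-desk group instead of handing out Domain Admin, and ends with the FSMO role check. The site names, subnets, the hub site HQ-London and the groups HelpDesk-<Site> and Users-<Site> are assumptions; the schema GUIDs are the well-known values for the user class, the Reset Password control right and the pwdLastSet attribute.

```powershell
# Added example, not code from the original thread. Assumed names: hub site HQ-London, the
# branch sites/subnets below, and pre-existing groups HelpDesk-<Site> and Users-<Site>.
# Run from a Domain Admin session with RSAT (AD DS tools) installed.
Import-Module ActiveDirectory
Import-Module ADDSDeployment   # Add-ADDSReadOnlyDomainControllerAccount lives here

$domain   = Get-ADDomain               # single domain, so this is also the forest root
$domainDN = $domain.DistinguishedName
$hubSite  = 'HQ-London'                # assumed: site holding the writable DCs and GCs
$sitesOU  = "OU=Sites,$domainDN"

if (-not (Get-ADOrganizationalUnit -Identity $sitesOU -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'Sites' -Path $domainDN
}

# Assumed branch layout; in a real rollout this comes from the network inventory.
$branches = @(
    @{ Site = 'Paris';  Subnets = @('10.20.0.0/16') },
    @{ Site = 'Sydney'; Subnets = @('10.30.0.0/16', '10.31.0.0/16') }
)

foreach ($b in $branches) {
    # 1. Site + subnets, so clients in those ranges bind to their local DC.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($b.Site)'")) {
        New-ADReplicationSite -Name $b.Site
    }
    foreach ($cidr in $b.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $b.Site
        }
    }

    # 2. UGMC on the branch site, refreshed from the hub, so logons do not need a GC
    #    lookup over the WAN every time (the branch RODC is not a GC here).
    Set-ADReplicationSite -Identity $b.Site -UniversalGroupCachingEnabled $true `
        -UniversalGroupCachingRefreshSite $hubSite

    # 3. One OU per site: delegation and GPO linking scope to the site, not the domain.
    $siteOU = "OU=$($b.Site),$sitesOU"
    if (-not (Get-ADOrganizationalUnit -Identity $siteOU -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $b.Site -Path $sitesOU
    }

    # 4. Prestage the RODC account. Only Users-<Site> get their secrets cached on it, so a
    #    stolen branch RODC yields that site's users, not the domain's. Admin accounts stay
    #    excluded through the default Denied RODC Password Replication Group.
    $rodc = "RODC-$($b.Site)"
    if (-not (Get-ADComputer -Filter "Name -eq '$rodc'")) {
        Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodc `
            -DomainName $domain.DNSRoot -SiteName $b.Site `
            -AllowPasswordReplicationAccountName "Users-$($b.Site)" `
            -DelegatedAdministratorAccountName "HelpDesk-$($b.Site)"
    }

    # 5. Delegate password reset on the site OU to the site help desk: the Reset Password
    #    control right plus write on pwdLastSet (needed for "change at next logon"),
    #    inherited by user objects only. No Domain Admin membership involved.
    $helpDesk   = Get-ADGroup "HelpDesk-$($b.Site)"
    $userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user
    $resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control right
    $pwdLastSet = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # pwdLastSet attribute
    $inherit    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $acl = Get-Acl -Path "AD:\$siteOU"
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpDesk.SID, 'ExtendedRight', 'Allow', $resetPwd, $inherit, $userClass))
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpDesk.SID, 'WriteProperty', 'Allow', $pwdLastSet, $inherit, $userClass))
    Set-Acl -Path "AD:\$siteOU" -AclObject $acl
}

# 6. All five FSMO roles live in this one domain on writable DCs at the hub. An RODC can
#    never hold one, so losing a branch site never calls for a role seizure.
$forest = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List
```

The caveat that goes with this design: the RODC password replication policy and the OU-level delegation limit what a compromised branch can reach, but they do not create a boundary. Anything that compromises a writable DC, a Domain Admin or the schema still covers the whole forest, which is exactly why the thread treats the forest, not the domain, as the boundary.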
ASKER
Yes, it is 100k+. Current model is multi forest. All good points so far and many of them are already considered. Certainly a multi forest model must be more secure than a single forest. I guess I should probably mention too that not all forests trust all the other forests. One of my concerns is that some of the countries these servers will be in are not exactly friendly.
ASKER
Most data centers are secure and located in friendly countries; others are less secure only because of their physical location, but data is mirrored to another location. It seems to me that an intrusion could gain access to the entire domain, whereas in a multi forest model that would not be possible, or at least more difficult.
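In the multi-forest model the asker describes, the forest boundary is only as strong as the trust configuration, and "not all forests trust all the other forests" is something worth verifying rather than assuming. The following read-only audit is an added PowerShell example, not code from the thread: it lists the local forest's trusts and decodes the trustAttributes flag bits (the values are the ones defined in MS-ADTS) to show, per partner, whether the partner's accounts can authenticate here and how tightly that is constrained. It assumes only RSAT's ActiveDirectory module and a domain-joined account.

```powershell
# Added example, not code from the original thread. Read-only: it changes nothing.
Import-Module ActiveDirectory

# trustAttributes flag values from MS-ADTS (trustAttributes attribute)
$TA_QUARANTINED_DOMAIN    = 0x004   # SID filtering on an external trust
$TA_FOREST_TRANSITIVE     = 0x008   # forest trust (vs. external/domain trust)
$TA_CROSS_ORGANIZATION    = 0x010   # selective authentication
$TA_WITHIN_FOREST         = 0x020   # trust between domains of the same forest
$TA_TREAT_AS_EXTERNAL     = 0x040   # forest trust with SID filtering relaxed (SID history honoured)
$TA_ENABLE_TGT_DELEGATION = 0x800   # unconstrained delegation explicitly allowed across the trust

function Get-TrustFindings {
    param(
        [Parameter(Mandatory)][string]$Partner,
        [Parameter(Mandatory)][string]$Direction,   # Inbound, Outbound or BiDirectional
        [Parameter(Mandatory)][int]$Attributes      # raw trustAttributes value
    )
    $has = { param($flag) ($Attributes -band $flag) -ne 0 }
    $findings = @()

    if (& $has $TA_WITHIN_FOREST) {
        # Intra-forest trusts are not a boundary at all; the forest is the boundary.
        return [pscustomobject]@{ Partner = $Partner; Kind = 'intra-forest/' + $Direction
                                  Findings = 'same forest: no security boundary' }
    }
    $kind = if (& $has $TA_FOREST_TRANSITIVE) { 'forest' } else { 'external' }

    # Outbound (from our side) or two-way: we trust the partner, so its accounts can
    # authenticate to our resources. That is the direction an intruder in the partner
    # forest would use.
    if ($Direction -in 'Outbound', 'BiDirectional') {
        if (-not (& $has $TA_CROSS_ORGANIZATION)) {
            $findings += 'forest-wide authentication: partner users are Authenticated Users on every host here'
        }
        # Without SID filtering, a compromised partner DC can attach our privileged group
        # SIDs to its users via sIDHistory and be honoured on our side.
        if ($kind -eq 'forest' -and (& $has $TA_TREAT_AS_EXTERNAL)) {
            $findings += 'SID filtering relaxed on forest trust (SID history honoured)'
        }
        if ($kind -eq 'external' -and -not (& $has $TA_QUARANTINED_DOMAIN)) {
            $findings += 'SID filtering (quarantine) disabled on external trust'
        }
    }
    # Note: on DCs without the 2019 TGT-delegation hardening, delegation across forest
    # trusts was allowed even without this bit, so its absence is not proof it is off.
    if (& $has $TA_ENABLE_TGT_DELEGATION) {
        $findings += 'TGT delegation enabled: our users'' TGTs can be captured by partner-side unconstrained delegation'
    }

    [pscustomobject]@{
        Partner  = $Partner
        Kind     = "$kind/$Direction"
        Findings = if ($findings) { $findings -join '; ' } else { 'constrained' }
    }
}

Get-ADTrust -Filter * |
    ForEach-Object {
        Get-TrustFindings -Partner $_.Target -Direction "$($_.Direction)" -Attributes $_.TrustAttributes
    } |
    Format-Table -AutoSize -Wrap
```

Run it in each forest, since each side sees its own trust objects. A partner in a location the asker considers unfriendly should show as inbound only from our side, or outbound with selective authentication and SID filtering in place; anything reported as "forest-wide authentication" means a compromise over there is already an authenticated foothold over here.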
If you have fast links and can handle the replication it should be OK... and while the forest is the security boundary, I still consider the domain the "oops boundary".
Full disclosure: I stole that from someone at Microsoft.
What is your current model, single forest with multiple domains or multiple forests?
Thanks
Mike