Multi-domain vs. new child domain

Sys Admin

I need to create a new domain solution to support developer environments. Actually, the support of the current domain (root domain) is managed externally by another company and they work very slowly... The manager of developers needs to change that dependency to guarantee the fast deployment of new virtual machines (domain joined), creation of new users or groups and the independent definition of GPO rules.

The identified requirements are:
- Maintain the current Forest and Domain Functional Level (Windows Server 2008 R2)
- Independent / autonomous management of the 2 domains (the current company manages the root domain and other IT admins manage the new domain)
- "Domain Admins" of the current domain don't have access to the new domain, or vice versa.
- Use the current user login (atualdomain\user) to access the environment of the new domain.

The possibilities are:

- Creation of a new independent domain (newdomain) and a trust relationship with the current domain.
- Creation of a new child domain in the current forest.

I need to represent these 2 possibilities in 2 tables, like this example:

> Multi domain

Disadvantages   |Advantages
1 - a            |1 - a
2 - b            |2 - b
3 - ...            |3 - ...

> Child domain

Disadvantages   |Advantages
1 - a            |1 - a
2 - b            |2 - b
3 - ...      |3 - ...

Can you help me in that scenario?

In general, most of the requirements can be better set by properly delegating rights. That is generally the best option. You can get delegated access to create OU, create users, create computers, create groups, create GPO, and manage all of those items. This can be done in the existing domain.

Creating a child domain or a new forest will require new domain controllers, among other things. Trusts will need to be managed. It's more complicated.

A child domain is not a REAL security boundary. Domain/enterprise admins from the parent domain can always seize control of the child domain. If that is a strict requirement, only the separate forest is a solution. Given that you still trust the people managing your production domain to manage your production domain, I don't see the issue that they can cause mischief in the development environment to be a concern, as they already have access to most critical assets.
kevinhsieh, Network Engineer

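The delegation approach the answer recommends (OU, user, computer, group and GPO rights handed to a dev-admin group inside the existing domain, with no new domain controllers or trusts) can be scripted. The following is an added example written for this page, not code from the answerer or from Experts Exchange. It assumes an OU named DevEnv directly under the domain root and a security group DevEnv-Admins (both hypothetical names), the RSAT ActiveDirectory module (available on Windows Server 2008 R2), and that it is run by an account allowed to change the OU's ACL. Schema GUIDs are read from the schema partition rather than hard-coded.

```powershell
# Added example (not the page's own code): delegate OU/user/computer/group/GPO-link
# management over one OU subtree to a group, instead of creating a child domain or forest.
# Assumed names: OU "DevEnv" under the domain root, group "DevEnv-Admins".
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'DevEnv'                       # assumption
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'DevEnv-Admins'                # assumption

# 1. Create the OU and the delegated admin group if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# 2. Resolve schema GUIDs for the object classes and attributes we delegate.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$classGuids = @{}
foreach ($c in 'user', 'computer', 'group', 'organizationalUnit') { $classGuids[$c] = Get-SchemaGuid $c }
$gpLinkGuid    = Get-SchemaGuid 'gPLink'     # attribute that holds the GPO links of an OU
$gpOptionsGuid = Get-SchemaGuid 'gPOptions'  # attribute that holds "block inheritance"

$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET spelling
$createDel  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullCtrl   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$rwProperty = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# 3. Add the ACEs to the OU. Rights are scoped to the OU subtree and to the named
#    object classes only, so the group gets nothing outside DevEnv.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($class in $classGuids.Keys) {
    # create and delete objects of this class in the OU and its child OUs
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDel, $allow, $classGuids[$class], $inhAll)))
    # full control over existing objects of this class below the OU
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $fullCtrl, $allow, $inhDesc, $classGuids[$class])))
}
# let the group link/unlink GPOs on the OU subtree (write gPLink and gPOptions)
foreach ($attr in $gpLinkGuid, $gpOptionsGuid) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rwProperty, $allow, $attr, $inhAll)))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. GPO creation is a domain-wide right held by the built-in
#    "Group Policy Creator Owners" group; membership grants it.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $groupName

# 5. Show what was delegated, for review.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Members of Group Policy Creator Owners can create GPOs and edit the ones they created; GPOs created by the production admins stay outside the delegated group's reach unless explicitly granted, which matches the split of responsibilities the question asks for. What this does not give is the separate-administration requirement in its strict form: as the answer notes, Domain Admins of the existing domain retain control over the OU and its ACL, and only a separate forest removes that.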
