Multi domain VS new child domain


I need to create a new domain solution to support developer environments. Actually, the support of the actual domain (root domain) is managed externally by another company and they work very slowly... the manager of developers needs to change that dependency to guarantee the fast deployment of new virtual machines (domain joined), creation of new users or groups and the independent definition of GPO rules.

The identified requirements are:
- Maintain the current Forest and Domain Functional Level (Windows Server 2008 R2)
- Independent / autonomous management of the 2 domains (the current company manages the root domain and other IT admins manage the new domain)
- “Domain admins” of the actual domain don’t have access to the new domain or vice versa.
- Use the current user login (atualdomain\user) to access the environment of the new domain.

The possibilities are:

- Creation of a new independent domain (newdomain) and a trust relationship with the current domain.
- Creation of a new child domain in the current forest.

I need to represent these 2 possibilities in 2 tables, like this example:

> Multi domain

Disadvantages   | Advantages
1 - a           | 1 - a
2 - b           | 2 - b
3 - ...         | 3 - ...

> Child domain

Disadvantages   | Advantages
1 - a           | 1 - a
2 - b           | 2 - b
3 - ...         | 3 - ...

Can you help me in that scenario?


In general, most of the requirements can be better met by properly delegating rights. That is generally the best option. You can get delegated access to create OUs, create users, create computers, create groups, create GPOs, and manage all of those items. This can be done in the existing domain.

Creating a child domain or a new forest will require new domain controllers, among other things. Trusts will need to be managed. It's more complicated.

A child domain is not a REAL security boundary. Domain/enterprise admins from the parent domain can always seize control of the child domain. If that is a strict requirement, only the separate forest is a solution. Given that you still trust the people managing your production domain to manage your production domain, I don't see the issue that they can cause mischief in the development environment to be a concern, as they already have access to most critical assets.
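
What the OU-level delegation described in the answer above can look like in practice, as an added example that is not part of the original thread. The domain `corp.example` (NetBIOS name `CORP`), the OU `Development` and the group `Dev-OU-Admins` are assumed placeholder names, and the script has to be run once by an existing administrator of the domain.

```powershell
# Added example: delegate management of one OU to a dedicated group.
# All names below are constructed placeholders, not values from the thread.
Import-Module ActiveDirectory

$domainDn  = 'DC=corp,DC=example'
$ouName    = 'Development'
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'Dev-OU-Admins'
$group     = "CORP\$groupName"

# 1. Create the OU and the delegation group. The group is left in the default
#    container, outside the delegated OU, so that its members cannot edit
#    their own group's membership through the rights granted below.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security

# 2. Per object class: create/delete child objects (CCDC) on the OU and its
#    sub-OUs (/I:T), and full control (GA) over descendant objects (/I:S).
foreach ($class in 'user', 'computer', 'group', 'organizationalUnit') {
    dsacls $ouDn /I:T /G "${group}:CCDC;$class" | Out-Null
    dsacls $ouDn /I:S /G "${group}:GA;;$class"  | Out-Null
}

# 3. Allow linking GPOs to the OU: read/write (RPWP) on gPLink and gPOptions.
dsacls $ouDn /I:T /G "${group}:RPWP;gPLink"    | Out-Null
dsacls $ouDn /I:T /G "${group}:RPWP;gPOptions" | Out-Null

# 4. Creating GPOs is a domain-level right. Members of the built-in group can
#    create GPOs and edit the ones they created; linking stays limited to
#    the OU delegated in step 3.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $groupName

# 5. Review the explicit entries the group now holds on the OU.
(Get-Acl "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Nothing here changes who controls the domain itself: Domain Admins and Enterprise Admins keep full control of the delegated OU, which is the same boundary limitation the answer describes for a child domain.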
