In my environment, does a new Forest make more sense?

Marlon Brown

This is a school district environment,
3,000 staff accounts
15,000 student accounts

Students can't handle changing passwords very often. Staff is doing alright
with existing security policies, and I am planning to tighten them some more.

Question is this:
If I set up a child domain for students, that would give the two-way trust
relationship and that's simple to set up.
That said, I thought I could take advantage of forest trust in Win2003. I
mean, if in the future I provide printers and servers dedicated for the
students, I think I could set a one-way trust relationship where
"STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
still access student resources safely.

The problem is that I have heard people saying that I should go with domains
instead of separate forests. Does anyone there have any negative experience with
FOREST management in Win2003?
 
Herb Martin

Marlon Brown said:
> This is a school district environment,
> 3,000 staff accounts
> 15,000 student accounts
>
> Students can't handle changing passwords very often. Staff is doing alright
> with existing security policies, and I am planning to tighten them some
> more.

Sounds like a separate DOMAIN (not forest) based
on the above...

> Question is this:
> If I set up a child domain for students, that would give the two-way trust
> relationship and that's simple to set up.

Yes. Sharing resources would be easier than
with a separate forest.

> That said, I thought I could take advantage of forest trust in Win2003. I
> mean, if in the future I provide printers and servers dedicated for the
> students, I think I could set a one-way trust relationship where
> "STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
> still access student resources safely.

If you know you wish to share resources it almost
certainly should be the same forest.

Very few people need separate forests.

The two classic reasons for separate forests are:

1) Different Schemas

2) Complete autonomy (separation of control/administration)

> The problem is that I have heard people saying that I should go with domains
> instead of separate forests. Does anyone there have any negative experience with
> FOREST management in Win2003?

No, but if you are going to use the same schema and
are going to share resources anyway then it doesn't
make sense to have separate forests in most cases.

How many sets of admins? One set of admins pretty
much seals the issue for a single forest.

If it were separate companies (enterprises, etc.) or
the multiple sets of admins wanted complete separation
of control then two forests might make sense.
 
