Why should we go for sub domians???

[Srinivas Acharya]

Hi All,
In windows 2000, I am really confused with word domain.
Domain means single domain tree or sub domain of domain tree.
Is there any advantages of creating subdoamins in the
domain tree?. We can have single domain tree and OUs under
it to organise the resources according to our requirement.
Why should we go for sub domains?.

Regards,
Srinivas Acharya

 

[Tomasz Onyszko]

Hi All,
In windows 2000, I am really confused with word domain.
Domain means single domain tree or sub domain of domain tree.
Is there any advantages of creating subdoamins in the
domain tree?. We can have single domain tree and OUs under
it to organise the resources according to our requirement.
Why should we go for sub domains?.

For example If You need separate password policy between some section in
Your organization, or If You want to avoid replication of all data
between some sites in your network

 

[Nathan]

It depends on how your LAN and company organization are
organized. Look at your "operational policy" when trying
to determine how best to apply the GPO. Each sub will
become it's own entity. Think of this as a "scope". It's
where your focus is applied at the time. You can take
actions on the entire "scope" from one point. This not
only allows for some security policy settings, but also in
general administration.

If you have multiple "child" IT organizations you can
place them inside their own "scope" (sub domain) where
they can add objects, servers, and users all day long, but
can't interfere with any other sub domain because it's out
of their "scope" of vision. However your parent
organization will still be able to make global changes or
changes within the sub domain with ease.

With each sub organization (child IT department, or off-
site location) you can limit the network traffic for those
AD objects, and also reduce the size of the AD database
stored on each server. Reduction of database can help
reduce system requirements too of course.

So hopefully if you look at how your company/organization
is split up by departments, locations and LAN's you can
come up with a useful split in sub domains.

You can achieve some of the same effects through careful
planning of replication, policies and delegation of rights
but things seem easier to manage with sub domains.

 

[Jim Singh]

Sometimes its a more political issue than a logical/technical to establish a
another domain, another tree or a sub domain because some organazational
department want their own domain , maybe for the reasons of password
policies (since they can only be applied at domain level), GPO settings,
different tree becasuse of differnt upn etc.
-Jim

 

[Cary Shultz [A.D. MVP]]

Srinivas,

Compared with WINNT 4.0 there is often no reason to have sub-domains ( aka
child domains ) in WIN2000. As you have discovered, you can make very good
use of Organizational Units for management purposes. A lot of WINNT 4.0
admins have problems with this once they migrate over to WIN2000. You can,
for example, have one company that has a presence in several cities or
countries and still have 'yourcompany.com' instead of
'atlanta.yourcompany.com' and philadelphia.yourcompany.com' and
'portland.yourcomany.com', etc. You simply make use of Active Directory
Sites and Services ( ADSS ). You can simply create an OU for each location
and put all of the user account objects and computer account objects in the
appropriate OU. Or, you can create OUs that fit the way your company does
things. You use OUs for management purposes ( by placing all of the user
account objects in a specific OU and then assigning/linking a GPO to that
OU, for example ).

Having said this, I would be remiss if I did not say that there often are
reasons for having sub-domains. One such reason is a password policy.
Remember that the password policy is domain-wide. If the guys in Finance
want a super secure password requirement that does not make sense for the
rest of the company ( I know! I know! ) the you would create a sub-domain
for the finance department and create the password policy that they want for
the 'finance.yourcompany.com' domain.

Remember that at the top there is the forest. The forest is comprised of
domain trees.

HTH,

Cary