Additional DC's for new domain or NOT

[Sabir Ahmedi]

Hi all,
I have a domain setup with a very lax password policy. As I understand it
the only way to have a different more stricter policy is to have a new
domain policy and hence an additional domain.

1) Is it worth it to have a new domain just for the sole purpose of having
differing password policies? I mean all the additional complexity that
comes with a new domain. Is there another way to do this w/o an additional
domain?

2) Can my current 2 dc's host the other domain also or would I need
additional DC's to do what I need to do?

Thanks,
Sabir.

 

[Chriss3]

Hi Sabir, One of the reasons for creating a child domain is if a different
password policy is needed. But if this only applies to a few users and
because people are lazy and not want to type strong passwords this is not an
option by my advice. What is the goal here?

You need at least two DCs, since a Domain Controller only can host one
domain at once.

 

[Sabir Ahmedi]

Thanks Chris.
Actually we have a lab environment where the passwords are for generic
accounts. They are not complex and are set not to expire, and this is what
the domain policy specifies.

But for the rest of my domain I dont want such a lax policy but something
stronger.
Thats the basic goal and I dont want to have to create another domain for
such a goal.
ANy way out of this?

Sabir.

 

[Chriss3]

Sabir. Password Policy are domain wide, but password no expiries can be set
for each account for administrators and service accounts if you wish.