Forest, Domain, OU design question

Chris Hall

Good evening,

I'm preparing for exam 70-217 and while I realize this is not a Cert forum,
I find this forum a much better resource to LEARN versus pass a test. With
that in mind, we have a rather small implementation of AD in our shop and I
have questions on some design principles. From what I've learned thus far, a
new forest should be created if company abc were to acquire company 123 and
they wanted separate schemas or keep administration separate. Domains are
used also to separate or decentralize administration or to establish
separate security policies. OUs are used to delegate authority.

I realize there's no one set way to design an AD structure, but if someone
can give me some pointers from the 'field', I'd appreciate it.

Chris
 
Herb Martin

Chris Hall said:
> Good evening,
>
> I'm preparing for exam 70-217 and while I realize this is not a Cert forum,
> I find this forum a much better resource to LEARN versus pass a test. With
> that in mind, we have a rather small implementation of AD in our shop and I
> have questions on some design principles. From what I've learned thus far, a
> new forest should be created if company abc were to acquire company 123 and
> they wanted separate schemas or keep administration separate.

Two primary reasons for multiple forests:

1) Separate Schemas
2) Complete 'autonomy' (i.e., separation of control)

> Domains are
> used also to separate or decentralize administration or to establish
> separate security policies. OUs are used to delegate authority.

Domains are REQUIRED for "different security
ACCOUNT policies" (not just 'security policies')
although sloppiness is possible on any particular
question.

Security Account policies = Kerberos, password, lockout

Domains may be required/desired if you need "complete
control" of resources, mirroring NT domain structures
(more likely temporary), and for either/both "massive
number of objects" and to "control replication" in WANs.

Generally massive is really a LOT (upwards of 100K and
maybe a million) and WANs work fine in the same domain
in almost all cases since Sites generally do a good job
of controlling replication.

BUT as the number of objects goes up and the WAN
bandwidth (available) goes down there are special
cases that require multiple domains.

Also if SMTP replication is required so is a separate
domain (SMTP requires it.)

Generally, OUs though will allow for delegation of
control.

In fact the two primary reasons for creating OUs are:

1) Delegation of control

2) Linking Group Policy

> I realize there's no one set way to design an AD structure, but if someone
> can give me some pointers from the 'field', I'd appreciate it.

Actually those principles (and a couple more--not many)
cover 99% of cases.
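Herb's two lists above (account policy as the domain boundary; delegation and Group Policy linking as the reasons for OUs) map directly onto things an administrator can audit. The PowerShell below is an added example written for this thread, not code from Herb, Chris or the forum: it reads the domain-wide password and lockout policy, and for every OU lists the GPOs linked there and the explicit, non-inherited permissions, which is where delegation shows up. It assumes the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later, so well after the Windows 2000 era of this thread) and a domain account with read access; the list of built-in principals it skips is my own assumption and may need tuning for a given domain.

```powershell
# Added example (not from the thread): audit the design boundaries discussed above.
# Requires the RSAT ActiveDirectory and GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DomainAccountPolicySummary {
    param([string]$Server)
    # Password and lockout policy are domain-wide (Kerberos policy lives in the same
    # Default Domain Policy GPO); a different account policy therefore needs a new domain.
    $p = Get-ADDefaultDomainPasswordPolicy -Server $Server
    [pscustomobject]@{
        Domain            = $p.DistinguishedName
        MinPasswordLength = $p.MinPasswordLength
        ComplexityEnabled = $p.ComplexityEnabled
        MaxPasswordAge    = $p.MaxPasswordAge
        LockoutThreshold  = $p.LockoutThreshold
        LockoutDuration   = $p.LockoutDuration
    }
}

# gPLink is a single string of "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;flags]" entries.
function ConvertFrom-GPLink {
    param([string]$GPLink)
    if ([string]::IsNullOrEmpty($GPLink)) { return @() }
    $pattern = '\[LDAP://cn=\{([0-9a-fA-F-]+)\}[^;]*;(\d+)\]'
    foreach ($m in [regex]::Matches($GPLink, $pattern, 'IgnoreCase')) {
        $guid  = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        $name  = try { (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { '<unresolved>' }
        [pscustomobject]@{
            Gpo      = $name
            Guid     = $guid
            Disabled = [bool]($flags -band 1)   # bit 0: link disabled
            Enforced = [bool]($flags -band 2)   # bit 1: link enforced (no override)
        }
    }
}

# Principals that appear on every OU by default (assumed list; adjust for your domain).
# Anything else that is set explicitly, rather than inherited, is a deliberate delegation.
$DefaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators', 'Everyone', 'CREATOR OWNER'
)

function Get-OUDelegation {
    param([string]$DistinguishedName)
    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $DefaultPrincipals -notcontains $_.IdentityReference.Value -and
            $_.IdentityReference.Value -notmatch '\\(Domain Admins|Enterprise Admins|Administrators)$'
        } |
        Select-Object @{ n = 'Trustee';     e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';      e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inheritance'; e = { $_.InheritanceType } }
}

# Report: the domain boundary first, then each OU's two reasons for existing.
$domain = Get-ADDomain
Get-DomainAccountPolicySummary -Server $domain.PDCEmulator | Format-List

foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties gPLink) {
    Write-Host "`nOU: $($ou.DistinguishedName)"
    Write-Host '  Linked GPOs:'
    ConvertFrom-GPLink -GPLink $ou.gPLink | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host '  Explicit delegations:'
    Get-OUDelegation -DistinguishedName $ou.DistinguishedName | Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it from a domain-joined workstation with RSAT installed. An OU that shows neither a linked GPO nor an explicit delegation is, by Herb's two criteria, an OU that exists for no design reason and is a candidate for consolidation; a delegation you do not recognize is something to investigate.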
 
Chris Hall

Herb,

Thanks for the words of wisdom.

Herb Martin said:
> Two primary reasons for multiple forests:
>
> 1) Separate Schemas
> 2) Complete 'autonomy' (i.e., separation of control)
>
> Domains are REQUIRED for "different security
> ACCOUNT policies" (not just 'security policies')
> although sloppiness is possible on any particular
> question.
>
> Security Account policies = Kerberos, password, lockout
>
> Domains may be required/desired if you need "complete
> control" of resources, mirroring NT domain structures
> (more likely temporary), and for either/both "massive
> number of objects" and to "control replication" in WANs.
>
> Generally massive is really a LOT (upwards of 100K and
> maybe a million) and WANs work fine in the same domain
> in almost all cases since Sites generally do a good job
> of controlling replication.
>
> BUT as the number of objects goes up and the WAN
> bandwidth (available) goes down there are special
> cases that require multiple domains.
>
> Also if SMTP replication is required so is a separate
> domain (SMTP requires it.)
>
> Generally, OUs though will allow for delegation of
> control.
>
> In fact the two primary reasons for creating OUs are:
>
> 1) Delegation of control
>
> 2) Linking Group Policy
>
> Actually those principles (and a couple more--not many)
> cover 99% of cases.
 
C Hall

Herb,

I passed the exam today, however was certainly surprised. It seemed that the
exam was more focused on GPO, NT 4 DNS situations and RIS than any real
situations regarding AD design. There were a couple of questions, but not
that many.
 
ptwilliams

That's 'cause 70-217 is administering AD; AD design is 70-219 ;-)

I was going to mention there's not much on design issues - just a bit on DC/
GC placement...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
C Hall

Ah! That would explain it, huh?
ptwilliams said:
> That's 'cause 70-217 is administering AD; AD design is 70-219 ;-)
>
> I was going to mention there's not much on design issues - just a bit on DC/
> GC placement...


 
Herb Martin

Usually exams will follow the OUTLINE
from the MCP site pretty closely, but they
may not include all of the areas, merely
stay within them.

Also, if two people take the same tests
they may see a different emphasis.

Good job on the exam. Are you registered
for Design?

You should register today and take it within
a week.

(I always take these two on the same day unless
it is a Beta where I have no choice.)
 
C Hall

I had looked at the exam outline, but it was a while ago...I used an Exam
Cram book, and Mission Critical Windows 2000 Server Administration to
prepare. I also used a Transcender test. The Transcender test was supposed
to be for 70-217, but looking at it now from a different perspective, it is
more geared to the 219 test.

Thanks for the encouragement. As I work in the Banking industry, I'm
planning on focusing on security, so I'm planning on taking 220, 214, and
Security+ to round things out. By the time I'm finished (hopefully by the
end of June), I'll be MCSA, MCSE:Security, Security+. A lot of work between
now and then, but well worth it.
 
Herb Martin

C Hall said:
> I had looked at the exam outline, but it was a while ago...

I strongly recommend (always) using the outline
as your initial study notes, adding to them as you
learn more.

> I used an Exam
> Cram book, and Mission Critical Windows 2000 Server Administration to
> prepare. I also used a Transcender test. The Transcender test was supposed
> to be for 70-217, but looking at it now from a different perspective, it is
> more geared to the 219 test.

Never "study from" a practice test -- it is fine
to use them to find your weak points but then you
should reference them against the outlines and the
actual product help/knowledge base.

> Thanks for the encouragement. As I work in the Banking industry, I'm
> planning on focusing on security, so I'm planning on taking 220, 214, and
> Security+ to round things out. By the time I'm finished (hopefully by the
> end of June), I'll be MCSA, MCSE:Security, Security+. A lot of work between
> now and then, but well worth it.

Good -- keep learning. Let me know if I can help
more.
 
