Is "Dedicated Forest Root" Still Recommended?

eric z

Hi everyone,

Does anyone know if the "Dedicated Forest Root Domain" is still recommended
by Microsoft?

Thanks in advance.

Eric
 
eric z

This is pretty old documentation (from the year 2000).

And from two MVPs' points of view, which are more recent, it has been
changed. See the following:

http://x220.win2ktest.com/forum/topic.asp?TOPIC_ID=11610&SearchTerms=dedicated,forest,root
("a dedicated forest root is not necessary in most cases")

http://www.windowsforumz.com/-Dedicated-Forest-Root-Domain-ftopict193042.html
("In other words, usually there is no reason for a separate domain.")

Could any other MVP please provide your comment?

Thanks,

Eric
 
ptwilliams

Simon is an MVP ;-)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
ptwilliams

Mind you, no offence Simon, Willem (wkasdo) over on MR&D is one of the
biggest AD gurus in the world ;-)

And...he agreed with me on that post ;-)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Mark Renoden [MSFT]

Hi

Here's a link to some recommendations regarding this decision - to go one
way or the other.

http://www.microsoft.com/resources/...003/all/deployguide/en-us/dssbc_logi_abak.asp

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
eric z

Thanks. I did read this article and knew some of the advantages and
disadvantages of the "Dedicated Forest Root Domain".

What I was trying to find out is if it is still one of the Best Practices or
if it is (highly-)recommended as before because I saw different point of
view now, especially from MVP.

Eric

 
Simon Geary

Hmmm, I dunno, I still reckon that a dedicated root has its uses and
wouldn't rule it out.

While it has long been accepted that (despite the early Microsoft
documentation) the forest is the security boundary, and there are methods for
any domain admin in any domain in the forest to fiddle with group
memberships, having the dedicated root still offers that extra layer of
security. How many domain admins in child domains actually know how to give
themselves elevated privileges in the root domain?

And don't forget that the root domain is not just about trying to secure
Schema\Enterprise Admin groups, there are the structural benefits that are
offered by both the Lucent paper and Mark's Microsoft link. (eric z, Despite
the Lucent paper being 5 years old, the arguments are still mostly relevant
IMO)

I suppose I would admit that it's not strictly necessary and it does
increase the cost and complexity of your forest but it could definitely be
of use, especially in a global, dynamic or very large implementation where I
might still recommend it. For smaller organisations, the cost of the extra
hardware alone would probably rule it out though.
 
Mark Renoden [MSFT]

Hi

As Simon suggests, you should look at what you want to achieve, weigh up the
pros and cons and make the best choice you can. I don't think one blanket
all purpose recommendation exists for much in the world of IT. Sure, there
are best practices and recommendations. There are times when software just
isn't designed to do what you want but a lot of the time it's versatile for
a reason - so you can make decisions that suit your business.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Ryan Hanisco

Eric,

As everyone has pointed out, there are a lot of cases where having a single
management domain makes a lot of sense. And while I don't speak for
Microsoft, the overarching theme is a bit of Occam's Razor for the IT
world -- choose the simplest implementation that meets your needs.

If you are a small company, have unified management of all of your systems,
or don't cross political boundaries, your needs will be very different from
those of a multinational corporation with IT management distributed across
its business units.

As Paul, Simon and Mark have pointed out, there are times where the business
needs dictate this structure and AD is flexible to adapt to these needs.
The real art in the planning is to accurately define the business goals and
needs and let them dictate the design. This is what shows the mark of a
great systems designer.
 
eric z

Thanks, everyone.

Here is my situation:

We are not a small company, so we can afford to purchase the HW and SW for
two servers, nor are we a multinational corp which would gain a lot of
benefits from using a "Dedicated Forest Root Domain".

Reason for no: We have about 3000 machines, including 100+ servers, and
4000+ users in one single NT domain with a centralized IT department. Most of
our machines and servers are in one city. Very few machines and users are
out of town, but it will NOT be an issue if we choose the main site(s) as the
root domain and choose these branches as Regional Domains. Our admins are
overloaded.

Reason for yes: Our main concern is that we have too many domain admins,
some of whom are not well trained on Windows and some are vendors. We are
in the middle of cleaning up the mess but we are not sure if the result
will come out as we expected.

We are not certain if it is a wise decision to or not to use the "Dedicated
Forest Root Domain" and eager to find out if it is still highly recommended
or is best practice, which will give us a bias on yes.

Thanks,

Eric
 
Ryan Hanisco

Eric,

You'll have noticed that everyone is being very cautious about making a real
recommendation as there are a number of side issues involved and other
intricacies involved with your environment that we will not catch from a
newsgroup explanation. Instead, people are trying to give you a handle on
the tools so you can evaluate this appropriately.

To go out on a limb a bit though...

In your circumstance you have an established domain in a relatively large
environment. You don't really have any of the big red flags crying out for
a management domain. Also, the logistics of implementing a management
domain when you are already established are not trivial. This would be a
large project and, while not impossible by any means, probably not worth the
effort.

What you have, though, is a management issue. If you start aggregating
tasks by role and tightening that down you should be able to get a handle on
the Admin issue in just a few months. I know that sounds like a long time,
but it is best to be cautious -- address the big issues immediately but then
really look to restructure your administration with delegations and GPO
controls.

You are at the size where you really want to pay attention to the MS
recommendations on managing resources with different types of groups. Do
the entire project under the heading of Change Control. Take a look at the
Microsoft Operations Framework and begin the technical and political
implementation of that kind of control. You'll find that your core issue is
not as technical as it is a business issue, and Change Control is the best
way to get a real handle on it. This will save you in the long run.

Start with these:
MOF Overview --
http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx
Change Control --
http://www.microsoft.com/technet/itsolutions/cits/mo/smf/smfchgmg.mspx
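Two points in this thread are easy to turn into a measurement before anyone decides for or against a dedicated root: Simon's observation that a domain admin in any domain of the forest can end up with rights in the root (the forest, not the domain, is the security boundary), and Eric's concern that there are simply too many domain admins, which Ryan suggests tackling by role and delegation. The script below is an added example, not something posted in the thread; it inventories the privileged groups in every domain of the forest, expands nested membership, and flags members of root-domain groups whose accounts live in another domain. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the account running it can read group membership in every domain, and that the output path is an arbitrary placeholder.

```powershell
# Added example: forest-wide inventory of privileged group membership.
# Assumes the RSAT ActiveDirectory module and read access to each domain in the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

# Forest-wide groups exist only in the root domain (well-known RIDs 519 and 518).
$forestGroups = @(
    @{ Sid = "$rootSid-519"; Label = 'Enterprise Admins' },
    @{ Sid = "$rootSid-518"; Label = 'Schema Admins' }
)

$results = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $sid    = $domain.DomainSID.Value

    # Per-domain groups: Domain Admins (RID 512) and the built-in Administrators group.
    $targets = @(
        @{ Sid = "$sid-512";     Label = 'Domain Admins' },
        @{ Sid = 'S-1-5-32-544'; Label = 'Administrators' }
    )
    if ($domainName -eq $forest.RootDomain) { $targets += $forestGroups }

    foreach ($t in $targets) {
        try {
            # -Recursive expands nested groups; membership through a group in another
            # domain is how a child-domain admin quietly gains rights in the root.
            $members = Get-ADGroupMember -Identity $t.Sid -Server $domainName -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not expand $($t.Label) in $domainName : $_"
            continue
        }
        foreach ($m in $members) {
            # Derive the member's home domain from the DC= components of its DN.
            $memberDomain = (($m.distinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
            [pscustomobject]@{
                Domain       = $domainName
                Group        = $t.Label
                Member       = $m.SamAccountName
                MemberDomain = $memberDomain
                ObjectClass  = $m.objectClass
            }
        }
    }
}

# Headline numbers: how many distinct principals hold each privileged role per domain.
$results | Group-Object Domain, Group |
    Select-Object Name, @{ n = 'DistinctMembers'; e = { ($_.Group.Member | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# Members of a root-domain privileged group whose account lives in another domain
# are exactly the cross-domain reach Simon describes; review each one.
$results |
    Where-Object { $_.Domain -eq $forest.RootDomain -and $_.MemberDomain -ne $forest.RootDomain } |
    Format-Table Group, Member, MemberDomain -AutoSize

# Placeholder output path; keep the CSV as the baseline for the clean-up Ryan recommends.
$results | Export-Csv -Path .\privileged-membership.csv -NoTypeInformation
```

Run it once as the baseline, then re-run after each round of delegation changes; the distinct-member counts per group are the number Eric is really asking about, and a shrinking cross-domain list in the root is the evidence that the role-based tightening is working without a domain restructure.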
 
Joe Richards [MVP]

It depends entirely on your goals.

There is no good blanket recommendation that works across all deployments.

Personally I like empty roots but then I tend to work on ADs for enterprise
customers holding hundreds of thousands of users across the world which isn't an
area a lot of people work in. In a smaller environment it may not have the same
draw.

joe
 