Multiple domain forests

I'm still pretty green with AD. Hope I can get constructive advice here.
I have created a Domain on Advanced Server to maintain all my servers. Now
it looks like there is a business need (time sync) to keep all our
department workstations in a Domain. I don't want to add those users into
the same "forest"? as my servers for several reasons. One, it will clutter my
existing server user names and computer names. I would very much like to
avoid that.
Here is what I'm thinking based on my knowledge of AD.
1. Create a new forest under the existing domain.
Potential issues:
a) not sure if this is possible.
b) do I need separate hardware, i.e. a W2K box?
2. Create a totally new domain.
Potential problems:
a) extra setup work involved with the new AD (DNS, etc.)
b) definitely need new hardware, i.e. a W2K box

My situation is also complicated by the fact that corporate IT holds access
to DNS servers, proxy, in a nutshell all infrastructure. Due to their
workload they are unable to investigate AD at this point and have given me a
green card to go ahead with all the setup in pilot/test mode.
As mentioned above I also need to keep the time synced between the server
domain and the user domain.

Well, what do you guys think? Now that I've written that, it sounds like I've
got some work to do. :)

Simon Geary

In a good AD design there are some very specific reasons for creating a new
forest or a new domain and it does not sound like you need them. From your
description I would confidently assert that you need neither. You only need
new domains or forests for specific security or business needs.

You do not create forests under domains. The hierarchy runs Forest > Domain,
not vice versa. (Besides, in order to create a new forest you have to also
create a new domain to populate it with.)
Although you could create a child domain under the existing domain, you have
no need for one.

So your problem is that you want workstations to keep in time sync? Joining
them to the existing domain would indeed solve that problem, assuming they
are Windows 2000 or XP. To be blunt, keeping your domain neat and tidy is
not an acceptable excuse for not joining workstations to the domain; AD is
there to provide services, so make the most of it. As the old joke goes,
networks would run much better if there were no users on them.

I would suggest you create a new OU in your existing domain and join all the
workstations to the domain, then you can group all the new accounts in the
new OU.
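As an added example (not Simon Geary's or the thread's own material), here is the single-domain layout he recommends expressed in PowerShell: a dedicated OU in the existing domain for the department machines and accounts, the workstation join into that OU, and a check that the joined machines take their time from the domain hierarchy. It assumes a current Windows domain with the RSAT ActiveDirectory module, which is newer tooling than the Windows 2000 era of the thread, though the design is unchanged. The domain name corp.example.com and the OU and group names are constructed placeholders.

```powershell
# Added example, not from the original thread. Constructed values: replace
# corp.example.com and the OU/group names with your own.
$domainFqdn = 'corp.example.com'
$domainDN   = 'DC=corp,DC=example,DC=com'
$ouName     = 'DeptWorkstations'
$ouDN       = "OU=$ouName,$domainDN"

# ---- Part 1: run on a DC or an admin workstation with the AD module ----
Import-Module ActiveDirectory

# One OU for the department keeps its computers and users out of the
# containers that hold the server estate, which is the "clutter" worry.
# No second domain or forest is needed for that.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
            -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true
}

# Sub-OUs so computer objects and user accounts can get different Group
# Policy later; a global group to collect the department's users.
foreach ($sub in 'Computers', 'Users') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" `
                -SearchBase $ouDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $sub -Path $ouDN
    }
}
if (-not (Get-ADGroup -LDAPFilter '(cn=DeptWorkstationUsers)' -SearchBase $ouDN)) {
    New-ADGroup -Name 'DeptWorkstationUsers' -GroupScope Global `
        -GroupCategory Security -Path "OU=Users,$ouDN"
}

# ---- Part 2: run elevated on each department workstation ----
# -OUPath places the new computer object straight into the department OU
# instead of the default Computers container. The credential prompt is for
# an account allowed to join machines to the domain.
Add-Computer -DomainName $domainFqdn -OUPath "OU=Computers,$ouDN" `
    -Credential (Get-Credential) -Restart

# ---- Part 3: after the reboot, on the workstation ----
# A domain member syncs time from the domain hierarchy (its DC) by default,
# which is what makes the "time sync" requirement go away. If the source is
# still "Local CMOS Clock", put it back onto the hierarchy.
w32tm /query /source
w32tm /config /syncfromflags:domhier /update
w32tm /resync

# ---- Part 4: audit from the DC: what actually landed in the OU ----
Get-ADComputer -Filter * -SearchBase "OU=Computers,$ouDN" |
    Select-Object Name, DNSHostName, Enabled
```

Parts 1 and 4 run where the AD module is available; parts 2 and 3 run on each workstation, which is why the script carries literal domain values rather than reading them from Get-ADDomain. The audit in part 4 is the cheap way to confirm that nothing was joined into the default Computers container by mistake.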
