Setting up the root domain

mikebach

Say for example our domain is godzilla.com. Is it best to have our root domain
be godzilla.com, and have our domains fall under that, or put an empty root
domain above it, say godzilla.xyz? We have a guy pushing for the empty root
domain concept, but we feel that will create many headaches/problems. Any
thoughts for or against?
 
Dmitry Korolyov [MVP]

First, godzilla.xyz will not be a root domain above godzilla.com.

This is a matter of preference in some way. Empty root domain design adds
some administrative overhead, but provides slightly better security and
clearer separation for forestwide sensitive security principals from all
others. Personally I do prefer empty root design.
 
Guest

The concept of an empty root domain is arguable, especially with Windows 2003
Active Directory. I personally think it is pointless, but I built my
company's Active Directory with an empty root.
It doesn't really provide more security. A child domain can be "attacked"
as easily as a single domain forest.
A good reason for an empty root in Windows 2000 is that domains cannot
be renamed, in case that may be needed for whatever political reasons
(company buyout, etc.). That way you name the "unused" empty root something
very generic, and the resource domain can be named something that reflects the
company. If you had to rename the domain later, it would be easier to bring
up a second child with the new name and move the resources across the forest than
to bring up a new forest. Since Windows 2003 has the ability to rename
domains, the empty root wouldn't buy you anything in that aspect.

A person did tell me one decent reason to still use an empty root though.
That was if your company is global and uses different language versions of
Windows. It would be best to keep those domains separate. It seemed somewhat
reasonable to me.

Another thing you should consider is whether you can justify the cost of additional
hardware for domain controllers (2 DCs for each domain is best practice).

These are just several of my thoughts on empty roots.


Dmitry Korolyov said:
First, godzilla.xyz will not be a root domain above godzilla.com.

This is a matter of preference in some way. Empty root domain design adds
some administrative overhead, but provides slightly better security and
clearer separation for forestwide sensitive security principals from all
others. Personally I do prefer empty root design.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Directory Services


mikebach said:
Say for example our domain is godzilla.com. Is it best to have our root domain
be godzilla.com, and have our domains fall under that, or put an empty root
domain above it, say godzilla.xyz? We have a guy pushing for the empty root
domain concept, but we feel that will create many headaches/problems. Any
thoughts for or against?
 
Cary Shultz

I would question why you want multiple domains in the first place. I am
sure that you have very good reasons, but this is a 'mistake' that a lot of
very good WINNT 4.0 people make. If you have multiple physical locations
then you can have one domain but make use of Sites in Active Directory
Sites and Services. Just make sure to make use of IPSec or site-to-site
firewalls (assuming that you do not have private links between the
locations).

Assuming that you do have a good reason for multiple domains, an empty root
might be a good idea. It might also be a bad idea. If the sole reason is
security, then the Forest is the true security boundary - not the domain!
The Root Domain holds the Enterprise Admins group. This is a very powerful
group. A really good Domain Admin (from one of the 'child' domains) could
make himself a member of that group with ease.

Dmitry and Brandon give some good points.

Ask Joe Richards what he thinks about this... he is The Boss for all things
Active Directory.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)



Brandon McGarvey said:
The concept of an empty root domain is arguable, especially with Windows 2003
Active Directory. I personally think it is pointless, but I built my
company's Active Directory with an empty root.
It doesn't really provide more security. A child domain can be "attacked"
as easily as a single domain forest.
A good reason for an empty root in Windows 2000 is that domains cannot
be renamed, in case that may be needed for whatever political reasons
(company buyout, etc.). That way you name the "unused" empty root something
very generic, and the resource domain can be named something that reflects the
company. If you had to rename the domain later, it would be easier to bring
up a second child with the new name and move the resources across the forest than
to bring up a new forest. Since Windows 2003 has the ability to rename
domains, the empty root wouldn't buy you anything in that aspect.

A person did tell me one decent reason to still use an empty root though.
That was if your company is global and uses different language versions of
Windows. It would be best to keep those domains separate. It seemed somewhat
reasonable to me.

Another thing you should consider is whether you can justify the cost of additional
hardware for domain controllers (2 DCs for each domain is best practice).

These are just several of my thoughts on empty roots.


Dmitry Korolyov said:
First, godzilla.xyz will not be a root domain above godzilla.com.

This is a matter of preference in some way. Empty root domain design adds
some administrative overhead, but provides slightly better security and
clearer separation for forestwide sensitive security principals from all
others. Personally I do prefer empty root design.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Directory Services


mikebach said:
Say for example our domain is godzilla.com. Is it best to have our root domain
be godzilla.com, and have our domains fall under that, or put an empty root
domain above it, say godzilla.xyz? We have a guy pushing for the empty root
domain concept, but we feel that will create many headaches/problems. Any
thoughts for or against?
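Two of the points made in this thread (the root domain is the only home of the forest-wide groups, and every extra domain means another pair of domain controllers to buy and maintain) can be checked on a live forest. The script below is an added example, not code from any poster here; it assumes the RSAT ActiveDirectory PowerShell module and an account with read access to every domain in the forest. The function name Get-ForestDesignReport and the threshold parameter are made up for this example.

```powershell
# Added example (not from this thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ForestDesignReport {
    param(
        # Groups that exist only in the forest root domain and carry forest-wide rights.
        [string[]] $ForestGroups = @('Enterprise Admins', 'Schema Admins'),
        # Brandon's rule of thumb above: at least two DCs per domain.
        [int] $MinDcsPerDomain = 2
    )

    $forest = Get-ADForest
    $rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
    $report = [ordered]@{ Domains = @(); ForestGroupMembers = @() }

    # 1. Count domain controllers per domain; each domain is queried directly
    #    via -Server so the answer is not limited to the current domain.
    foreach ($domainName in $forest.Domains) {
        $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
        $report.Domains += [pscustomobject]@{
            Domain      = $domainName
            IsRoot      = ($domainName -eq $forest.RootDomain)
            DcCount     = $dcs.Count
            BelowMinDcs = ($dcs.Count -lt $MinDcsPerDomain)
        }
    }

    # 2. List the members of the forest-wide groups, resolved recursively from
    #    the root domain. A member whose own domain is not the root domain is
    #    exactly the situation Cary describes: a child-domain principal holding
    #    forest-wide rights, which should be deliberate and reviewed.
    foreach ($groupName in $ForestGroups) {
        $members = Get-ADGroupMember -Identity $groupName -Server $forest.RootDomain -Recursive
        foreach ($m in $members) {
            # The domain part of a DN starts at its first "DC=" component. A plain
            # EndsWith test would not do here: a child domain's DN also ends with
            # the root's DN (DC=child,DC=godzilla,DC=com ends with DC=godzilla,DC=com),
            # so compare the whole domain component instead.
            $dn = $m.distinguishedName
            $memberDomainDn = $dn.Substring($dn.IndexOf('DC='))
            $report.ForestGroupMembers += [pscustomobject]@{
                Group             = $groupName
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $dn
                FromRootDomain    = ($memberDomainDn -eq $rootDn)   # -eq is case-insensitive
            }
        }
    }
    return $report
}

$r = Get-ForestDesignReport
"Domains and DC counts:"
$r.Domains | Format-Table -AutoSize
"Forest-wide group members that are not from the root domain:"
$r.ForestGroupMembers | Where-Object { -not $_.FromRootDomain } |
    Format-Table Group, Member, ObjectClass, DistinguishedName -AutoSize
```

Run it periodically (or from a scheduled task that diffs the output against the previous run) and any unexpected addition to Enterprise Admins or Schema Admins, from whatever domain, shows up as a change in the second table; the first table makes the hardware cost of each additional domain visible in the same report.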
 
