Single forest vs multiple forest


Steve

Okay, racking my brain over this one on pros and cons
for both ways.

Question:
Need to create a new domain (production) that will be
housed at a data center. This system is a simple eight
server system (IIS, SQL, DCs - no clients) for a web
application.
Would it be better to create this "domain" as a separate
forest or as a tree in our existing forest?


Currently have a single forest (root domain of
abc.company.com) and it has two child domains
(staging.abc.company.com and development.abc.company.com).

Reason for incorporating into current forest:
Administration

Reason for creating as new forest:
Security (Domain and Enterprise admin groups new)
Reliability - what would happen if root domain DCs of
abc.company.com (say our office flooded) failed? If in
its own forest, no longer an issue
Autonomy from rest of company

Thanks in advance
BTW - I'm leaning toward own forest but everything I keep
reading on best practices says there are very few
instances you want to do something like this.
 

Simon Geary

> Reason for creating as new forest:
> Security (Domain and Enterprise admin groups new)

This should be irrelevant. Your Domain and Enterprise admin accounts should
be properly secured no matter how many domains or forests you have.

> Reliability - what would happen if root domain DCs of
> abc.company.com (say our office flooded) failed? If in
> its own forest, no longer an issue

Again, this is not a good design reason to have a separate forest. Disaster
mitigation should be covered by a robust backup and restore procedure, not
by creating new forests.

> Autonomy from rest of company

This is one of the few good reasons to have a separate forest. (Assuming of
course that you want these servers to be autonomous)


You say the new servers will be at a data centre, will the bandwidth be
affected much by AD replication? If you have a slow pipe maybe a separate
forest would be useful to cut down on WAN costs for unnecessary replication
traffic.
Will the security or Kerberos requirements be different for the new servers
than for the rest of the network? If so, a new forest will be required.
Will you be able to create a VPN tunnel between your network and the data
centre to allow all the ports required for AD replication? If not, or if
it's too expensive, a dedicated forest might help.
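The last two points above (WAN replication cost and whether the VPN passes every port AD needs) can be checked before anyone promotes a DC at the data centre. The following PowerShell is an added example written for this thread, not something either poster supplied. It runs from a server on the data-centre segment (Windows Server 2012 or later, for Test-NetConnection), probes the existing forest's DCs on the TCP ports that Microsoft documents for domain join, authentication and DC-to-DC replication, and reports which ones the firewall or tunnel blocks. The DC host names are placeholders; the port list is the standard documented set.

```powershell
# Added example (not from the thread): check whether the data-centre segment can
# reach the existing forest's DCs on the TCP ports that domain join, Kerberos/LDAP
# authentication and AD replication require. A blocked port here means a child
# domain across this link would not replicate; a separate forest avoids the
# dependency entirely.

# Placeholder DC names - replace with the root-domain DCs from the question.
$DomainControllers = @(
    'dc01.abc.company.com',
    'dc02.abc.company.com'
)

# Well-known TCP ports used between a DC/member and the rest of the forest.
# UDP 53/88/123/389 are also used, but Test-NetConnection only tests TCP, so
# verify those separately (e.g. nslookup against the DC, w32tm /stripchart).
$RequiredTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (replication, DCOM)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# The RPC dynamic range (TCP 49152-65535 on Server 2008 and later) carries the
# actual DRS replication calls; sample a few ports from it rather than all of them.
$RpcDynamicSample = 49152, 50000, 55000, 60000, 65535

function Test-DcPorts {
    param(
        [Parameter(Mandatory)][string[]]$Servers,
        [Parameter(Mandatory)][int[]]$Ports
    )
    foreach ($server in $Servers) {
        foreach ($port in $Ports) {
            # -WarningAction suppresses the "TCP connect failed" warning so the
            # result table stays readable; the outcome is in TcpTestSucceeded.
            $r = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server = $server
                Port   = $port
                Role   = if ($RequiredTcpPorts.ContainsKey($port)) { $RequiredTcpPorts[$port] } else { 'RPC dynamic range' }
                Open   = $r.TcpTestSucceeded
            }
        }
    }
}

$portsToTest = @($RequiredTcpPorts.Keys | Sort-Object) + $RpcDynamicSample
$results = Test-DcPorts -Servers $DomainControllers -Ports $portsToTest
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port check(s) failed; a child domain over this link will not replicate until the firewall/VPN allows them." -f $blocked.Count)
}

# After the link is confirmed and a DC is promoted at the data centre, confirm
# replication actually flows and how far behind each partner is (needs the RSAT
# ActiveDirectory module; the target name below is a placeholder):
# Get-ADReplicationPartnerMetadata -Target 'dc01.production.abc.company.com' |
#     Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
```

If the table shows the RPC dynamic range closed but 135 open, the tunnel is passing the endpoint mapper while dropping the ports it hands out, which is the classic symptom of replication that "starts" but never completes over a WAN; that is the case where Simon's separate-forest suggestion removes the dependency rather than fighting the firewall.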
 
