Single forest vs multiple forest


S

Steve

Okay, racking my brain over this one on pro's and con's
for both ways.

Question:
Need to create a new domain (production) that will be
housed at a data center. This system is a simple eight
server system (IIS, SQL, DC's - no clients) for web
application.
Would it be better to create this "domain" as a seperate
forest or as a tree in our existing forest?


Currently have a single forest (root domain of
abc.company.com) and it has two child domains
(staging.abc.company.com and development.abc.company.com).

Reason for incorporating into current forest:
Administration

Reason for creating as new forest:
Security (Domain and Entriprise admin group new)
Reliability - what would happen if root domain DC's of
abc.company.com (say our office flooded) failed. If in
own forest no longer issue
Autonomy from rest of company

Thanks in advance
BTW - I'm leaning toward own forest but everything I keep
reading on best practices says there are very few
instances you want to do something like this.
 
Ad

Advertisements

S

Simon Geary

Reason for creating as new forest:
Security (Domain and Entriprise admin group new)
This should be irrelevant. Your Domain and Enterprise admin accounts should
be properly secured no matter how many domains or forests you have.
Reliability - what would happen if root domain DC's of
abc.company.com (say our office flooded) failed. If in
own forest no longer issue
Again, this is not a good design reason to have a seperate forest. Disaster
mitigation should be covered by a robust backup and restore procedure, not
by creating new forests.
Autonomy from rest of company
This is one of the few good reasons to have a separate forest. (Assuming of
course that you want these servers to be autonomous)


You say the new servers will be at a data centre, will the bandwidth be
affected much by AD replication? If you have a slow pipe maybe a separate
forest would be useful to cut down on WAN costs for unnecessary replication
traffic.
Will the security or Kerberos requirements be different for the new servers
than from the rest of the network? if so, a new forest will be required.
Will you be able to create a VPN tunnel between your network and the data
centre to allow all the ports required for AD replication? If not, or if
it's too expensive, a dedicated forest might help.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Top