Two AD W2K3 Design Questions


Peter

1. What are the REAL reasons for using an empty root domain? I get all kinds
of answers but really would like to know hard facts.

2. Is there a reason to partition an AD into one domain per country? E.g.
from some GPO policies etc., or could everything (except password complexity) be
set on OUs instead?

Thanks for your input.

/Peter
 
One is to protect EA and SA accounts and have different password policies,
but in my opinion you can easily gain EA rights from a child domain due to
the SIDHistory exploit. Besides this, you need two additional DCs (at least) to
support an empty root domain.

Use more domains if you have different password policy requirements, as
this is on a per-domain basis. You can rather implement one domain with sites, as
you can have GPOs on sites.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
You were thinking of ?

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
