  • one forest/one domain vs multiple forest/one domain

    hey all,

    I post, but I have been a guest for 4 years or so. Thank you for all the help docs/tips!

    I have a question that needs to be answered.

    My company, since I joined, has been a single forest for each site with its own domain, which has worked out very well. Each site has 200+ workstations and 20+ servers; no data is replicated to the home office other than email, and email is not Exchange.

    There is now a policy change to make the company one forest/one domain, with each site being an OU. I know some admins would feel like they are losing "domain admin", but I was curious how everyone else is set up? There is now a shareportal being implemented, so SSO is important, but could I not just trust the home office so that SSO would work for those users who use the shareportal?

    My concern is that I have to trust the other sites to have no rogue admin or such. If this setup is done, one forest/one domain, then each site would have a DC that holds all user accounts? If a site OU admin hacked the DC, could they not get the passwords of all users? Each site would have a DNS server with forward zones to all other sites; would a DNS-aware worm not be able to cross the VPNs to infect other sites?

    Am I being paranoid? Since each site's applications do not replicate and there is no Exchange, would not keeping the model of multiple forests and one domain make the most sense?

    Thanks in advance!

    decoy boy

    Well, you could always delegate OU admins. Make sure they can only unlock, create, and edit users in their own OU. Give them only as much administration power as they need.

    Do they really need to restart the servers? And if you don't trust them then why are they working for the company anyways? I mean, in all honesty, you could go rogue. Anyone could.

    If it's one forest/one domain then all accounts are held by all DCs.

    Don't your DNS servers forward DNS information to each other now anyways? I mean, that's how they get their authentication information for AD.
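One way to do the OU delegation the reply describes, as an added example that is not from the thread or either poster: a site helpdesk group gets only reset-password, unlock and create-user rights on its own site OU, and the final query lets you audit exactly what was granted. The OU, domain and group names are placeholders, and the schema GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example (not from the thread): delegate unlock, password reset and user
# creation on ONE site's OU to that site's helpdesk group. OU, domain and group
# names are placeholders. Rights are scoped to the OU and its user objects only;
# nothing here grants any right on the DC or on other sites' OUs.
Import-Module ActiveDirectory

$ouDn  = "OU=SiteA,DC=corp,DC=example"          # placeholder site OU
$group = "CORP\SiteA-Helpdesk"                   # placeholder delegate group
$sid   = ([System.Security.Principal.NTAccount]$group).Translate(
             [System.Security.Principal.SecurityIdentifier])

# Resolve schema / extended-right GUIDs from this forest instead of hard-coding them.
$root      = Get-ADRootDSE
$userClass = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID
$lockout   = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=lockoutTime)" -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$onUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$ouDn"

# 1. "Reset Password" extended right, inherited only by user objects under the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $onUsers, $userClass))

# 2. Read/write lockoutTime, which is what "unlock account" actually writes.
$rw = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rw, $allow, $lockout, $onUsers, $userClass))

# 3. Create/delete child objects of class user in the OU itself, no other classes.
$cd = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $cd, $allow, $userClass))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list exactly what the group now holds on this OU so the delegation is auditable.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once per site OU with that site's own group; a delegate who needs more (for example editing other user attributes) gets an additional, equally narrow rule rather than membership in a built-in admin group.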
