  • Single Vs Multiple Forests

    We are planning to move from Novell to AD and have entered this debate, and I would like to know the opinions of people on this forum. I understand the dictum to keep it simple; however, once I explain the circumstances I hope to have a clearer answer to single vs multiple (although I think I know the answer).

    We are an independent scientific research organisation with 150 employees (we also have a commercial arm). We have various allegiances and partnerships. One of these is an academic partnership with an up-and-coming university for whom we teach undergraduate courses. In no way are we owned by this larger organisation - it is a partnership. The organisation is actually composed of other independent like-minded institutes and colleges with an extremely large geographical spread: the university doesn't actually do any teaching itself but basically coordinates the teaching activities of all the partners.

    Now, in the drive to cut costs, 'shared services' are seen as part of the answer - in fact we already share a telephone system where anyone in the partnership is on an internal number (and also has very cheap external calls). However, there is now a drive to implement AD across the entire partnership, but the proposed plan is not to have separate forests or even domains for each partner, but actually to make each of them only an OU in a single domain / single forest for the whole partnership, with Domain Admin being held at the university's central office.

    I have big problems with this: as an independent organisation I am seriously concerned about loss of independence regarding technical control (although it is proposed we all manage our own OUs at our sites), amongst other things. I also have data protection issues (one of the reasons for moving to AD is better user integration with 3rd-party packages such as our HR and finance systems - under this, people who are not employees of our organisation would have full access to all our data - a problem, I think, even if they don't use it). I am also not convinced there is a proper legal framework to effectively manage the network resources of independent entities within the same domain (let alone forest). Finally, and not least, our work here is only 25% devoted to the university: many of our employees actually have little or no role regarding this. There are some shared resources at the university we do need to access, and for this we currently need separate university accounts: the move to AD was partly to rationalize this.

    IPsec and server auditing have been offered as an alternative to secure our data, but I think this still offers no protection from potential rogue administrators in an organisation over whose employees we have no control. It has also been suggested that this is somehow easier to manage than setting up forest trusts (the larger organisation would only need to allow our users access to their resources).

    Comments would be more than welcome!

    Thanks

  • #2
    Re: Single Vs Multiple Forests

    I would also be opposed to a single domain being forced across multiple independent companies - we had this debate last year when the CEO wanted to merge our network with the sister company over a VPN link, and move all of our servers up there too "because they're better at it than we are". Sure, great idea - move our fileserver off its gigabit link onto a 2Mbps link - can't see any problems with that...

    The proposed solution for us was a single forest with the two companies as child domains of the root domain (which in your case would be run on servers based at the central office). The root domain was purely because... you need a root domain to have child domains - it wasn't going to be "used".

    In my view, a single domain (whether with single or multiple sites) is only appropriate within a single company.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Single Vs Multiple Forests

      It is quite possible to use 1 Active Directory forest and domain and utilize sites.

      In fact, if I remember rightly, sites are the preferred way to manage remote locations. Sites are manageable using Group Policies.

      You can also delegate control over the OUs for each site to certain admins.

      You could implement DFS and some sort of encryption. Cryptainer is very good software for managing encrypted volumes: you can create an encrypted volume within a share; the downside is you need a small client on each desktop/laptop to mount the volume.

      The decision to use more than 1 forest/domain is a tough one in your case. I would certainly stay away from trust relationships; you just need to decide how much you're going to lock things down. 1 domain/forest can be complicated when managing large geographical areas with policies etc.
      MCSE 2003; MCTS Vista; Sec+; CCNA
      Attitude Makes The Difference!
      in other words you got to WANT to do it..

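      The OU delegation ikon mentions, and the OP's worry about central admins, can be checked directly on the directory. The script below is an added example (not from any poster): it delegates an OU to a site admin group with the ActiveDirectory module, then lists every principal that still holds full-control-equivalent rights on that OU and whether the entry is inherited from the domain head. The OU name, domain and group name are assumed placeholders.

```powershell
# Added example: delegate one partner's OU, then audit who still has full control.
# Assumed names: OU=Institute-A in the partnership domain, group Institute-A-Admins.
Import-Module ActiveDirectory

$ouDN      = "OU=Institute-A,DC=partnership,DC=example"   # assumed OU
$groupName = "Institute-A-Admins"                          # assumed site admin group
$aclPath   = "AD:\$ouDN"                                   # AD: PSDrive path to the OU

# --- Delegation: grant the site admin group GenericAll on the OU and everything below it.
$acl = Get-Acl -Path $aclPath
$sid = (Get-ADGroup -Identity $groupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# --- Audit: every Allow ACE that amounts to full control (GenericAll, or the ability
#     to rewrite the DACL / take ownership), with its source. Inherited entries come
#     from the domain head and are held by the central domain's admin groups.
$acl = Get-Acl -Path $aclPath
$acl.Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
  } |
  Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
  Sort-Object IsInherited, IdentityReference |
  Format-Table -AutoSize
```

      Expect Domain Admins, Enterprise Admins and SYSTEM to appear as inherited entries alongside the delegated group; blocking inheritance on the OU does not change the outcome, because members of the central domain's admin groups can reset ownership and the DACL from the domain controllers. That is why the forest, not the domain or the OU, is the security boundary in Active Directory.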


      • #4
        Re: Single Vs Multiple Forests

        Originally posted by ikon:
        It is quite possible to use 1 Active Directory forest and domain and utilize sites.

        In fact, if I remember rightly, sites are the preferred way to manage remote locations. Sites are manageable using Group Policies.

        You can also delegate control over the OUs for each site to certain admins.

        You could implement DFS and some sort of encryption. Cryptainer is very good software for managing encrypted volumes: you can create an encrypted volume within a share; the downside is you need a small client on each desktop/laptop to mount the volume.

        The decision to use more than 1 forest/domain is a tough one in your case. I would certainly stay away from trust relationships; you just need to decide how much you're going to lock things down. 1 domain/forest can be complicated when managing large geographical areas with policies etc.
        Thanks Ikon, but what you are addressing are technical issues - which I mostly agree on - there wouldn't be any major problems with us sitting in a single forest.

        What I am having problems addressing is the much murkier and greyer area of legal and political questions: there may be technical solutions to the problems of data protection and commercial confidentiality, but I'm not convinced.

        Most of this can be very subjective (i.e. do we put our entire IT infrastructure potentially under the control of a 3rd party) and is for us to discuss internally. What I am interested in here is others' experience and advice.

        Thanks



        • #5
          Re: Single Vs Multiple Forests

          Originally posted by gforceindustries:
          I would also be opposed to a single domain being forced across multiple independent companies - we had this debate last year when the CEO wanted to merge our network with the sister company over a VPN link, and move all of our servers up there too "because they're better at it than we are". Sure, great idea - move our fileserver off its gigabit link onto a 2Mbps link - can't see any problems with that...

          The proposed solution for us was a single forest with the two companies as child domains of the root domain (which in your case would be run on servers based at the central office). The root domain was purely because... you need a root domain to have child domains - it wasn't going to be "used".

          In my view, a single domain (whether with single or multiple sites) is only appropriate within a single company.
          We don't let our management anywhere near decisions like that - fortunately I have large amounts of autonomy in IT.

          Your bracketing of the word "used" I think is indicative of the way I think about this whole process.

          I wonder if there are any other examples of truly independent entities being served in the same domain and forest? I am really curious.



          • #6
            Re: Single Vs Multiple Forests

            What I mean by not being used is that all we would use the root domain for would be as the parent for the child domains. Other than its DCs, it wouldn't have any other servers. Nor would it have any users other than its Administrator, and no workstations except possibly one management station. All of the users and computers would belong to one of the two domains.

            I should point out that the proposal for a forest with 2 domains was the IT proposal to the CEO's question - he's not that much of an ex-spurt. I should also point out that at the time, there was still the possibility of merging the two companies and us becoming a branch office. As our company name has 50 years of history behind it and we are a market leader, though, our management blocked that move - we would have been inheriting the sister company's name, and they really don't have a good reputation these days.
            Gareth Howells