Managing Active Directory Forests in the Business Wilderness - Page 3

 By Jacqueline Emigh

More than 1500 users? How about a dedicated root domain?

If your network has more than 1500 users, you should probably use a dedicated root domain, says Marks. The dedicated root domain establishes clear separation between forest owners and other administrators. It also allows for easy transfer of forest ownership.

"By definition, a dedicated root domain has at least one level of child domains," he notes. Generally speaking, it's better practice to use geographic domains than organization domains. Geographic domains typically map well to both IT organizational structures and wide area network (WAN) layouts. Geography is also "relatively unchanging."

Organization domains, on the other hand, should only be used under certain circumstances. "If the company restructures frequently – or if it is subject to merger or acquisition – you might want to use organization domains."

Most often, though, if an organization within an enterprise wants to remain autonomous, it makes more sense to create a separate forest. AD is set up so that "forest owners must trust their domain owners, and domain owners within a forest must trust each other," he says.

More than 100,000 users? Go directly to Windows 2003

For networks of more than 100,000 users, Windows Server 2003 Active Directory is a better choice, in Marks' opinion. Early users of Windows 2003 AD include, for instance, Enterasys Networks; Det Norske Veritas (DNV), a Norwegian-based risk management services provider; and JR East Japan Information Systems Company, a subsidiary of East Japan Railroad Company.

Windows 2003 AD brings a number of improvements in management, deployment, security, performance, and dependability, according to Microsoft officials. Examples include cross-forest authentication; cross-forest authorization; Microsoft Group Policy Management Console (MGPMC), for managing all Group Policy-related tasks; and Active Directory/Application Mode (AD/AM), a feature addressing application-related deployment scenarios.

Active Directory deployment is no trivial matter, on either the technical or business side. The setup of AD forests and domains needs to dovetail with business needs. Sound and thorough planning is absolutely essential.


This article was originally published on Sep 29, 2003