chrisdodds
Weaksauce · Joined Nov 11, 2005 · Messages: 71
I have an Active Directory design quandary that I'd like some input on.
I recently started working for a PC manufacturing company at one of their remote sites. The current AD topology is a single forest with a single root domain.
We are hoping to resolve some political "sharing" issues with the HQ IT staff and achieve some autonomy while maintaining single-sign-on access to domain resources and not creating a beast of complexity. We'd like to be able to manage our own user accounts and internal resources without having to request every single network/AD change we want to make from the main office. They don't really like helping us, and we don't like asking them for help, but oh well. I've been researching a couple of options.
Option 1 is to create a new child domain in the existing AD forest.
Option 2 is to create a second forest with a trust relationship to the first forest.
A new child domain is the easiest of the two, but I'm not sure if it will give us the separation that we are wanting. Am I correct in thinking that a member of the "Administrators" group on the child domain will only be able to function as a domain admin within the child domain and not the root domain? (This is what we are wanting.)
Forest-to-forest resource sharing is not something I've dealt with a lot. I know what it involves for the most part as far as configuration goes, but I've not implemented it before. I've only dealt with it where it already existed. This option seems like it would provide for better separation, but would make resource sharing a lot more complex to configure. I'm trying to follow the KISS principle, so I'm veering away from this option right now. Does anyone have any experience with doing this, and if so, any common issues?
Any input would be great. Thanks in advance.
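Added example (editor's note, not code from the poster): the separation question above turns on which groups hold authority across the whole forest versus inside one domain. Enterprise Admins and Schema Admins exist only in the forest root domain, and Enterprise Admins are placed in the built-in Administrators group of every domain in the forest, so a child-domain admin's scope is confined to the child while the root's enterprise admins are not confined out of it. The script below, written for the RSAT ActiveDirectory module, lists those forest-wide groups, the per-domain admin groups, and any trusts with their direction and SID-filtering state, so a team evaluating Option 1 or Option 2 can see the actual boundary rather than assume it. It assumes an account that can read group membership in every domain; the hypothetical `$domainsToCheck` filter is the only added parameter.

```powershell
# Added example: audit forest-wide vs. per-domain admin scope and trusts.
# Requires the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# Optional hypothetical filter: leave empty to check every domain in the forest.
$domainsToCheck = @()
$domains = if ($domainsToCheck.Count -gt 0) { $domainsToCheck } else { $forest.Domains }

Write-Host "Forest root domain : $root"
Write-Host "Forest mode        : $($forest.ForestMode)"
Write-Host "Domains in forest  : $($forest.Domains -join ', ')"

# Forest-wide privilege lives only in the root domain. Anyone listed here can
# act as an administrator in every child domain regardless of who runs it.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    Write-Host "`n[$root] $group (recursive membership):"
    Get-ADGroupMember -Identity $group -Server $root -Recursive |
        Select-Object -ExpandProperty SamAccountName |
        ForEach-Object { Write-Host "  $_" }
}

# Per-domain privilege: Domain Admins plus the built-in Administrators group.
# Enterprise Admins from the root normally show up inside Administrators here,
# which is what makes child-domain autonomy one-directional.
foreach ($domain in $domains) {
    foreach ($group in 'Domain Admins', 'Administrators') {
        Write-Host "`n[$domain] $group (direct membership):"
        Get-ADGroupMember -Identity $group -Server $domain |
            ForEach-Object {
                # Show the object's own domain so cross-domain members stand out.
                $dn = $_.distinguishedName
                $objDomain = ($dn -split ',DC=' | Select-Object -Skip 1) -join '.'
                Write-Host ("  {0,-30} {1,-16} {2}" -f $_.SamAccountName, $_.objectClass, $objDomain)
            }
    }
}

# Trusts: direction, transitivity, and whether SID filtering (quarantine) is on.
# For Option 2 this is the configuration that defines the resource-sharing path.
Write-Host "`nTrusts:"
Get-ADTrust -Filter * |
    Select-Object Name, Source, Target, Direction, TrustType,
                  IntraForest, ForestTransitive, SIDFilteringQuarantined |
    Format-Table -AutoSize
```

Run it from a domain-joined workstation with RSAT installed; the forest-wide section is the one to read first, because it shows exactly which root-domain accounts would retain authority inside a new child domain.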