In my environment, does a new Forest make more sense?

Archived from groups: microsoft.public.win2000.active_directory

This is a school district environment,
3,000 staff accounts
15,000 student accounts

Students can't handle changing passwords very often. Staff is doing alright
with existing security policies, and I am planning to tighten them some more.

Question is this:
If I set up a child domain for students, that would give the two-way trust
relationship and that's simple to set up.
That said, I thought I could take advantage of forest trust in Win2003. I
mean, if in the future I provide printers and servers dedicated for the
students, I think I could set a one-way trust relationship where
"STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
still access student resources safely.

The problem is that I have heard people saying that I should go with domains
instead of separate forests. Does anyone there have any negative experience with
FOREST management in Win2003?
  1.

    "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
    news:eCcYeWIMFHA.3320@TK2MSFTNGP15.phx.gbl...
    > This is a school district environment,
    > 3,000 staff accounts
    > 15,000 student accounts
    >
    > Students can't handle changing passwords very often. Staff is doing
    > alright with existing security policies, and I am planning to tighten
    > them some more.

    Sounds like a separate DOMAIN (not forest) based
    on the above...

    > Question is this:
    > If I set up a child domain for students, that would give the two-way trust
    > relationship and that's simple to set up.

    Yes. Sharing resources would be easier than
    with a separate forest.

    > That said, I thought I could take advantage of forest trust in Win2003. I
    > mean, if in the future I provide printers and servers dedicated for the
    > students, I think I could set a one-way trust relationship where
    > "STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
    > still access student resources safely.

    If you know you wish to share resources it almost
    certainly should be the same forest.

    Very few people need separate forests.

    The two classic reasons for separate forests are:

    1) Different Schemas

    2) Complete autonomy (separation of control/administration)

    > The problem is that I have heard people saying that I should go with
    > domains instead of separate forests. Does anyone there have any negative
    > experience with FOREST management in Win2003?

    No, but if you are going to use the same schema and
    are going to share resources anyway then it doesn't
    make sense to have separate forests in most cases.

    How many sets of admins? One set of admins pretty
    much seals the issue for a single forest.

    If it were separate companies (enterprises, etc.) or
    the multiple sets of admins wanted complete separation
    of control then two forests might make sense.