In my environment, does a new Forest make more sense?

Anonymous
March 24, 2005 10:28:19 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

This is a school district environment,
3,000 staff accounts
15,000 student accounts

Students can't handle changing passwords very often. Staff is doing alright
with existing security policies, and I am planning to tighten them some more.

Question is this:
If I set up a child domain for students, that would give the two-way trust
relationship and that's simple to set up.
That said, I thought I could take advantage of forest trust in Win2003. I
mean, if in the future I provide printers and servers dedicated for the
students, I think I could set a one-way trust relationship where
"STUDENTFOREST" trusts "STAFF_FOREST", that way teachers and staff could
still access student resources safely.

The problem is that I have heard people saying that I should go with domains
instead of separate forests. Does anyone there have any negative experience with
FOREST management in Win2003?

Anonymous
March 24, 2005 12:46:41 PM

"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:eCcYeWIMFHA.3320@TK2MSFTNGP15.phx.gbl...
> This is a school district environment,
> 3,000 staff accounts
> 15,000 student accounts
>
> Students can't handle changing passwords very often. Staff is doing alright
> with existing security policies, and I am planning to tighten them some more.

Sounds like a separate DOMAIN (not forest) based
on the above...

> Question is this:
> If I set up a child domain for students, that would give the two-way trust
> relationship and that's simple to set up.

Yes. Sharing resources would be easier than
with a separate forest.

> That said, I thought I could take advantage of forest trust in Win2003. I
> mean, if in the future I provide printers and servers dedicated for the
> students, I think I could set a one-way trust relationship where
> "STUDENTFOREST" trusts "STAFF_FOREST", that way teachers and staff could
> still access student resources safely.

If you know you wish to share resources it almost
certainly should be the same forest.

Very few people need separate forests.

The two classic reasons for separate forests are:

1) Different Schemas

2) Complete autonomy (separation of control/administration)

> The problem is that I have heard people saying that I should go with domains
> instead of separate forests. Does anyone there have any negative experience with
> FOREST management in Win2003?

No, but if you are going to use the same schema and
are going to share resources anyway then it doesn't
make sense to have separate forests in most cases.

How many sets of admins? One set of admins pretty
much seals the issue for a single forest.

If it were separate companies (enterprises, etc.) or
the multiple sets of admins wanted complete separation
of control then two forests might make sense.