The big pro for separate domains is that they provide a security boundary
for certain policies which must be configured on a domain-wide basis:
"Account policies and Public Key policies have domain-wide scope and are set
at the domain GPO level. All other policies can be specified at the level of
the organizational unit. Some policies that can be applied only at the
domain container level include:
Password policy. Determines the rules, such as password length, that must be
met when a user sets a password.
Account lockout policy. Defines rules for intruder detection and account
deactivation.
Kerberos ticket policy. Determines the lifetime of a Kerberos ticket. A
Kerberos ticket is obtained during the logon process and is used for network
authentication. A particular ticket is only valid for the lifetime specified
in the policy."
http://www.microsoft.com/technet/pro...21d45bcc7.mspx
Public safety agencies/departments may need to access state and federal
databases which increasingly insist upon security requirements which may not
be practical or desirable for the county domain.
Doug Sherman
MCSE, MCSA, MCP+I, MVP
"publicsafetyITAdmin" <(E-Mail Removed)> wrote
in message news:57B58980-F10E-4B3D-9336-(E-Mail Removed)...
> Doug...you are pretty much right on the money with your analogy. Thank you
> for your feedback. Can you think of any pros/cons (besides obvious control)
> of going with the separate domains rather than as an OU? It has been my
> belief to go with single forest with two domains off the root from the start,
> however I have come to a roadblock when it comes to getting concrete reasons
> through to the other side of the fence. Any additional feedback would be
> great or could take this offline...
>
> "Doug Sherman [MVP]" wrote:
>
> > I don't envy you. My limited experience with state and local government IT
> > suggests that this is more likely to be a political/cultural/psychological
> > than a pure AD administration decision. Most likely each IT group views
> > the other as underworked and overpaid. If you try to marry them in one
> > domain, it will be viewed as a job threatening consolidation move. My
> > advice is to give them separate domains in the same forest - let the County
> > Commissioners and the Sheriff fight it out if there is strong pressure for a
> > unified IT Department. Probably Public Safety has enough unique security
> > issues to justify the two domain configuration anyway. Probably they'd
> > prefer separate forests as well.
> >
> > Doug Sherman
> > MCSE, MCSA, MCP+I, MVP
> >
> > "publicsafetyITAdmin" <(E-Mail Removed)> wrote
> > in message news:EAAC3F61-E08B-4854-BEF3-(E-Mail Removed)...
> > > I'm looking for anyone who may have some advice or may have had experience
> > > with this type of situation in the local government/public safety sector.
> > >
> > > We are currently working to develop and migrate from NT to 2003 server and
> > > exchange. The actual migration part of this is not a problem however the
> > > question of what is the best way to set up the network has become an issue.
> > > We have two IT groups, one for the county gov and one for public safety,
> > > each at their respective locations. The question has come down to does it
> > > make more sense to create an AD structure with a county gov as the only
> > > domain and all other departments, including public safety (which includes
> > > dispatching, fire, EMS, Emergency management, 24/7 operation) as OUs or
> > > would it be beneficial for the public safety division to be another/separate
> > > domain within the AD structure??? Currently the two sides manage their own
> > > servers, exchange, network and have minimal interaction with the exception
> > > of email.
> > >
> > > Any thoughts, ideas, suggestions, feedback...etc are greatly appreciated.
> > >
> > > Thanks...
> >
> >
> >
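
Added example, not part of the thread: since password and lockout policy apply to a whole domain, an outside requirement such as the state or federal one mentioned above has to be checked against each domain's policy separately. The PowerShell below does that comparison; the domain names and required values are constructed, and the property names are those returned by Get-ADDefaultDomainPasswordPolicy in the ActiveDirectory module, which post-dates the Windows Server 2003 setup discussed in the thread.

```powershell
# Added example: check each domain's account policy against an external requirement.
# Live input (assumes the ActiveDirectory module is installed):
#   $policies = foreach ($d in (Get-ADForest).Domains) {
#       Get-ADDefaultDomainPasswordPolicy -Server $d |
#           Add-Member -NotePropertyName Domain -NotePropertyValue $d -PassThru }

function Test-DomainAccountPolicy {
    param(
        [Parameter(Mandatory)] $Policy,               # one domain's account policy
        [Parameter(Mandatory)] [hashtable] $Required  # the external requirement
    )
    $gaps = @()
    if ($Policy.MinPasswordLength -lt $Required.MinPasswordLength) {
        $gaps += "MinPasswordLength $($Policy.MinPasswordLength) < $($Required.MinPasswordLength)"
    }
    if ($Required.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $gaps += 'Complexity disabled'
    }
    # A lockout threshold of 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0 -or
        $Policy.LockoutThreshold -gt $Required.MaxLockoutThreshold) {
        $gaps += "LockoutThreshold $($Policy.LockoutThreshold) (max $($Required.MaxLockoutThreshold))"
    }
    # A zero MaxPasswordAge means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $Policy.MaxPasswordAge -gt $Required.MaxPasswordAge) {
        $gaps += "MaxPasswordAge $($Policy.MaxPasswordAge.Days)d (max $($Required.MaxPasswordAge.Days)d)"
    }
    [pscustomobject]@{
        Domain    = $Policy.Domain
        Compliant = ($gaps.Count -eq 0)
        Gaps      = $gaps -join '; '
    }
}

# Constructed requirement and constructed policies for two hypothetical domains.
$required = @{ MinPasswordLength = 8; ComplexityEnabled = $true
               MaxLockoutThreshold = 5; MaxPasswordAge = [TimeSpan]::FromDays(90) }
$policies = @(
    [pscustomobject]@{ Domain = 'county.example'; MinPasswordLength = 6
        ComplexityEnabled = $false; LockoutThreshold = 0
        MaxPasswordAge = [TimeSpan]::FromDays(180) }
    [pscustomobject]@{ Domain = 'publicsafety.county.example'; MinPasswordLength = 8
        ComplexityEnabled = $true; LockoutThreshold = 5
        MaxPasswordAge = [TimeSpan]::FromDays(90) }
)
$policies | ForEach-Object { Test-DomainAccountPolicy -Policy $_ -Required $required } |
    Format-Table -AutoSize -Wrap
```

Kerberos ticket lifetime is not returned by that cmdlet, so it is not checked here.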