2003 planning for county government and public safety

Discussion in 'Windows Networking' started by publicsafetyITAdmin, Apr 12, 2005.

  1. I'm looking for anyone who may have some advice or may have had experience
    with this type of situation in the local government/public safety sector.

    We are currently working to develop and migrate from NT to 2003 server and
    exchange. The actual migration part of this is not a problem however the
    question of what is the best way to setup the network has become an issue.
    We have two IT groups, one for the county gov and one for public safety, each
    at their respective locations. The question has come down to does it make
    more sense to create an AD structure with a county gov as the only domain and
    all other departments, including public safety (which includes dispatching,
    fire, EMS, Emergency management, 24/7 operation) as OUs or would it be
    beneficial for the public safety division to be another/separate domain
    within the AD structure??? Currently the two sides manage their own servers,
    exchange, network and have minimal interaction with the exception of email.

    Any thoughts, ideas, suggestions, feedback...etc are greatly appreciated.

    Thanks...
     
    publicsafetyITAdmin, Apr 12, 2005
    #1

  2. I don't envy you. My limited experience with state and local government IT
    suggests that this is more likely to be a political/cultural/psychological
    than a pure AD administration decision. Most likely each IT group views
    the other as under worked and overpaid. If you try to marry them in one
    domain, it will be viewed as a job threatening consolidation move. My
    advice is to give them separate domains in the same forest - let the County
    Commissioners and the Sheriff fight it out if there is strong pressure for a
    unified IT Department. Probably Public Safety has enough unique security
    issues to justify the two domain configuration anyway. Probably they'd
    prefer separate forests as well.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Apr 12, 2005
    #2

  3. Doug...you are pretty much right on the money with your analogy. Thank you
    for your feedback. Can you think of any pros/cons (besides obvious control)
    of going with the separate domains rather than as an OU? It has been my
    belief to go with single forest with two domains off the root from the start,
    however I have come to a roadblock when it comes to getting concrete reasons
    through to the other side of the fence. Any additional feedback would be
    great or could take this offline...
     
    publicsafetyITAdmin, Apr 12, 2005
    #3
  4. The big pro for separate domains is that they provide a security boundary
    for certain policies which must be configured on a domain-wide basis:

    "Account policies and Public Key policies have domain-wide scope and are set
    at the domain GPO level. All other policies can be specified at the level of
    the organizational unit. Some policies that can be applied only at the
    domain container level include:

    Password policy. Determines the rules, such as password length, that must be
    met when a user sets a password.

    Account lockout policy. Defines rules for intruder detection and account
    deactivation.

    Kerberos ticket policy. Determines the lifetime of a Kerberos ticket. A
    Kerberos ticket is obtained during the logon process and is used for network
    authentication. A particular ticket is only valid for the lifetime specified
    in the policy."


    http://www.microsoft.com/technet/pr...Ref/90875adc-51b8-4ae6-92a0-78821d45bcc7.mspx

    Public safety agencies/departments may need to access state and federal
    databases which increasingly insist upon security requirements which may not
    be practical or desirable for the county domain.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Apr 13, 2005
    #4
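
The domain-wide scope described in post #4 can be checked against what each group actually needs. The following is an added example, not part of the original thread: it reads the account and Kerberos settings from two security templates in GptTmpl.inf format and lists every domain-level setting where the two groups need different values. The template contents and all values are constructed for illustration.

```python
import configparser

# Account-policy settings that take effect only from a GPO linked at the domain
# level; names follow the security template (GptTmpl.inf) format.
DOMAIN_WIDE = {
    "System Access": ["MinimumPasswordLength", "PasswordHistorySize",
                      "MaximumPasswordAge", "LockoutBadCount"],
    "Kerberos Policy": ["MaxTicketAge"],
}

# Constructed sample templates, one per group (values are illustrative only).
COUNTY_INF = """
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 3
MaximumPasswordAge = 180
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
"""
SAFETY_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 10
MaximumPasswordAge = 90
LockoutBadCount = 5
[Kerberos Policy]
MaxTicketAge = 8
"""

def load_policy(text):
    """Return {(section, key): int} for the domain-wide settings in a template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case as written in the template
    cp.read_string(text)
    return {(s, k): cp.getint(s, k)
            for s, keys in DOMAIN_WIDE.items() for k in keys
            if cp.has_option(s, k)}

def conflicts(a, b):
    """Settings where the two groups differ, so a single domain cannot serve both."""
    return {f"{s}/{k}": (a[(s, k)], b[(s, k)])
            for (s, k) in sorted(a.keys() & b.keys()) if a[(s, k)] != b[(s, k)]}

if __name__ == "__main__":
    found = conflicts(load_policy(COUNTY_INF), load_policy(SAFETY_INF))
    for name, (county, safety) in found.items():
        print(f"{name}: county={county} public_safety={safety}")
```

An empty result means OUs in one domain could carry both groups as far as these settings go; any entry listed is a requirement that only a separate domain can satisfy.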