Poll: How is your AD structured?

Windows Server 2008 R2 Thread, How do you structure your AD? in Technical
  1. #1
    How do you structure your AD?

    Hi all,

    We're just weighing up a few options and wanted to gauge others' opinions regarding Active Directory structure. We currently have two forests for staff/students with an interforest trust. This causes some problems with LDAP-integrated applications which can only access one LDAP server. Naturally we could try and negate this with an LDAP proxy, but for the sake of balance, I wanted to create a poll to see how others are structuring their Active Directory.

    If you wish to add any further feedback, please comment in the thread as well as voting in the poll.


    Thanks in advance,
    Karl
    Last edited by aceonbass; 16th August 2013 at 01:54 PM.

  2. #2
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration but are there not any security flaws with this set up?
    Last edited by aceonbass; 16th August 2013 at 01:54 PM.

  3. #3 DMcCoy
    Quote Originally Posted by aceonbass View Post
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration but are there not any security flaws with this set up?
    Not when passwords are on post-its and staff logon for students with disabled accounts. Sometimes it's actually easier to secure due to the visibility of permissions without having to remember any trusts etc.

  4. #4
    Why split it across domains? Surely teachers use pupil PCs and vice versa?
    I can just about see a reason to split user files across servers (apart from storage space), but across domains what does it gain apart from more stuff to manage and more points of failure?

  5. #5 rocknrollstar
    Beauty in simplicity.

  6. #6
    We used to have 2 forests back when RM set things up (before my time); this was a pain and, as you said, some LDAP apps don't like the trusts. We migrated to a single forest and domain not long after I started.

    All our users live under the same root OU with Staff and Student OUs under that; it makes things very simple when applying group policies that everyone needs.
    Our Students also have a different email domain to staff.
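    The layout described in this post (one root OU for everyone, Staff and Students beneath it, common policy linked once at the root) can be built and checked with the RSAT cmdlets. The script below is an added example and not the poster's own; it assumes the ActiveDirectory and GroupPolicy modules on a domain controller, a placeholder domain DN of DC=school,DC=local, and a placeholder helpdesk group, all of which you would replace with your own names.

```powershell
# Added example (not from the thread): one root OU for all users, with Staff and
# Students beneath it, so a policy linked at the root applies to everyone.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and the placeholder
# domain 'DC=school,DC=local'; adjust the names to your own forest.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=school,DC=local'            # placeholder domain DN
$RootOU   = "OU=School Users,$DomainDN"

# Root OU plus the two sub-OUs. ProtectedFromAccidentalDeletion stops a
# mis-click in ADUC from removing a whole branch of user accounts.
New-ADOrganizationalUnit -Name 'School Users' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($name in 'Staff', 'Students') {
    New-ADOrganizationalUnit -Name $name -Path $RootOU -ProtectedFromAccidentalDeletion $true
}

# The baseline everyone needs is linked once at the root and inherits down.
$Baseline = New-GPO -Name 'All Users Baseline'
New-GPLink -Guid $Baseline.Id -Target $RootOU -LinkEnabled Yes

# Restrictions that only students should get are linked at their OU alone,
# so they never touch staff accounts.
$StudentLockdown = New-GPO -Name 'Student Lockdown'
New-GPLink -Guid $StudentLockdown.Id -Target "OU=Students,$RootOU" -LinkEnabled Yes

# Delegation in the same domain: a helpdesk group may reset student passwords
# (extended right 'Reset Password' plus write on pwdLastSet, user objects only)
# without being granted anything over the Staff OU. dsacls is the in-box tool.
$Helpdesk = 'SCHOOL\Helpdesk-Students'      # placeholder group name
dsacls "OU=Students,$RootOU" /I:S /G "${Helpdesk}:CA;Reset Password;user"
dsacls "OU=Students,$RootOU" /I:S /G "${Helpdesk}:WP;pwdLastSet;user"

# Check the result: which GPOs reach a student OU and in what order.
Get-GPInheritance -Target "OU=Students,$RootOU" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

    Because the delegation is an ACE on one OU inside one domain, it is visible with dsacls or the ADUC security tab, which is the point DMcCoy makes above about permissions being easier to see without trusts in the way.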

  7. #7 Ephelyon
    I can see the OP's logic with splitting the domains, but it seems analogous to the old curriculum/admin network model in that it's generally thought too unwieldy for modern use. However, a workable scenario in which a compromise in security on the pupil side does not affect operations on the other, be it "all staff" or simply "admin staff", would certainly be very interesting to hear more about.

    However, as long as you have trusts, the infrastructures are never truly separate and, having observed a security breach that arose from inappropriately-configured trust permissions (first rule of endpoint security: never assume there hasn't been a cock-up upstream), I would imagine the benefits to security are less than might be expected as you have only made something harder to achieve, not impossible.
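    The breach this post attributes to badly configured trust permissions is the kind of thing worth auditing on a schedule rather than assuming. The function below is an added example, not the poster's code; it lists every trust the domain holds and flags the settings that govern how far an account on the other side of the trust can reach. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (Get-ADTrust is not in the 2008 R2 module) and read access to the trust objects; the optional -Server parameter and the finding text are my own.

```powershell
# Added example (not the poster's): report the trusts this domain holds and
# flag configurations that widen the blast radius of a compromise elsewhere.
# Assumes the ActiveDirectory module from Server 2012+ RSAT (Get-ADTrust).
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param([string]$Server)   # optional DC to query; defaults to the logon DC
    $params = @{ Filter = '*'; Properties = '*' }
    if ($Server) { $params.Server = $Server }

    Get-ADTrust @params | ForEach-Object {
        $t = $_
        $findings = @()

        # Inbound or bidirectional: accounts from the other side can be
        # granted access to resources in this domain.
        if ($t.Direction -in 'Inbound', 'BiDirectional') {
            if (-not $t.SelectiveAuthentication) {
                $findings += 'Domain-wide authentication: any account over the trust can be granted access here'
            }
            # SID filtering is on by default for external (Quarantined) and
            # forest (ForestAware) trusts; if both are off, SID history carried
            # from the trusted side is honoured by this domain.
            if ($t.TrustType -eq 'Uplevel' -and
                -not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
                $findings += 'SID filtering disabled: SID history from the trusted side is accepted'
            }
        }
        if ($t.ForestTransitive) {
            $findings += 'Forest-transitive: reach extends to every domain in the other forest'
        }

        [pscustomobject]@{
            Trust         = $t.Name
            Direction     = $t.Direction
            Type          = $t.TrustType
            Transitive    = $t.ForestTransitive
            SelectiveAuth = $t.SelectiveAuthentication
            SIDFiltering  = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
            Findings      = ($findings -join '; ')
        }
    }
}

# Run from a DC or a management host with RSAT; review any row with findings.
Get-TrustRiskReport | Format-Table -AutoSize -Wrap
```

    Run it against each forest in a two-forest setup like the OP's; a trust that shows domain-wide authentication with SID filtering off is exactly the case where the "separate" student forest provides little separation in practice.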

  8. #8 FishCustard
    I've never seen anyone able to come up with any specific examples of security problems that would reliably be prevented by having split domains. And yet I can think of many examples of headaches such a set-up would cause.

  9. #9 Michael
    Multiple domains do generally double your workload in my experience. A single properly configured domain with the appropriate permissions is the way forward.

    However having a single domain over multiple WAN links for a cluster of schools or businesses does make things complicated. I think you have to draw a line somewhere in terms of ease of management and whether or not a cluster of schools (for example) actually need to be part of a single domain structure, or would be better off with a separate domain per site with/without a trust.
    Last edited by Michael; 18th August 2013 at 10:37 PM.

  10. #10 Ephelyon
    Hence the need for a forest - perhaps someone in an Academy Federation can comment on how forests (or in fact trees at this level) have been implemented to simplify administration?

  11. #11 Michael
    Quote Originally Posted by Ephelyon View Post
    Hence the need for a forest - perhaps someone in an Academy Federation can comment on how forests (or in fact trees at this level) have been implemented to simplify administration?
    Generally speaking - the biggest issues I've come across whereby an academy has implemented a single domain across multiple WAN links is replication and people with the same name, which is inevitable if you have a common surname. It's also going to create a lot of web traffic if you have many users changing their passwords or you have many admins creating/modifying GPOs. It all adds up. You also have to take upgrades into consideration. Updating servers acting as DCs from 2008 R2 to 2012 at each site needs to be done correctly, otherwise you could 'bugger' the whole domain.

  12. #12 seawolf
    Quote Originally Posted by aceonbass View Post
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration but are there not any security flaws with this set up?
    What security flaws do you believe there would be? Do you have two separate totally isolated networks as well that staff and students use? If not, then whatever additional security you think you have with using two domains does not really exist. If anything, it would create a false sense of security I fear and lead to security lapses in other areas on the network.

  13. #13 synaesthesia
    For the reasons above, I couldn't see a reason to use multiple forests or domains these days, with the exception of where business requirements or the facilities differ - for instance, if a nursery attached to a school is financed/run separately but physically connected and sharing a system, perhaps, if that were to help with data requirements. Naturally it'd also be a different case for WAN-connected schools (academy chains being a popular example) - I would hope that should such a chain wish to connect in that manner, it would be via a parent and child domain setup where the local school had full control over the child domain, ensuring that should the WAN link separate, the school or its administrators would have no difficulty in continuing to run their system as required. Synchronisation could, if required, be set to occur a couple of times a day rather than being live.

  14. #14 salc
    Quote Originally Posted by aceonbass View Post
    Do you really run staff and students under the same, single domain?
    We went to single domain 8 1/2 years ago. Much simpler.

  15. #15 glennda
    I believe back when Sims originally came out it was a recommendation that Sims sat in a separate Admin domain to the students.

    The only way I can see having a single forest being good is in an Academy Federation, as mentioned above: having one forest but, say, each secondary school having its own domain.

    Having 2 forests and then multiple domains doesn't make sense personally in my head.

    But I also have a client spread all over the south east at 10 sites using a single domain and DFS replicating user data back to the HQ for backing up. A common data folder is then replicated between all sites.
