Poll: How is your AD structured?

Windows Server 2008 R2 Thread, How do you structure your AD? in Technical
  1. #1 aceonbass

    How do you structure your AD?

    Hi all,

    We're just weighing up a few options and wanted to gauge others' opinions regarding Active Directory structure. We currently have two forests for staff/students with an interforest trust. This causes some problems with LDAP-integrated applications which can only access one LDAP server. Naturally we could try and negate this with an LDAP proxy, but for the sake of balance, I wanted to create a poll to see how others are structuring their Active Directory.

    If you wish to add any further feedback, please comment in the thread as well as voting in the poll.


    Thanks in advance,
    Karl
    Last edited by aceonbass; 16th August 2013 at 02:54 PM.

  2. #2 aceonbass
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration, but are there not any security flaws with this setup?
    Last edited by aceonbass; 16th August 2013 at 02:54 PM.

  3. #3 DMcCoy
    Quote Originally Posted by aceonbass:
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration, but are there not any security flaws with this setup?
    Not when passwords are on post-its and staff log on for students with disabled accounts. Sometimes it's actually easier to secure due to the visibility of permissions, without having to remember any trusts etc.

  4. #4
    Why split it across domains? Surely teachers use pupil PCs and vice versa?
    I can just about see a reason to split user files across servers (apart from storage space), but across domains, what does it gain apart from more stuff to manage and more points of failure?

  5. #5 rocknrollstar
    Beauty in simplicity.

  6. #6
    We used to have 2 forests back when RM set things up (before my time). This was a pain and, as you said, some LDAP apps don't like the trusts; we migrated to a single forest and domain not long after I started.

    All our users live under the same Root OU with Staff and Student OUs under that. It makes things very simple when applying group policies that everyone needs.
    Our students also have a different email domain to staff.
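    The single-domain layout described in this post, written out as an added PowerShell example (not code from the thread or from any poster); it assumes the RSAT ActiveDirectory and GroupPolicy modules and a hypothetical domain school.local. The last step lists the non-inherited ACEs on the Students OU, since in a single domain that delegation, not a forest boundary, is what separates staff from students.

```powershell
# Added example, not from the thread: one domain, one root OU, Staff and Students beneath it.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and a hypothetical domain school.local.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=school,DC=local'          # hypothetical domain
$RootOU   = "OU=Users,$DomainDN"

# Root OU that every user lives under; policies everyone needs are linked here once.
New-ADOrganizationalUnit -Name 'Users' -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# Staff and Student OUs under the root, for population-specific policy and delegation.
foreach ($name in 'Staff', 'Students') {
    New-ADOrganizationalUnit -Name $name -Path $RootOU -ProtectedFromAccidentalDeletion $true
}

# One GPO linked at the root applies to both populations; per-population GPOs link lower down.
$common = New-GPO -Name 'All Users - Baseline'
New-GPLink -Name $common.DisplayName -Target $RootOU -LinkEnabled Yes

$student = New-GPO -Name 'Students - Restrictions'
New-GPLink -Name $student.DisplayName -Target "OU=Students,$RootOU" -LinkEnabled Yes

# With a single domain the boundary between staff and students is the ACL on these OUs,
# so list the explicitly set (non-inherited) ACEs on the Students OU to see who was delegated what.
$acl = Get-Acl -Path "AD:\OU=Students,$RootOU"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```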

  7. #7 Ephelyon
    I can see the OP's logic with splitting the domains, but it seems analogous to the old curriculum/admin network model in that it's generally thought too unwieldy for modern use. However, a workable scenario in which a compromise in security on the pupil side does not affect operations on the other, be it "all staff" or simply "admin staff", would certainly be very interesting to hear more about.

    However, as long as you have trusts, the infrastructures are never truly separate and, having observed a security breach that arose from inappropriately-configured trust permissions (first rule of endpoint security: never assume there hasn't been a cock-up upstream), I would imagine the benefits to security are less than might be expected as you have only made something harder to achieve, not impossible.

  8. #8 FishCustard
    I've never seen anyone able to come up with any specific examples of security problems that would reliably be prevented by having split domains. And yet I can think of many examples of headaches such a set-up would cause.

  9. #9 Michael
    Multiple domains do generally double your workload in my experience. A single properly configured domain with the appropriate permissions is the way forward.

    However having a single domain over multiple WAN links for a cluster of schools or businesses does make things complicated. I think you have to draw a line somewhere in terms of ease of management and whether or not a cluster of schools (for example) actually need to be part of a single domain structure, or would be better off with a separate domain per site with/without a trust.
    Last edited by Michael; 18th August 2013 at 11:37 PM.

  10. #10 Ephelyon
    Hence the need for a forest - perhaps someone in an Academy Federation can comment on how forests (or in fact trees at this level) have been implemented to simplify administration?

  11. #11 Michael
    Quote Originally Posted by Ephelyon:
    Hence the need for a forest - perhaps someone in an Academy Federation can comment on how forests (or in fact trees at this level) have been implemented to simplify administration?
    Generally speaking - the biggest issues I've come across whereby an academy has implemented a single domain across multiple WAN links is replication and people with the same name, which is inevitable if you have a common surname. It's also going to create a lot of web traffic if you have many users changing their passwords or you have many admins creating/modifying GPOs. It all adds up. You also have to take upgrades into consideration. Updating servers acting as DCs from 2008 R2 to 2012 at each site needs to be done correctly, otherwise you could 'bugger' the whole domain.

  12. #12 seawolf
    Quote Originally Posted by aceonbass:
    Wow, 8 votes for single forest and domain.

    Do you really run staff and students under the same, single domain? I can understand the ease of administration, but are there not any security flaws with this setup?
    What security flaws do you believe there would be? Do you have two separate totally isolated networks as well that staff and students use? If not, then whatever additional security you think you have with using two domains does not really exist. If anything, it would create a false sense of security I fear and lead to security lapses in other areas on the network.

  13. #13 synaesthesia
    For the reasons above, I couldn't see a reason to use multiple forests or domains these days, with the exception of where business requirements or the facilities differ - for instance, if a nursery attached to a school is financed/run separately but physically connected and sharing a system, perhaps, if that were to help with data requirements. Naturally it'd also be a different case for WAN-connected schools (academy chains being a popular example) - I would hope that, should such a chain wish to connect in that manner, it would be via a parent and child domain setup where the local school had full control over the child domain, ensuring that should the WAN link separate, the school or its administrators would have no difficulty in continuing to run their system as required. Synchronisation could, if required, be set to occur a couple of times a day rather than being live.

  14. #14 salc
    Quote Originally Posted by aceonbass:
    Do you really run staff and students under the same, single domain?
    We went to single domain 8 1/2 years ago. Much simpler.

  15. #15 glennda
    I believe back when Sims originally came out it was a recommendation that Sims sat in a separate Admin domain to the students.

    The only way I can see having a single forest would be good is in an Academy Federation, as mentioned above: having 1 forest but, say, each secondary school having its own domain.

    Having 2 forests and then multiple domains doesn't make sense personally in my head.

    But I also have a client spread all over the south east at 10 sites using a single domain and DFS replicating user data back to the HQ for backing up. A common data folder is then replicated between all sites.
