Poll: One Domain or Two?!

  1. #31
    ChrisP

    Re: One Domain or Two?

    Agreed, but I don’t call 600 PCs + over 1,000 users a 'small' organisation.
    As much as I hate M$ the exams are aimed to reinforce best practices and the solutions most secondaries implement are most definitely enterprise level.

    You can quite legitimately have a need for two (or more) security realms and only a dozen users in each, it doesn’t have to be a multiple site setup at all.

    - SECURITY REALMS -
    That’s the point I was trying to make.

    I’m not saying that two/three/four domains are better than one, that would be evaluated at the design level.

    It’s just when people say you ONLY need one domain I can’t stop the little voice inside of me that starts screaming, THAT’S JUST NOT RIGHT. I can’t help feeling what these people actually mean is ‘I used to have two NT4 domains in the old days, now I only have one. Isn’t it great’


    ^^^ Please don’t read that as a confrontational post, it's not. I'm just trying to state the security principles behind our setup. We are an inner city school with our share of ‘challenging’ students. We also share our plot of land with one of the biggest universities in the area (paranoia mode cuts in when a group of computer science students with laptops start pointing at the wifi aerials lol.)

  2. #32
    eejit

    Re: One Domain or Two?

    Quote Originally Posted by webman
    BKGarry: There must be a better way. None of our staff need local admin rights for SIMS.
    He's almost right. SIMS 'can' work if the users are local Power Users, but you have to give them full control to a lot of local folders to work and even then it is hit and miss. Local Admin is the easiest way to do it :cry:

  3. #33

    GrumbleDook

    Re: One Domain or Two?

    You could always look at it that a single domain is as securable and usable as 2 NT4 domains on the same physical LAN.

    You could even say that for most institutes a single domain is perfectly acceptable with minimal security risks as long as some good practice is remembered (rules on password complexity / length / age as well as the use of elevated user accounts instead of always logging in as administrator to do everything!)

  4. #34
    ajbritton

    Re: One Domain or Two?

    But why have one domain when two is actually better?

    You can isolate SIMS and have greater flexibility with domain level security (password policies).

    If you have a single domain and it goes kaput, then that's your whole school system down for as long as it takes to fix it.

    The only argument that I've heard is that a single domain is 'easier' to manage or maintain. Why? Management is all done through ADUC or GPMC which can easily switch between domains.

  5. #35
    monkeyx

    Re: One Domain or Two?

    Quote Originally Posted by ajbritton
    You can isolate SIMS and have greater flexibility with domain level security (password policies).
    You can set password Security/GPO at an OU level as well as domain?

    Quote Originally Posted by ajbritton
    If you have a single domain and it goes kaput, then that's your whole school system down for as long as it takes to fix it.
    By having two domain controllers in a single domain you provide more resilience for that single domain, so if a single DC fails it is no big issue?

    I guess it's personal choice, but I think putting more money into a single domain instead of spreading it across 2, gives our school a more resilient and secure system.

  6. #36

    witch

    Re: One Domain or Two?

    Two domains here
    Actually completely unrelated, as the council maintain the admin side (I am not allowed to touch it) and the curriculum side is all mine.
    Some local schools seem to be integrating theirs into one, and the next authority along has just announced that it will no longer be supporting the admin network so they are going to have to move to one domain. What they do, eventually we do as well, so I expect one domain will come to me soon.
    If I have to support the admin side, with all that entails, I shall want more hours and more money!!

  7. #37
    thom

    Re: One Domain or Two?

    Over Easter we merged our Admin and Curriculum domains with great success.

    It has helped the teachers to share their information/resources with each other as well as introducing the concept of "file security" to our secretaries.

    Our domains were previously not connected to each other as the council blocked the trust so managing these was very complicated.

    Like monkeyx said, we can now put more money into making our single domain more resilient.

    P.S. We transferred 100 users and 60 PCs from admin to the existing curriculum domain already containing 1100 users and 450 devices

  8. #38

    Norphy

    Re: One Domain or Two?

    Quote Originally Posted by monkeyx
    You can set password Security/GPO at an OU level as well as domain?
    No. As I understand it, password policies are not user settings, they're machine settings. The users don't authenticate against the local machine, they authenticate against the DC. The DC holds the password policy and therefore you can only have one password policy per domain. You can't get round this restriction unless you use third party software.

    Quote Originally Posted by monkeyx
    By having two domain controllers in a single domain you provide more resilience for that single domain, so if a single DC fails it is no big issue?
    Depends on the DC that fails. If it holds the FSMO roles, you're pretty buggered until you can get them transferred. Still, at least you'd have another DC to transfer them to.

    Quote Originally Posted by monkeyx
    I guess it's personal choice, but I think putting more money into a single domain instead of spreading it across 2, gives our school a more resilient and secure system.
    I'm inclined to agree. It's also a damn sight less work.

  9. #39

    broc

    Re: One Domain or Two?

    We had two domains each with its own DC, and when SIMS Lesson Monitor was introduced we had a trust relationship between the two so that teaching staff logging onto the Curriculum domain could access SIMS resources on Admin. Our SMT & admin staff could log onto both domains, frequently did, and frequently lost track of where they had stored data, which passwords to use on which domain etc etc. Sharing resources between teaching staff & SMT was a problem because SMT often stored them on admin drives not accessible from curriculum, or complained when they had to log off from admin to access curriculum. As the school employed more and more support staff with greater dependencies on both admin & curriculum access things got progressively worse.

    It became apparent that in our environment a single domain with two DCs and SIMS on a dedicated server would better suit our way of working. It has been like that for almost three years now.

    I think the choice of 1 or 2 domains depends upon how you want to work and what best suits your end-users. Both have advantages & disadvantages, just make an informed decision

  10. #40
    ajbritton

    Re: One Domain or Two?

    Issues relating to saving things on drives that are not accessible to other users are nothing whatsoever to do with how many domains you have, they are simply to do with configuration or having more than one server.

    As long as the domains trust each other (implicit when the domains are in the same forest), rights can be assigned to users and groups from either forest, so the issue is really where the files are located, not who can be made to access them.

    There is nothing to stop users who have accounts on an 'admin' domain having access to folders on a server in the 'curric' domain and vice versa.

    As regards to resilience, it's easy enough these days to run a virtual DC as an additional domain controller to provide resiliency. How about this scenario for a small site;

    2 servers (call them A and C)
    - Server A is the DC for the admin domain
    - Server C is the DC for the curric domain

    Install VMware Server on both servers
    Install a virtual server on each server and make it an additional DC for the other domain (eg Server A hosts a VM which is a DC for the curric domain)

    That way you get 2 servers, 2 domains and resilience.

    I agree with broc about 'making an informed decision', but lots of people seem to think that 2 domains make it harder to share information and that is simply not the case.

    EDIT: As regards to logon issues, if both domains are in the same forest, then the 'user principal name' can be used, so that users don't have to worry about which domain they are logging on to. The UPN is unique throughout the forest.

  11. #41
    ajbritton

    Re: One Domain or Two?

    I should perhaps make it clear that I support a lot of primary schools. It's rather difficult enforcing a secure password policy on primary school teachers.

    ..and primary school kids as well of course

  12. #42
    monkeyx

    Re: One Domain or Two?

    I know that Longhorn is likely to allow multiple password policies.

    I am also aware of this article, but have never actually tried to test what it is suggesting.

    Would be interested to know if it works though. May try and give it a whirl on our test server.
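
The thread turns on two checkable facts: which password policy each domain enforces, and where the FSMO roles sit if a DC fails. The report below is an added example, not code from any poster. It assumes a Windows Server release newer than the setups discussed here, with the ActiveDirectory RSAT module installed and read access to every domain in the forest; it also counts fine-grained password policy objects, the per-group policies that arrived with Windows Server 2008 ("Longhorn").

```powershell
# Added example: per-domain password policy and FSMO placement report.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest

$report = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $name
    $dcs    = @(Get-ADDomainController -Filter * -Server $name)

    # Fine-grained policies (PSOs) need a Windows Server 2008 or later domain;
    # on older domains this simply yields an empty list.
    $psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $name `
                  -ErrorAction SilentlyContinue)

    # The three domain-wide FSMO roles. If one DC holds them all, its loss
    # stalls all three until they are transferred or seized.
    $holders = @($domain.PDCEmulator, $domain.RIDMaster,
                 $domain.InfrastructureMaster) | Sort-Object -Unique

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        MinLength         = $policy.MinPasswordLength
        Complexity        = $policy.ComplexityEnabled
        MaxAgeDays        = $policy.MaxPasswordAge.Days
        History           = $policy.PasswordHistoryCount
        LockoutThreshold  = $policy.LockoutThreshold
        FineGrainedPSOs   = $psos.Count
        DomainControllers = $dcs.Count
        FsmoHolders       = $holders -join ', '
        # True when there is no second DC to move the roles to.
        NoTransferTarget  = ($dcs.Count -lt 2)
    }
}

$report | Format-List

# Forest-wide roles exist once per forest, however many domains it has.
[pscustomobject]@{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List
```

Run against a two-domain forest, differing MinLength or MaxAgeDays rows show the separate security realms argued for earlier in the thread; in a single domain, a non-zero FineGrainedPSOs count shows per-group policies are in use.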


