Tags: active directory, dns, domain, windows 2003, windows 2008
#1
Place holder root domain advantage

I've been struggling with a domain design to choose. I've always read that it is best practice design to create an empty place holder root domain to hold the enterprise admin group and to hold the forest schema operations role. Then have another domain to hold all users/groups/computers. The alternative being one domain, that holds all of the above. There is obviously additional hardware costs associated with the empty place holder domain, but there isn't going to be much administrative overhead since the domain is going to be basically unused. What are the underlying reasons why the place holder root domain is setup and should this domain design be favored in a large enterprise organization vs the single domain model?
#2
Re: Place holder root domain advantage

You've stated the basic reasons. A place holder for the tree, offering a contiguous namespace, as well as hiding the EA and Schema Admins. In the past, back in the early 2000 days, it was the basic thinking to use an empty root. However, the design mentality of an empty root has changed with increased features and changes in 2003 security, or basically because of budget. So the most common designs are simply one domain unless you need across the pond or business partner migrated domains in a decentralized delegation. Keep in mind, you can protect a single domain design by keeping everyone else out of the Domain Admins group and use OU or specific delegation. I remember at one point when arguing about having an empty root or just one domain, that as a child domain admin, I was able to access certain parts of the containers using ADSI Edit and could have done damage for the forest. So why bother with the empty root? But like I said, security has changed. I remember you posted before about Exchange design concerns, but not sure if we discussed number of users and Sites, or other specifics for a directory service. How many users? Sites?
#3
Thank you Ace, that information is very helpful. We are presently planning our migration strategy to separate from our parent company and form our own independent company. We will be implementing Windows 2008 ADDS and migrating over approximately 800 user accounts and 900 Exchange mailboxes. I believe the present environment is Windows 2003 AD (running in 2000 native mode) with Exchange 2003. We will be forming 3 AD sites. One site will be for our corporate office location, one for our data center facility located offsite, and one for regional offices in another part of the country. We at present do not have any international presence but it is very likely we will. I've been questioning whether we need to have separate sites for our data center and corporate office, but they will be separated by a WAN link. I think for replication purposes and making sure users hit a DC on the subnet at corporate before trying to hit one at the data center we should have separate sites defined.

With this fairly simple break out and small number of users (we are expecting to almost double our size in about 2 yrs) would a single model domain make the most sense? If a user was a domain admin in this model, what prevents them from modifying attributes that can affect the whole forest rather than just the domain? This domain would hold the forest schema; would domain admins have access to make changes to that or only Enterprise Admins? Thanks Paul. What AD version prompted this best practice change?

I have a follow up question. Old best practice said to not use your routeable internet domain name as the domain for your forest root domain. Is that still a best practice or due to enhanced security does that no longer matter as well? Everything I've read, at least for older AD installations, says that a domain admin in a single forest root domain model could gain enterprise admin permissions and modify the schema and cause forest wide damage. I was hoping to avoid that security issue. Is that scenario even possible in AD 2008?
#4
This is no longer a recommended strategy. Microsoft now recommends to keep it as simple as possible with as few domains as your enterprise can use. If I recall correctly it started with the release of AD (2000). That is the recommended course strategy, but to be honest we don't follow that. I don't know if it was security related or just the fact you need to be able to manage DNS and not expose your internal boxes' IP addresses, which we do both. Any admin in a forest, if smart enough, can work to gain permissions to become an enterprise admin. Security boundaries are between forests.
#5
Re: Place holder root domain advantage

I would like to add about not using the same external name: it's less DNS administrative overhead of having to create shadow records internally so internal folks can access the external website, assuming it's hosted externally. Also a biggy is that internal folks cannot access an externally hosted site using the URL without the 'www' portion because that record gets registered by each DC in a domain. There are ways around it, but the truth of the matter comes back to the additional administrative overhead. As for a single domain, that's as secure as it's going to get even compared to having an empty root. Just keep control of your admin and admin rights.
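As an added example that is not part of the thread, a PowerShell check for the "keep control of your admin rights" advice above: it lists the members of the forest-wide privileged groups the empty-root design was meant to hide and flags anyone not on an expected list. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and the expected-member lists are constructed placeholders.

```powershell
# Added example, not from the thread. Audits the groups that carry
# forest-wide rights (Enterprise Admins, Schema Admins) and the root
# domain's Domain Admins, and reports members outside an allow-list.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain   # EA and Schema Admins live only here

# Expected members (constructed placeholders; tailor to your environment).
# Schema Admins should normally be empty outside a scheduled schema change.
$expected = @{
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()
    'Domain Admins'     = @('Administrator')
}

function Get-PrivilegedGroupAudit {
    foreach ($groupName in $expected.Keys) {
        # -Recursive expands nested groups so indirect membership is visible.
        $members = Get-ADGroupMember -Identity $groupName -Server $rootDomain -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        $unexpected = @($members | Where-Object { $expected[$groupName] -notcontains $_ })
        [PSCustomObject]@{
            Group      = $groupName
            Count      = @($members).Count
            Unexpected = ($unexpected -join ', ')
        }
    }
}

# Any non-empty Unexpected column is something to investigate.
Get-PrivilegedGroupAudit | Format-Table -AutoSize
```

Run it on a schedule and diff the output; membership changes to these groups are the forest-level events the thread is worried about.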
#6
Randy

Hi Randy, have you completed your project? Because right now I am having the same scenario.. If you completed this project can you guide me to implement it by providing the domain structure? I need to submit the proposal to the management.
#7
Re: Randy

There is no longer a recommended scenario to create an empty forest root. You should describe what you want to provide for your company and someone within this forum should be able to give you a starting point, but you will have to do some work for this yourself. You know your company much better than anyone else.
#8
Re: Randy

I completely agree. If Sankar read through the thread, my comments are embedded regarding how this mindset was from the early Windows 2000 days and is no longer followed nor recommended for any sort of security benefits, other than a namespace benefit (if that). Sankar, please read my comments in this thread (below in this post). After reading through it, describe your scenario such as how many users, locations, delegation requirements, have you acquired any companies and migrated them in, etc, to help. But all in all, as Paul said, any AD design is solely based on your company. There is no such thing as a cookie cutter design.
#9
Thank you for your responses

Firstly my thanks to Mr. Paul and Mr. Ace. (To be honest I didn't expect so quick a response :):):)) OK, here I would like to give a small overview about the current structure and future expected plan. This is for my customer.

Current scenario: Right now they have 5 sites (branches) (A, B, C, D, E) and each has its own forest. Site A is having 2 child domains respectively for 2 more branch offices. Each site is interconnected with a trust relationship (Windows 2003). The total number of users is nearly 1600. The funniest and strange thing is Site is having 300 active users and 750 security groups. And there are 350 more Group Policy settings. The same scenario will apply to all the branches. And another big issue is each site administrator is having a different opinion, which is really blocking any further implementation. So the customer decided to move everything to one centralized location (in DC) and they approached us.

Now I am proposing 3 domain scenarios. They are (*which also tells about the future plan):

Scenario 1: Multi-Domain Forest: <Root Domain> for ex: Root.com. Root.com --> A.Root.com, B.Root.com, C.Root.com, like that separate domains for each branch office.

Scenario 2: Single Domain Forest: Root.com. The branches will be classified by OU and each branch will have either an ADC (if we stick with W2K3) or an RODC (if we are going with W2K8).

Scenario 3: Single Domain Forest with empty root domain: Empty.com, Root.Empty.com (which will contain all resources). The branches will be classified by OU and each branch will have either an ADC (if we stick with W2K3) or an RODC (if we are going with W2K8).

Sorry for too long data.. guide me with your suggestion. The WAN connectivity will not be a bottleneck since each branch is connected with a 100mbps MPLS cloud. My only concern is about where to put file servers and DHCP servers and other application servers. We are also finding a solution for centralizing Citrix servers, so the printing solution will be taken care of by Citrix (I hope).
#10
Re: Thank you for your responses

I will tell you the most difficult piece you will experience is the political acceptance of the new topology. Unclear as to why there are so many different forests, but you will have to get the support from the head of the corporation to get this done. People will do whatever it takes (from my experience) to not lose control of what they already have.

My suggestion: Deploy a Windows 2008 or Windows 2008 R2 single domain forest. You have plenty of bandwidth, so you should be able to use Active Directory Integrated DNS and each site should be able to host their own DHCP server. With a single domain model, you should be able to deploy DCs at each site and delegate the local administrator control over an OU of their branch. If they have separate password policies, with 2008 or 2008 R2 you can leverage Fine Grained Password Policies, so that should help with that argument as well. I would STRONGLY urge you to not let any of the remote sites be a domain or forest admin. I would even consider using Read Only DCs at the remote sites if you can't get the DCs in a safe and secure location.

With Group Policy you should be able to rein in some of the policies it sounds like are currently being used. Not sure how many policies you have, but with 350 settings that has to be 10+ policies and I'm guessing it is probably closer to 50. At 4 meg per policy and if you have 50 GPOs that is 200 meg being shipped around in templates alone. GPOs in 2008 get control of the template issue and if you have a Microsoft Software Assurance (SA) agreement you can use the Advanced Group Policy Management for GPO change management. With SA you also can use Application Virtualization (APP-V), something you should look at if you are having Citrix issues. We have almost eliminated terminal services with APP-V within our organization and there is zero license cost to use it.
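The single-domain layout the reply above recommends, as an added PowerShell example that is not part of the thread: one OU per branch, a branch admin group delegated over that OU only (no Domain Admins membership), and a Fine Grained Password Policy for each branch's users. Branch names, group names and policy values are constructed placeholders; it assumes the ActiveDirectory module, the dsacls tool from the AD DS tools, and a Windows Server 2008 domain functional level (required for FGPP).

```powershell
# Added example, not from the thread: per-branch OU, delegated OU admins,
# and a per-branch password policy in a single-domain forest.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName   # e.g. DC=root,DC=com (placeholder)
$netbios  = $domain.NetBIOSName
$precedence = 10                        # lower number wins if PSOs overlap

foreach ($branch in 'A', 'B', 'C') {    # constructed branch names
    $ouName = "Branch$branch"
    $ou   = New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
              -ProtectedFromAccidentalDeletion $true -PassThru
    $ouDN = $ou.DistinguishedName

    # Branch admins are a plain global group; they are deliberately NOT
    # added to Domain Admins, which stays under central control.
    $admins = New-ADGroup -Name "$ouName-OUAdmins" -GroupScope Global `
                -Path $ouDN -PassThru
    $users  = New-ADGroup -Name "$ouName-Users" -GroupScope Global `
                -Path $ouDN -PassThru

    # Delegate full control of the branch OU subtree (/I:T = this object
    # and all child objects) to the branch admins, and nothing outside it.
    $grant = "${netbios}\$($admins.SamAccountName):GA"
    dsacls $ouDN /I:T /G $grant

    # Branch-specific password policy, applied only to the branch users group.
    New-ADFineGrainedPasswordPolicy -Name "$ouName-PSO" -Precedence $precedence `
        -MinPasswordLength 12 -ComplexityEnabled $true `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90)
    Add-ADFineGrainedPasswordPolicySubject -Identity "$ouName-PSO" -Subjects $users
    $precedence += 10
}
```

Placing a branch's RODC computer account and local admins inside that branch's OU keeps the delegation boundary and the physical-security concern in the same place.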
#11
Re: Place holder root domain advantage

Everyone, I just wanted to add that this is still a highly recommended path from Microsoft. I read above in other posts that it was not, so I started to read the Windows 2008 AD Resource Kit. The resource kit states that if you are using a forest with multiple domains that it is "strongly" recommended to also use an empty root. This is listed on page 215 under "Best Practices". I am not trying to start a flaming war, but I wanted to make sure other readers fully understand Microsoft's approach to this. Thanks....