#1
intraforest migration - universal group questions
Hello, I am performing an intraforest migration where we will have one empty root domain .local (currently our only domain) and have several subdomains beneath this root. The subdomains are needed for different security requirements etc. Here are the steps:

1. Create subdomains for each of our regions.
2. They will have their own security policies, user rights assignments, auditing etc.
3. Subdomains also have their own replication, i.e. they will only replicate to DCs within their own subdomain and not to any domain. This can control replication.
4. The root domain will eventually be 'empty', i.e. only serve as a placeholder that contains only the root domain DCs, and these DCs will only replicate to each other and not to any subdomain DCs.
5. Add the subdomain info into RUS on the root Exchange 2003 server, so users in the subdomains can get emails.

With me so far?

So each subdomain has its own users, computers and printers, but still they can share distribution lists and security groups (universal security groups). If we choose the default security groups wisely, roaming users won't have any problem logging on in a different office.

My questions are:

1. Is it best to just convert all our groups into Universal groups so that a) all our users can log on to any office they visit while travelling and b) resources can be accessed from anywhere? We currently have one forest that is at both 2003 domain and forest functional level.
2. Would it be best to just leave these converted universal groups in the root domain, or move them to their respective subdomains? But only migrate the users over?
3. Is it required to run /domainprep when creating the subdomains? I suppose this is best done before promoting the server to AD?

Our setup isn't huge - we have about 24 sites around the globe which currently have less than 400 users total. We will be using ADMT v3 for migrating users.

But our main concern is roaming users being able to log on in another office etc. How can this be best accomplished given the above? Please advise.

Thanks,
Taz
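Before bulk-converting groups to Universal scope (question 1 above), a practitioner would first find out which groups AD will refuse to convert. The script below is an added example, not code from the thread or from Microsoft: it assumes the ActiveDirectory PowerShell module (RSAT) and a session with read rights on the source domain, and the OU path `OU=Groups,DC=corp,DC=local` is illustrative. It reports, per group, the blockers for a scope change, and only previews the conversion with `-WhatIf`.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (RSAT)
# and a session with read rights on the source domain; the OU path is illustrative.
Import-Module ActiveDirectory

# AD refuses Global -> Universal when the group is a member of another Global group,
# and DomainLocal -> Universal when the group contains a DomainLocal group.
# Report those blockers per group instead of discovering them one failure at a time.
function Test-UniversalConversion {
    param([Parameter(Mandatory)] $Group)   # an ADGroup fetched with -Properties MemberOf

    $blockers = @()
    switch ($Group.GroupScope) {
        'Global' {
            $blockers = @($Group.MemberOf |
                          ForEach-Object { Get-ADGroup -Identity $_ } |
                          Where-Object { $_.GroupScope -eq 'Global' } |
                          ForEach-Object { $_.Name })
        }
        'DomainLocal' {
            $blockers = @(Get-ADGroupMember -Identity $Group.DistinguishedName |
                          Where-Object { $_.objectClass -eq 'group' } |
                          ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
                          Where-Object { $_.GroupScope -eq 'DomainLocal' } |
                          ForEach-Object { $_.Name })
        }
    }
    [pscustomobject]@{
        Name              = $Group.Name
        DistinguishedName = $Group.DistinguishedName
        Scope             = $Group.GroupScope
        Convertible       = ($Group.GroupScope -eq 'Universal' -or $blockers.Count -eq 0)
        Blockers          = ($blockers -join ', ')
    }
}

$report = Get-ADGroup -Filter * -SearchBase 'OU=Groups,DC=corp,DC=local' -Properties MemberOf |
          ForEach-Object { Test-UniversalConversion -Group $_ }

$report | Format-Table Name, Scope, Convertible, Blockers -AutoSize

# Convert only the eligible ones. Leave -WhatIf in place until the report has been reviewed.
$report | Where-Object { $_.Convertible -and $_.Scope -ne 'Universal' } | ForEach-Object {
    Set-ADGroup -Identity $_.DistinguishedName -GroupScope Universal -WhatIf
}
```

Universal group membership is stored in the global catalog, so in a multi-domain forest a DC must reach a GC (or have universal group membership caching enabled for its site) to build a user's token at logon. For 24 small sites, GC placement rather than group scope alone is what decides whether a roaming user can log on in another office; with under 400 users the extra GC replication from universal groups is negligible.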

#2
Re: intraforest migration - universal group questions
Hello Taz1972,

Again: Please stop posting the same question again and again. If somebody here finds the solution for your problem or has advice for you, you will get an answer. Just posting the same question multiple times will not speed it up. If you have problems finding your posting, use a newsreader like Outlook Express to access the newsgroups and find them. All your postings are listed correctly and are readable.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

#3
Re: intraforest migration - universal group questions
Hi,
Please see inline:

> 1. create subdomains for each of our regions

Are you sure about this? This decision can significantly change your AD design, complexity, hardware requirements and admin work. Why a domain for each region?

> 2. they will have their own security policies, user rights assignments, auditing etc

You can define and delegate OUs where they can define their own settings, including those. DCs are a special situation, but to define security boundaries you need a new Forest, NOT a new domain.

> 3. subdomains also have their own replication, ie they will only replicate to DC's within their own subdomain and not to any domain. This can control replication.

Remember each DC must have a full replica of the schema partition, the configuration partition, its own domain partition, a partial replica of the other domains for local GCs, and perhaps some application partitions within AD. Regarding replication, you're not avoiding anything: at least one DC must replicate with other DCs in other domains to get that info, and of course they'll replicate it to the other closest DCs; in the end EVERY DC gets the necessary info to perform its job. If you KILL the replication, or if you do NOT allow replication for a given DC or set of DCs, those DCs will be dead for the forest when the tombstone lifetime expires.

> 4. the root domain will eventually be 'empty' ie only serve as a placeholder that contains only the root domain DC's, and these DC's will only replicate to each other and not to any subdomain DC's.

And that domain will be one of the most important ones: if you lose that one, you'll lose the entire forest. You should have at least 2 DCs or more for that one, the same thing for the child domains... Now start counting...

- Active Directory domains, unlike Windows NT domains, are always part of a forest, and they are not themselves the ultimate security boundary. For Windows 2000 and later networks, though, domains are the boundaries for administration and for certain security policies, such as password complexity and password reuse rules, which cannot be inherited from one domain to another. Each Active Directory domain is authoritative for the identity and credentials of the users, computers, and groups that reside in that domain. However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain.

> 5. Add the subdomain info into RUS on the root exchange 2003 server, so users in the subdomains can get emails.

Yep, subdomains should have their domain prepared for Exchange extensions, another thing that you could avoid if you had a single domain. Remember, you're talking only about Exchange, but when you start with other app requirements and forest-wide changes things may start to become more complex, not to mention more admin work, hardware, etc...

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Taz1972" <Taz1972@discussions.microsoft.com> wrote in message news:B433FF7E-4872-4D4A-B540-6B3C1B632981@microsoft.com...
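The reply above makes two checkable claims: every DC carries the schema and configuration partitions plus its own domain partition (and GC partial replicas), and a DC cut off from replication for longer than the tombstone lifetime is lost to the forest. The script below is an added example, not Jorge's or the thread's code: it assumes the ActiveDirectory PowerShell module, read access to the configuration partition, and `repadmin.exe` on the path, and it lists the partitions each DC in the forest actually hosts next to the forest's tombstone lifetime, then summarises replication health so you can see which DC is closest to that limit.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module,
# read access to the configuration partition and repadmin.exe on the path.
Import-Module ActiveDirectory

function Get-DcPartitionReport {
    # tombstoneLifetime lives on the Directory Service object in the config partition.
    # When the attribute is absent (forests created before Windows Server 2003 SP1)
    # AD uses the 60-day default.
    $rootDse  = Get-ADRootDSE
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
    $tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

    # Walk every domain in the forest; each DC reports the naming contexts it holds,
    # which is why "only replicate within the subdomain" cannot work as stated.
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                Site          = $dc.Site
                GlobalCatalog = $dc.IsGlobalCatalog
                Partitions    = ($dc.Partitions -join '; ')
                TombstoneDays = $tsl
            }
        }
    }
}

Get-DcPartitionReport | Format-Table -AutoSize

# Per-DC largest replication delta and failure counts across the forest.
repadmin /replsummary

# Inbound partners per partition; filter to the ones that have not succeeded recently.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Number of Failures' -ne '0' } |
    Format-Table 'Destination DSA', 'Naming Context', 'Source DSA', 'Last Success Time', 'Number of Failures' -AutoSize
```

Compare the `Last Success Time` column against `TombstoneDays`: a DC whose partitions have not replicated inbound within that window should be demoted and re-promoted rather than reconnected, because reconnecting it reintroduces objects the rest of the forest has already garbage-collected.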

#4
Re: intraforest migration - universal group questions
I absolutely agree with Jorge. In future, if you want consistency across all your domains, it will be a challenge; every task you perform will have to be performed at least 3 or 4 times (in each domain). Also the MS best practice to use an empty root domain and subdomains - I would say it's outdated; nowadays bandwidth cost has significantly decreased, and other factors have also changed. I would really consider using a single domain, and use other methods for security, delegation etc. Win2K8 is coming with pretty good features like RODC etc. - may be a good opportunity for you.

rgds