Hi,
From my understanding it used to be the case that the 'best practice' AD
design was to have a parent domain and then a child domain with users/groups
etc. due to issues with security boundaries separation.
Is it the case that now the classical design is to have one domain and to
have a delegated security model and to closely monitor and restrict group
membership to such groups as schema admins?
if yes, does anyone have any links to references for this view?
regards,
Bookmarks