Domains/subdomains

I've inherited a small active directory where all domain administration has
been done at the subdomain level. For example, my domain looks like this:

companyusa.companyname.com

All nodes are members of companyusa and all work is done there. But I've
begun to wonder if the higher domain name (companyname) is something that
should be accessible to network administrators? Does it make sense that
when this active directory was set up, no accounts or work was ever done at
the top level?

Thoughts?

Thanks!

Mark,
Are you conveying that your root domain is currently not managed at all? If
so, that's certainly something you should resolve sooner rather than later.
What's the membership of Enterprise Admins and Schema Admins group? Which
domain do domain controllers hosting Schema Master and Domain Naming Master
roles reside in?

Marcin

"Mark" <mark@nospam.com> wrote in message
news:eNpxqMNKJHA.5692@TK2MSFTNGP04.phx.gbl...
> I've inherited a small active directory where all domain administration
> has been done at the subdomain level. For example, my domain looks like
> this:
>
> companyusa.companyname.com
>
> All nodes are members of companyusa and all work is done there. But I've
> begun to wonder if the higher domain name (companyname) is something that
> should be accessible to network administrators? Does it make sense that
> when this active directory was set up, no accounts or work was ever done
> at the top level?
>
> Thoughts?
>
> Thanks!

Mark:

My first thought would be that whoever set up AD did so with an empty forest
root domain. This is not uncommon, and there are reasons for doing that. See
http://technet.microsoft.com/en-us/l.../cc268205.aspx for some info on
this type of setup.

As long as you have the administrator password for the root domain, you are
fine. There's no need to logon to that domain or do administration, on a
daily basis. There will be times when you might need to make some changes at
that level, at which time you'll need to logon to it.

--
Regards,
Mel K, MCSA: M

"Mark" <mark@nospam.com> wrote in message
news:eNpxqMNKJHA.5692@TK2MSFTNGP04.phx.gbl...
> I've inherited a small active directory where all domain administration
> has been done at the subdomain level. For example, my domain looks like
> this:
>
> companyusa.companyname.com
>
> All nodes are members of companyusa and all work is done there. But I've
> begun to wonder if the higher domain name (companyname) is something that
> should be accessible to network administrators? Does it make sense that
> when this active directory was set up, no accounts or work was ever done
> at the top level?
>
> Thoughts?
>
> Thanks!

Years ago the recommended strategy was to set up an empty root domain. This
strategy has now been abandoned. There isn't anything wrong with what you
have but it is just one more domain to manage.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mark" <mark@nospam.com> wrote in message
news:eNpxqMNKJHA.5692@TK2MSFTNGP04.phx.gbl...
> I've inherited a small active directory where all domain administration
> has been done at the subdomain level. For example, my domain looks like
> this:
>
> companyusa.companyname.com
>
> All nodes are members of companyusa and all work is done there. But I've
> begun to wonder if the higher domain name (companyname) is something that
> should be accessible to network administrators? Does it make sense that
> when this active directory was set up, no accounts or work was ever done
> at the top level?
>
> Thoughts?
>
> Thanks!

Hello mark,

This is an older design structure. Today this is not longer used/recommended.
Basically you have one more domain, that's all.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've inherited a small active directory where all domain
> administration has been done at the subdomain level. For example, my
> domain looks like this:
>
> companyusa.companyname.com
>
> All nodes are members of companyusa and all work is done there. But
> I've begun to wonder if the higher domain name (companyname) is
> something that should be accessible to network administrators? Does
> it make sense that when this active directory was set up, no accounts
> or work was ever done at the top level?
>
> Thoughts?
>
> Thanks!
>

I agree with the responses that state the old recommendation was to use an
empty forest root domain. However, I do not agree that this is not longer
required/recommended. It is still recommended under certain circumstances.
My main point is that if an empty forest root domain exists in your forest,
there must be a reason for it. The reason can be as simple as someone was
following a previous best practice. However, you need to fully understand
your company’s forest design requirements to determine whether or not the
forest domain should be an empty domain. Here is a link that will aid you in
this: http://technet.microsoft.com/en-us/l.../cc730924.aspx. Also keep in
mind that requirements change over time.
At this point, you do not have much choice. The forest root domain cannot be
changed without scraping your current AD forest design.

--
John Policelli

Blog: http://johnpolicelli.wordpress.com

This posting is provided "AS IS" with no warranties and confers no rights!
Always test before proceeding.


"Meinolf Weber" wrote:

> Hello mark,
>
> This is an older design structure. Today this is not longer used/recommended.
> Basically you have one more domain, that's all.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I've inherited a small active directory where all domain
> > administration has been done at the subdomain level. For example, my
> > domain looks like this:
> >
> > companyusa.companyname.com
> >
> > All nodes are members of companyusa and all work is done there. But
> > I've begun to wonder if the higher domain name (companyname) is
> > something that should be accessible to network administrators? Does
> > it make sense that when this active directory was set up, no accounts
> > or work was ever done at the top level?
> >
> > Thoughts?
> >
> > Thanks!
> >
>
>
>