DNS Config

Harold

I need help on convincing my boss on why we should set up
a network like below.

scaquarium.org
retail.scaquarium.org
admissions.scaquarium.org

She wants to set up everything such as below.
scaquarium.org
retail.org
admissions.org

She says that my way will cause more network traffic, and
allow everybody access to the retail and admissions
subdomains. She believes that my way people will have to talk
to scaquarium.org and then to retail.scaquarium.org, and
the same with admissions, if they need info from one of
those 2 subdomains.

I can't get her to understand that they are still separate
domains, just subdomains within scaquarium.org, and that it
goes retail then scaquarium, not the other way around.

We have an NT 4.0 domain now and are moving to W2K, and I would
like to set things up using the Microsoft way instead of with
paperclips and glue (see another post from me under file
systems).

Thanks,
Harold
 
Harold <[email protected]> posted the question above.
Then Kevin replied below:

It would certainly be a lot easier using your method, and a lot less
confusing.
Setting the domains up as your boss wants, if not done correctly, can make it
impossible to access resources in the other domains.
When using child domains, two-way trust between the child domains and their
parent domain is inherent. Network activity can be reduced by creating a
secondary DNS zone for the parent on each of the child DNS servers, then
making a child DC at each location a Global Catalog.
The parent DC would remain the Schema Master and the Naming Master. It would
be extremely important to have more than one DC in the parent domain, even
if only one holds all five FSMO roles. At least if one goes down and cannot
be recovered, you can seize the roles.

Using your boss's method, depending on how it is done, you could end up with
three separate forests, with no trust between them.
Here is a statement taken from an MCP test about this very subject:
"Some companies, such as the one in this question, need a single tree to
support their enterprise. All domains forming a tree or forest can share
their resources globally."
So the question is: does your boss want
1. One forest with one tree.
2. One forest with three trees.
3. Three forests with one tree each.

For most companies option one gives you much easier administration tasks,
because you have Enterprise Admins for the entire forest and Domain Admins
for each domain in the tree.
 
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
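The resolution path the two posters disagree about, as an added example that is not part of the thread: a toy iterative resolver in Python over constructed, in-memory zone data for the scaquarium.org tree Harold proposes (parent zone plus the retail and admissions child zones, each delegated by NS records with glue). Every hostname, nameserver name and IP address (192.0.2.x, 198.51.100.x) in it is a constructed placeholder, and it models only referrals, glue and caching, not TTLs or the wire format. It counts the queries a site's DNS server actually sends, both from a cold cache and when that server holds a secondary copy of the parent zone as Kevin suggests.

```python
"""Toy iterative DNS resolver over constructed, in-memory zone data.

Added example, not from the thread. All names, records and IP addresses
below are constructed placeholders for the scaquarium.org tree.
"""

# Zone apex -> owner name -> list of (type, rdata). An NS record at a name
# below the apex is a delegation; the A record beside it is the glue that
# the parent hands out in the referral.
ZONES = {
    ".": {"org.": [("NS", "a.org-servers.net.")],
          "a.org-servers.net.": [("A", "192.0.2.1")]},
    "org.": {"scaquarium.org.": [("NS", "ns1.scaquarium.org.")],
             "ns1.scaquarium.org.": [("A", "192.0.2.10")]},
    "scaquarium.org.": {
        "ns1.scaquarium.org.": [("A", "192.0.2.10")],
        "www.scaquarium.org.": [("A", "192.0.2.20")],
        "retail.scaquarium.org.": [("NS", "ns1.retail.scaquarium.org.")],
        "ns1.retail.scaquarium.org.": [("A", "198.51.100.10")],
        "admissions.scaquarium.org.": [("NS", "ns1.admissions.scaquarium.org.")],
        "ns1.admissions.scaquarium.org.": [("A", "198.51.100.20")],
    },
    "retail.scaquarium.org.": {
        "ns1.retail.scaquarium.org.": [("A", "198.51.100.10")],
        "pos.retail.scaquarium.org.": [("A", "198.51.100.11")],
    },
    "admissions.scaquarium.org.": {
        "ns1.admissions.scaquarium.org.": [("A", "198.51.100.20")],
        "tickets.admissions.scaquarium.org.": [("A", "198.51.100.21")],
    },
}

ROOT_SERVER = "192.0.2.254"  # constructed root hint

# Nameserver IP -> zones it is authoritative for (primary or secondary copy).
SERVERS = {
    ROOT_SERVER: ["."],
    "192.0.2.1": ["org."],
    "192.0.2.10": ["scaquarium.org."],
    "198.51.100.10": ["retail.scaquarium.org."],
    "198.51.100.20": ["admissions.scaquarium.org."],
}


def in_zone(name, apex):
    """True if absolute `name` lies inside the zone rooted at absolute `apex`."""
    return apex == "." or name == apex or name.endswith("." + apex)


def authoritative_answer(held_zones, name):
    """Emulate an authoritative server that holds `held_zones`.

    Returns ("ANSWER", [ips]), ("REFERRAL", (child_apex, [(ns, glue_ip)])),
    ("NXDOMAIN", None) or ("REFUSED", None).
    """
    apex = max((z for z in held_zones if in_zone(name, z)), key=len, default=None)
    if apex is None:
        return ("REFUSED", None)
    zone = ZONES[apex]
    labels = name.split(".")
    # Walk from the query name up towards the apex: the first NS record found
    # below the apex is a delegation cut, so the server refers instead of answering.
    for i in range(len(labels)):
        cut = ".".join(labels[i:]) or "."
        if cut == apex:
            break
        ns_names = [rd for t, rd in zone.get(cut, []) if t == "NS"]
        if ns_names:
            glue = [(n, a) for n in ns_names for t, a in zone.get(n, []) if t == "A"]
            return ("REFERRAL", (cut, glue))
    ips = [rd for t, rd in zone.get(name, []) if t == "A"]
    return ("ANSWER", ips) if ips else ("NXDOMAIN", None)


class Resolver:
    """Iterative resolver, i.e. what a site's DNS server does for its clients.

    `local_zones` are zones this server itself holds (primary or secondary);
    names inside them are answered with no network traffic at all.
    """

    def __init__(self, local_zones=()):
        self.local_zones = list(local_zones)
        self.cache = {}  # child apex -> nameserver IPs learned from referrals
        self.sent = []   # (destination IP, name) for every query put on the wire

    def lookup(self, name):
        """Return (ips or None, number of network queries this lookup needed)."""
        before = len(self.sent)
        known = dict(self.cache)
        known.update({z: ["local"] for z in self.local_zones})
        apex = max((z for z in known if in_zone(name, z)), key=len, default=None)
        targets = known[apex] if apex else [ROOT_SERVER]
        for _ in range(16):  # bounded walk down the delegation chain
            ip = targets[0]
            if ip == "local":
                kind, data = authoritative_answer(self.local_zones, name)
            else:
                self.sent.append((ip, name))
                kind, data = authoritative_answer(SERVERS[ip], name)
            if kind == "ANSWER":
                return data, len(self.sent) - before
            if kind != "REFERRAL":
                return None, len(self.sent) - before
            child, glue = data
            targets = [g for _, g in glue]
            self.cache[child] = targets  # next time, go straight to the child's NS
        return None, len(self.sent) - before


if __name__ == "__main__":
    cold = Resolver()
    print(cold.lookup("pos.retail.scaquarium.org."))  # root -> org -> parent NS -> child NS
    print(cold.lookup("pos.retail.scaquarium.org."))  # referral cached: child NS only
    retail_dns = Resolver(local_zones=["retail.scaquarium.org.", "scaquarium.org."])
    print(retail_dns.lookup("www.scaquarium.org."))  # answered from the secondary zone
```

Running the cold resolver and printing `cold.sent` shows the walk going root, .org, parent nameserver, child nameserver, in that order; the parent's nameserver is consulted only for the referral, only until that referral is cached, and the host scaquarium.org itself (192.0.2.20 here) is never contacted on the way to a retail or admissions name. A retail-site DNS server constructed with a secondary copy of the parent zone answers www.scaquarium.org with zero network queries, which is the traffic reduction Kevin describes; the same server without that secondary zone walks root, .org and the parent nameserver first.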

Then Ace replied:

Just to add, a domain is a separate entity, whether a child or not in the
same tree or a different tree. A domain is a "logical" boundary and a
"security" boundary. Each domain has its own security settings, such as
password and account settings, and these are separate from other domains.

Analogize a domain as your home on your street. You are the domain admin of
YOUR domain (home) only. A domain admin (of one domain, say it's your home)
cannot go into your neighbor's home and into the refrigerator to grab a
beer. The domain admin of the other domain (your neighbor's) needs to
specifically allow the other domain admin permissions into it. So to make
that work, you would follow the ADGLP (mixed mode) or ADDGLUUP (native),
where the domain admin of that domain (home) would add the domain admins of
your domain (home) to the Local Refrigerators Group. Then they give that
Local Refrigerators Group permissions to access the fridge.

Traffic between domains is minimal; only Config and Schema data (text-based
data only) is replicated between them. Replication between DCs within a
domain involves those two containers plus the DomainNC partition, which is
heavier traffic and includes some binary (blob) based data, such as user/group
and other domain-specific data (which has nothing to do with other domains,
since this stuff is domain specific).


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thank you both. This is some very good information that
I had forgotten myself since class.

Harold
 