In my environment, does a new Forest make more sense?


Marlon Brown

This is a school district environment,
3,000 staff accounts
15,000 student accounts

Students can't handle changing passwords very often. Staff is doing alright
with existing security policies, and I am planning to tighten them some more.

Question is this:
If I set up a child domain for students, that would give the two-way trust
relationship and that's simple to set up.
That said I thought I could take advantage of forest trust in Win2003. I
mean, if in the future I provide printers and servers dedicated for the
students, I think I could set a one-way trust relationship where
"STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
still access student resources safely.

The problem is that I have heard people saying that I should go with domains
instead of separate forests. Does anyone there have any negative experience with
FOREST management in Win2003?
Marlon Brown said:
This is a school district environment,
3,000 staff accounts
15,000 student accounts

Students can't handle changing passwords very often. Staff is doing alright
with existing security policies, and I am planning to tighten them some
more.

Sounds like a separate DOMAIN (not forest) based
on the above...
Question is this:
If I set up a child domain for students, that would give the two-way trust
relationship and that's simple to set up.

Yes. Sharing resources would be easier than
with a separate forest.
That said I thought I could take advantage of forest trust in Win2003. I
mean, if in the future I provide printers and servers dedicated for the
students, I think I could set a one-way trust relationship where
"STUDENTFOREST" trusts "STAFF_FOREST"; that way teachers and staff could
still access student resources safely.

If you know you wish to share resources it almost
certainly should be the same forest.

Very few people need separate forests.

The two classic reasons for separate forests are:

1) Different Schemas

2) Complete autonomy (separation of control/administration)
The problem is that I have heard people saying that I should go with domains
instead of separate forests. Does anyone there have any negative experience with
FOREST management in Win2003?

No, but if you are going to use the same schema and
are going to share resources anyway then it doesn't
make sense to have separate forests in most cases.

How many sets of admins? One set of admins pretty
much seals the issue for a single forest.

If it were separate companies (enterprises, etc.) or
the multiple sets of admins wanted complete separation
of control then two forests might make sense.
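Whichever way the decision goes, the two things the thread turns on (one password policy per domain, and the direction and transitivity of the trusts between staff and students) can be read straight out of the directory. The script below is an added example, not from either poster; it assumes a modern domain with the ActiveDirectory PowerShell module (RSAT) installed and a read-only account, and the domain names in comments are placeholders.

```powershell
# Added example: inventory domains, per-domain password policy, and trusts,
# so the "child domain vs. separate forest" choice can be checked against
# what is actually deployed. Assumes the ActiveDirectory module; domain
# names such as students.example.local are placeholders, not real values.
Import-Module ActiveDirectory

$forest = Get-ADForest

# In the pre-2008 design discussed in the thread there is exactly one
# password policy per domain, which is why students and staff would get
# separate domains. Show the policy of every domain in the forest side by side.
foreach ($domain in $forest.Domains) {
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $domain
    [pscustomobject]@{
        Domain           = $domain
        MaxPasswordAge   = $policy.MaxPasswordAge
        MinLength        = $policy.MinPasswordLength
        History          = $policy.PasswordHistoryCount
        Complexity       = $policy.ComplexityEnabled
        LockoutThreshold = $policy.LockoutThreshold
    }
}

# Trusts: an intra-forest (parent/child) trust is always two-way and
# transitive, which is the "easy sharing" the reply describes. A separate
# student forest would instead show an external or forest trust; for that
# case the defender wants to see Direction set to one way, SID filtering
# on, and ideally selective authentication enabled.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
        SelectiveAuthentication, SIDFilteringForestAware |
    Format-Table -AutoSize
```

Run it from a domain-joined host with read access to each domain; a MaxPasswordAge that differs between the staff and student domains confirms the per-domain policy split, and a non-IntraForest trust with Direction other than one way is the thing to revisit if the separate-forest route is taken.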