Re: multiple Domains under one domain or multiple forests under one forest

 
 
Paul Bergson [MVP-DS]
11-19-2009
I will mention that you need to be careful due to certain rules for
individual countries. Many years ago, when I had dealings internationally,
there were rules you had to follow when you crossed borders such as what you
refer to.

The biggest difference between the domain and forest is that the security
boundary is the forest, not the domain.
http://technet.microsoft.com/en-us/l...79(WS.10).aspx

Within 2003 and before, if you wanted to have separate password policies you
were forced into having separate domains; now, with 2008 and beyond, this is
no longer the case with FGPPs.
http://technet.microsoft.com/en-us/l...42(WS.10).aspx

If you have a single domain (as long as you can get by all the laws), it is
by far the easiest to maintain and the one I would recommend. You have to
be really good at not handing out admin authority, since you lose all
control, so will you be able to have a single (central location) management
style? You want to learn to delegate authority.
http://www.microsoft.com/downloads/d...DisplayLang=en

Multiple domains, with your Enterprise location being the root domain with
the Enterprise Admin control, would be your next best option. Trusts (2003
and beyond) are transitive, but you still have to deal with trust issues.
Forest trusts just add another level of complexity, but add needed security
as outlined above.

To define the standard, it is recommended to have as few forests and
domains as possible while keeping your Enterprise secure.



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Rush" <> wrote in message
news:461c7a0c-3543-41ed-8815-...
I have to research the scenario below.

Asia regional countries are in separate forests/single domains.
Europe has a forest and child domains. Europe is a separate system,
connected via WAN only.
Our proposal was to make one forest under Europe as ‘APAC’, and then we
will migrate the regional countries under the APAC forest into the appropriate
trees.
Europe proposed that instead of creating APAC, we migrate all the Asia
regional forests into one of the Europe domains.
As an example, migrate all Asia user accounts to the Germany domain under the
Europe forest. For me, putting every domain into one domain sounds messy;
for me, it should operate forest-wise under a main forest.

Can you please tell me what the pros and cons of the 2 proposals are, and
what the most suitable or standard way is?
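Paul's point about FGPPs is the one most worth seeing concretely. The following is an added PowerShell example, not code from the thread or from the linked TechNet pages: it defines one stricter password policy inside a single domain and binds it to a group, which before Windows Server 2008 required a separate domain. It assumes the RSAT ActiveDirectory module, a domain at the Windows Server 2008 domain functional level or higher, Domain Admins rights, and hypothetical names for the PSO, a global security group and a member user.

```powershell
# Added example (not from the thread): one domain, two password regimes via a
# Fine-Grained Password Policy (PSO) instead of a separate domain per regime.
# Assumes the RSAT ActiveDirectory module, a domain at Windows Server 2008
# domain functional level or higher, and Domain Admins rights. The PSO, group
# and user names below are hypothetical.
Import-Module ActiveDirectory

$PsoName    = 'PSO-APAC-Privileged'     # hypothetical PSO name
$GroupName  = 'APAC-Privileged-Users'   # hypothetical *global* security group
$SampleUser = 'jdoe'                    # hypothetical member of that group

# Baseline: what every account gets from the Default Domain Policy.
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain policy: MinLength={0} History={1} MaxAge={2}" -f `
    $default.MinPasswordLength, $default.PasswordHistoryCount, $default.MaxPasswordAge

# Create the stricter policy once. Lower Precedence wins when a user is covered
# by several PSOs; leave gaps between values so policies can be inserted later.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs bind to user objects and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Verify what actually applies to a member. A null result means the user falls
# back to the Default Domain Policy (wrong group scope, or not a member).
$resultant = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $resultant) {
    "No PSO applies to $SampleUser; the Default Domain Policy is in effect."
} else {
    "Resultant policy for {0}: {1} (MinLength={2}, MaxAge={3})" -f `
        $SampleUser, $resultant.Name, $resultant.MinPasswordLength, $resultant.MaxPasswordAge
}
```

Two checks matter in practice: the group must be a global security group (a universal or domain local group is silently ignored and the user keeps the default policy), and Get-ADUserResultantPasswordPolicy is the only reliable way to see which policy a given account ends up with once several PSOs exist.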



 
Paul Bergson [MVP-DS]
11-20-2009
Each country has its own rules. You would have to check with their state
department. I think things have somewhat relaxed over the past few years,
but I would check.

--
Paul Bergson
MVP - Directory Services

"Rush" <> wrote in message
news:b7c790ea-478d-4077-8354-...
Dear Paul,

Thank you so much for your detailed answer.
Your professional answer fills lots of empty spaces in my knowledge
regarding forest architecture. I will go through the links you sent
me, and I'm sure I can get many more details from them. I
have a clear vision now, thanks to you.

Do you know a website or link to check the rules that apply across
borders?





 
Ace Fekay [MCT]
11-21-2009
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:...

To add, I know, for example, that France and the US have different policies. At
one place I worked, with a global presence, we had to create a separate
domain in our forest for France. The same with England, Italy and China.
Those are just a few of the countries where we have a corporate presence. Each
domain has its own domain administrators, but we have control of the forest root
domain. A global policy existed but was customized and/or re-worded based on
individual countries. The legal department researched this heavily in order
to put together compliance, regulatory and other guidelines for each
country. We made the policies based on their research. The US location has
the forest root, which we controlled; in addition, there is a domain for US
users. We do not use the forest root for user or group accounts. It's an
empty root.

For Rush, I would suggest that the legal departments in each of your
company's countries pull their resources together to establish rules
based on each country's government laws, to come up with a working solution.
But all in all, I agree with Paul's assessment to basically create a single
forest, empty root design, with domains for each country, including a
separate domain for the corp office country.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

> Each country has their own rules. You would have to check with their
> state department. I think things have some what relaxed over the past few
> years, but I would check.




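Both replies rest on the same fact: the forest, not the domain, is the security boundary, so in an empty-root design whoever controls the root controls every country domain, and a compromised country domain can reach the root. The following added PowerShell example (not code from the thread) makes that visible: it lists the effective members of the root domain's forest-wide privileged groups, located by well-known RID so localised group names do not matter, and then lists the root domain's trusts with their SID filtering and selective authentication settings. It assumes the RSAT ActiveDirectory module from Windows Server 2012 or later (Get-ADTrust is not in the 2008 R2 module) and read access to the forest root; no object names are assumed.

```powershell
# Added example (not from the thread): audit who holds forest-wide privilege in
# an empty-root forest and how each trust of the root domain is configured.
# Assumes the RSAT ActiveDirectory module (Windows Server 2012+ for Get-ADTrust)
# and read access to the forest root domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
$rootDC = $root.PDCEmulator

"Forest root: {0}   Forest mode: {1}" -f $forest.RootDomain, $forest.ForestMode
"Domains in forest: {0}" -f ($forest.Domains -join ', ')

# Well-known RIDs under the root domain SID. Enterprise Admins and Schema Admins
# exist only in the root; the root's Domain Admins can seize both, so it counts.
$privilegedGroups = [ordered]@{
    'Enterprise Admins' = 519
    'Schema Admins'     = 518
    'Domain Admins'     = 512
}

foreach ($entry in $privilegedGroups.GetEnumerator()) {
    $sid     = '{0}-{1}' -f $root.DomainSID.Value, $entry.Value
    $group   = Get-ADGroup -Identity $sid -Server $rootDC
    # -Recursive expands nested groups, including members from child domains.
    $members = @(Get-ADGroupMember -Identity $group -Server $rootDC -Recursive)
    "{0} ({1}): {2} effective member(s)" -f $entry.Key, $group.Name, $members.Count
    $members | ForEach-Object {
        "    {0}  [{1}]  {2}" -f $_.SamAccountName, $_.objectClass, $_.distinguishedName
    }
}

# Trusts held by the root domain. Parent/child and tree-root trusts inside a
# forest are transitive and SID filtering is not applied to them, so a single
# forest gives shared administration, not isolation. Between forests, SID
# filtering (SIDFilteringForestAware for forest trusts, SIDFilteringQuarantined
# for external trusts) and selective authentication are the controls to verify.
Get-ADTrust -Filter * -Server $rootDC |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringForestAware, SIDFilteringQuarantined,
                  SelectiveAuthentication |
    Format-Table -AutoSize
```

Read the output against the design being debated: a long Enterprise Admins list, or members who live in a country domain, means the empty root is not actually empty of privilege; a cross-forest trust showing SID filtering disabled means the separate forest is no longer the boundary it was created to be.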
 
Ace Fekay [MCT]
11-24-2009
"Rush" <> wrote in message
news:7ca1b9ad-3644-4bde-91ae-...
> Ace,
> The countries you mentioned are in our list of major countries,
> which we are currently dealing with.
> So thanks to you guys, I know where to look, where to go and what to
> do, even idea-wise.
> Have a nice day. Appreciate it.


No problem. I would first suggest starting with legal, and working from there.

Good luck!

Ace



 