Active Directory - Organizational Units or Discrete Domains? 27
flosofl asks: "I work for a large (1,000+ emp.) company and will be in charge of its Active Directory implementation. Our company is in turn owned by a much larger corporation (15,000+ emp.), but we are for the most part autonomous in terms of managing our internal IT dept. Since the larger corporation has ADS in place, they want us to roll in as an OU in their domain (xxx.com). I want to be a child domain (yyy.xxx.com). The SAP portal relies on LDAP and we are told it would not work correctly with a multi-domain model. I on the other hand want total control over MY domain (yes, I know as a parent domain they could do what they want - the illusion is enough). My question is, has anyone been in this type of situation before? How did you resolve it, and did it work? I am worried I am reacting more from a 'you can't play with my toys' than a legitimate tech/business reason. I want to use the method that will work best (which may not be the one I want). Any comments would be appreciated."
OU (Score:5, Insightful)
Also, since you indicated that applications require you to use the OU model, you should use it.
Talk to the AD admins and get them to grant you administrative authority over everything within your OU. You might even be able to offload some of the more menial roles that you perform to the larger IT group.
be a tree in the forest (Score:4, Insightful)
Obviously if your Enterprise IT dept can't or won't do the schematic work required to create an AD Forest with multiple trees, or your vendor's can't or won't ship an SAP product that supports them, you are screwed and will end up as another OU in the AD.
Being a sub-domain in a single tree is just a bad idea all around for this circumstance - its not like you want to have a truely subordinate entity with local administration like a research lab or a test network.
Re:Future proofing (Score:2, Interesting)
Re:Future proofing (Score:1, Troll)
Bitter, but true. After all, we can only consider `us' (the unsinkable Microsoft) and `them' (the mysterious `them' that Microsoft employees and syncophants chant about killing during their rallies).
Off topic? But we're on SlashDot! (-:
Re:Future proofing (Score:2)
Re:Future proofing (Score:1)
Re:Future proofing (Score:1)
Re:Future proofing (Score:2)
Maybe [billparish.com]. If so, AD users will find themselves standing on thin air over a cesspit at the time. Either way, sooner ot later AD will be a dead end. Trust me on this one, Microsoft will obselete it one day, and force users into The Next Great White Hope<*>, whatevere that turns out to be.
He doesn't say that they're an all-Borg shop, or that
Flamebait? Oh, well... click... whoosh! (-: (Score:2)
take cluestick
weild cluestick
If that little piece of crackspeak were true, what are IBM doing supporting it? Why do Google use it exclusively? Why are Linux-based supercomputing clusters filling up the top 500? Why are Fortune 500s like Merryl Lynch contributing to it?
Thank you for playing, here's your gold-plated tie pin, now nick off.
Re:Flamebait? Oh, well... click... whoosh! (-: (Score:1)
Re:Flamebait? Oh, well... click... whoosh! (-: (Score:2)
The long and the short of it is: Windows is much more trouble to use than the others, so it keeps you in a job. You don't happen to have any tobacco farmers in your ancestry?
Re:Flamebait? Oh, well... click... whoosh! (-: (Score:1)
Re:Flamebait? Oh, well... click... whoosh! (-: (Score:2)
The illusion is NOT enough! (Score:5, Insightful)
Perhaps I am missing something, but it sounds like a really bad idea. It's of course technically possible to bridge the LDAP between two domains (or forests for that matter), but without more knowledge of the portals LDAP requirements -- and with full knowledge that in a subdomain your additional security is a façade anyway, I wouldn't bother.
Just my 2 cents.
AD OUs and Domains (Score:3, Informative)
You want to be part of their domain (Score:2)
It solved a lot of problems (users coming to our labs, our users going to other departments) and wound up being worth the hassle.
You will find cases where having a group-wide tree is more useful t
Re:You want to be part of their domain (Score:2, Interesting)
I had same concerns, too. (Score:2, Informative)
AD Design (Score:2, Informative)
All DC's in a domain have an exact copy of the AD structure and it needs to be replicated fairly often for the domain to function correctly. We decided to make a child domain overseas becau
Forests and Trees (Score:4, Informative)
Why this solution is Ideal...
1. You still own your domain, and have complete control as you always have.
2. The larger entity, also has control since they are higher up, any thing at their level can flow down to you as an integrated entity, if need be...
3. An OU's purpose is not to for containing entire subdivions of a company as your relationship seems to be...an OU is just that Organizational Unit...so you divide your domain up into the company departments with them....
4. This will become especially important for using SMS if you folks desire...particularly if you impliment SMS 2003, or whatever the next version beyond 2.0 ends up getting called since its heavily AD oriented...
Only other questions, e-mail me, we have been down all these roads here, and can probably provide insights if you wish...
Stay away from Child (Score:2)
Geographic vs. Logical (Score:3, Informative)
However, if you need different password policies, you need your own domain.
why another domain (Score:2)
- Need to have different password policies (these are only configurable at the domain level).
- Replication issues that cannot be handled through the site topology.
You don't really talk about what is being put in this OU, is it your users' accounts,