Educause Security Discussion mailing list archives

Re: Active Domain Architecture in an Academic Environment


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Tue, 28 Sep 2010 17:42:47 -0400

There are very few things that you'd need a separate forest for per se.
It doesn't mean it would be the wrong choice, but you have a lot of means
of managing security, roles and groups within a simpler design that may
more than suffice. I'd say, generally simpler is better to start with.
You can always add complexity later, but it's very difficult to relieve
yourself of complexity once you are built on it. You could consider
everything from multiple forests, to a single forest with multiple
domains, to single-domain multiple OUs, groups, etc. A lot depends upon
1) your desired security model, 2) your desired user and resource
management model, 3) your system management resources and expertise, 4) in
some cases geographic and perhaps even political dispersion of your
organization.

There are not many things that at most a single forest, multi-domain
model will not suit for on the more complicated end for an organization
that's largely a coherent entity. In many cases a single forest, single
domain will accomplish what you require via other means of management
below the domain itself (OUs, etc.). From a high level I'd start with
the single forest and single or multiple domains and prove why any of
those models won't work first.

D/C
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
In preparation for a migration from Novell, we are in the process of
designing a new Active Directory domain structure.  Right now we have
separate administrative (faculty and staff) and academic (classrooms and
students) networks.  We are debating whether to have a single forest
encompassing both networks (users and workstations) or a two-forest
architecture with the functions split.  We would like to hear what other
colleges have done.  Did you elect to implement one or two forests?  Why
did you choose that solution?  In retrospect, was that the correct
solution?  If not, why not?  Any information would be a great help. 
Thanks.

Patrick J. Feehan JD, CIPP
Director of IT Privacy & Cybersecurity Compliance
Montgomery College
(240) 567-3087
patrick.feehan () montgomerycollege edu



