Active Directory Forest (archived 70-217 forum thread, October 2002)
williamfutrell

2002-10-23, 1:31 pm

Is it possible to implement multiple forest under one contiguous namespace?

I think it is, but all books and websites refer to forests only in a disjoint namespace.

Thanks
william
maxmax79

2002-10-23, 2:28 pm

Each tree in the forest will have its own disjoint namespace. So you can't have a "contiguous" namespace for one forest, let alone multiple forests.
williamfutrell

2002-10-23, 6:38 pm

The namespace is under DNS; it seems like AD wouldn't care as long as the DNS admin delegated authority for the zones.

Example:

school.edu (bind guys here)
chem.school.edu
phys.school.edu
eng.school.edu

If the physics dept wants its own forest, for security reasons, could they not create their own forest in the same contiguous namespace? Dcpromo gives this option when the server's DNS zone has been delegated.

I seem to be stuck on this idea.

Thanks in advance
william
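The delegation the post relies on can be checked from the physics side before and after Dcpromo. The following PowerShell is an added example, not code from the thread; the zone names, the name server dc1.phys.school.edu and the address 10.20.0.10 are assumptions, and it uses Resolve-DnsName (DnsClient module, Windows 8/Server 2012 and later) where the 2002 equivalent would have been nslookup. The BIND delegation records the parent admins would add are shown as comments, with the Windows DNS equivalent beside them.

```powershell
# Added example (not from the thread): verify that phys.school.edu is delegated
# out of the BIND-hosted school.edu zone and that the records Netlogon registers
# for a domain controller land in the delegated zone. All names are assumed.
#
# Parent side, in the BIND zone file for school.edu (delegation plus glue):
#   phys.school.edu.      IN NS dc1.phys.school.edu.
#   dc1.phys.school.edu.  IN A  10.20.0.10
#
# If the parent zone were on Windows DNS instead, the same delegation would be:
#   Add-DnsServerZoneDelegation -Name 'school.edu' -ChildZoneName 'phys' `
#       -NameServer 'dc1.phys.school.edu' -IPAddress 10.20.0.10

function Get-ZoneNameServers([string]$Zone) {
    # NS lookups also return glue A records in the Additional section; keep only NS.
    $answer = Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop
    @($answer | Where-Object Type -eq 'NS' | ForEach-Object NameHost | Sort-Object -Unique)
}

function Test-ForestDelegation {
    param(
        [string]$Parent = 'school.edu',
        [string]$Child  = 'phys.school.edu'
    )

    $parentNs = Get-ZoneNameServers $Parent
    $childNs  = Get-ZoneNameServers $Child
    if ($childNs.Count -eq 0) {
        throw "No NS records for $Child - the zone has not been delegated"
    }

    # 1. A real delegation answers from the child's own name servers. If the two
    #    NS sets are identical, phys is just a subdomain inside the parent zone
    #    and the BIND admins still control every record Dcpromo needs.
    $sameServers = -not (Compare-Object -ReferenceObject $parentNs -DifferenceObject $childNs)
    if ($sameServers) {
        Write-Warning "$Child is served by the same name servers as $Parent (no delegation)"
    }

    # 2. Domain-controller locator records must resolve under the child name.
    $locator = @(
        "_ldap._tcp.dc._msdcs.$Child",     # DCs for the domain
        "_kerberos._tcp.dc._msdcs.$Child"  # KDCs for the domain
    )
    $dcRecords = foreach ($name in $locator) {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV'
        if (-not $srv) {
            Write-Warning "$name not found: Netlogon has not registered into (or cannot update) the delegated zone"
        }
        $srv | ForEach-Object { "$name -> $($_.NameTarget):$($_.Port)" }
    }

    # 3. Global Catalog records are registered under the *forest root* name only.
    #    If phys.school.edu is its own forest root they exist under phys; if it is
    #    a child domain of the school.edu forest they live under school.edu instead.
    $gc = Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$Child" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'

    [pscustomobject]@{
        ParentNameServers = $parentNs -join ', '
        ChildNameServers  = $childNs -join ', '
        Delegated         = -not $sameServers
        DcLocatorRecords  = @($dcRecords)
        OwnGlobalCatalog  = [bool]$gc   # $true suggests a separate forest root
    }
}

Test-ForestDelegation | Format-List
```

Run it from a machine that resolves through the physics DNS servers; the `OwnGlobalCatalog` field is the quick tell for the question the thread is circling, because GC SRV records are only ever published under a forest root's name, never under a child domain's.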
neuralfx

2002-10-24, 5:52 am

Well, when you install it, yes, it gives you that option because the wizard doesn't know if the tree already exists or not. You could definitely install it that way, but it's not designed to be that way. It might work, as I'm not sure what the exact problem you would have is. Why not just make a separate domain under the same namespace?
-neural
williamfutrell

2002-10-24, 8:22 am

The reason for a separate forest under one namespace is so one dept, such as phys, can have its own Schema FSMO. I would like to know if the phys dept can have its own security boundary within the school's namespace.

Also, it seems that everyone thinks of forests as multiple disjoint namespaces, but the first domain tree created is by default in its own forest. By definition a forest is a grouping of ONE or more independent domain trees.

Thanks for your reply
william
maxmax79

2002-10-24, 8:34 am

A domain is a security boundary if you set up a root domain of
school.edu
and then set up the child domains
chem.school.edu
phys.school.edu
eng.school.edu
Each one of the child domains, as well as the root domain, would be a security boundary. Each one would have its own security policy for passwords, etc. Schema, on the other hand, is forest-wide, so all of these domains would share the same schema. This setup would be a tree and a forest. If you wanted to add another tree to the forest it would have to have a disjoint namespace.

Hope this makes sense
williamfutrell

2002-10-24, 9:09 am

With no transitive trusts and a separate schema, it seems like a forest is a security boundary.
maxmax79

2002-10-24, 9:46 am

That is true that a forest would be a security boundary, but in addition each domain is also a security boundary. Security policies are only in effect at the domain level, not the forest level. You would have to have different security policies for each domain in your forest even though they have a common schema.
williamfutrell

2002-10-24, 10:13 am

So getting back to my question, could I create a new forest root for the phys.school.edu domain? I could delegate the zone and start my forest root here, so why not two forest roots?

This will limit me to a single tree within the phys dept, but that should work.


thanks
cm2gj

2002-10-24, 11:52 am

quote:
Originally posted by maxmax79
Each tree in the forest will have its own disjoint namespace. So you can't have a "contiguous" namespace for one forest, let alone multiple forests.


agree.
in a forest the trees do this job.
jeff_j_black

2002-10-24, 11:11 pm

I think the best answer to this question is to do it, then tell us how/if it works the way you want it to.
williamfutrell

2002-10-25, 3:19 pm

Trial and error is probably the best answer. I will implement this in the lab to see if it's possible.

There could be unknowns down the road, this is my main concern.

thanks for the help!

william
jeff_j_black

2002-10-25, 3:32 pm

I think it can be done to a degree; I just don't know if it will serve your required or desired results. If you wanted any access between the two forests you'd have to establish external trusts and such. I wish I could dedicate that much time to this in my lab, but there are so many other questions I am working on...
williamfutrell

2002-10-25, 4:32 pm

Yeah, I know what you mean: too many questions, too little time.

Sometimes you must think outside the box in order to gain a global understanding. Often no one wants to challenge what they read, only memorize a bunch of facts. Learn by understanding, not by memory.

william
jeff_j_black

2002-10-25, 9:09 pm

Well, I like that you are going against the grain of the basic textbook definitions. I think it will work as long as the forest roots don't have the same DNS suffix. Like forest one would be forestone.com, with child domains test1.forestone.com, test2.forestone.com and test3.forestone.com. The root for forest two would be test4.forestone.com. I think that's what you're getting at, if I understand it correctly. Keep up the good work!
williamfutrell

2002-10-26, 3:13 pm

Yeah, that's what I would like to implement. The second forest root would not be very scalable, but would give that dept their own forest, and therefore schema control.

thanks for your help!

william
dwatts

2002-10-28, 8:18 am

I read through this, but I’m not sure I understand the answers. So I thought I’d give it a shot.

Firstly, things get easy when you stick to common terminology and common definitions. A forest exists, and domains and trees exist within a forest. A forest cannot include another forest. By definition, a forest is a single entity.

Therefore:

“Is it possible to implement multiple forest under one contiguous namespace?”

No.

“Each tree in the forest will have its own disjoint namespace.”

Not true – since they all lead back to a common root.

“school.edu (bind guys here)
chem.school.edu
phys.school.edu
eng.school.edu

If the physics dept wants its own forest, for security reasons, could they not create their own forest in the same contiguous namespace?”

The root here is EDU. Even though the namespace “appears” to be non-contiguous – the fact is, they ARE, in that they have the same root.

Now – the Physics department could indeed create their own forest with “phys.school.edu” as the name. Since this data is stored in a DNS zone of its own, this would only be a problem if you tried to store these records in the same zone file as another forest of the same name. In this instance, in the EDU root.

Put another way. I could install a forest called EDU on one machine. And then create a tree with the name: dwatts.edu beneath it.

I could then go to another machine and install a NEW root, called EDU. And then create a tree beneath it called dwatts.edu. As long as I did not try to put both of them on the Internet, this would work.

However, when we say “put them on the Internet”, what we are really doing is trying to store references to domains of the same name in a common root DNS server. That is what causes the issue: at that level they cannot both exist. On separate corporate LANs without net access, things would be fine.

“The reason for a separate forest under one namespace is so one dept, such as phys, can have its own Schema FSMO. I would like to know if the phys dept can have its own security boundary within the school's namespace.”

Yes, this can be done. You would simply create a trust between forests. It might cause issues though – Global Catalogs are not shared between forests, so searching is a pain in the rear.

“With no transitive trusts and a separate schema, it seems like a forest is a security boundary.”

User accounts and security objects do not exist at the forest level. They only exist at the domain level. Therefore, we say a domain is a security boundary.

“Could I create a new forest root for the phys.school.edu domain? I could delegate the zone and start my forest root here, so why not two forest roots?”

Yes – you could create a new forest root for phys.school.edu. However, delegating is unnecessary, since it is an entirely new forest and would have no connection at all with the DNS servers or user accounts in the first forest.

Don’t forget – DNS namespace and the AD namespace are actually different things. DNS only does name resolution – nothing else. While AD uses the same namespace (because it needs scalable name resolution) the connection between the two (DNS and AD) begins and ends there.

I doubt this helps –LOL--
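The posts above (maxmax79 on per-domain policy and the forest-wide schema, dwatts on domain versus forest boundaries and cross-forest trusts) can be checked against a live directory. The PowerShell below is an added example, not code from the thread, and assumes the domain names school.edu and phys.school.edu, a domain-joined workstation with the RSAT ActiveDirectory module, and read access to both directories. One caveat the thread does not settle: current Microsoft guidance treats the forest, not the domain, as the security boundary, because every domain in a forest is joined by transitive two-way trusts with no SID filtering, and whoever controls a domain controller in any domain can reach the rest of the forest. A child domain gives phys its own password policy and per-domain FSMO roles, but only the separate forest dwatts describes gives it a boundary, and a forest trust or external trust with SID filtering left on is then how the two talk to each other.

```powershell
# Added example (not from the thread): report whether phys.school.edu is a
# domain inside the school.edu forest or a forest root of its own, which FSMO
# roles are forest-wide versus per-domain, and what trusts link the two sides.
# Domain names and connectivity are assumptions.
Import-Module ActiveDirectory

function Get-ForestPosition {
    param(
        [string]$DomainDns,        # domain to classify, e.g. phys.school.edu
        [string]$ReferenceForest   # forest to compare against, e.g. school.edu
    )
    $domain = Get-ADDomain -Identity $DomainDns     # fails if the domain is unreachable
    $forest = Get-ADForest -Identity $domain.Forest

    [pscustomobject]@{
        Domain         = $domain.DNSRoot
        Forest         = $forest.Name
        IsForestRoot   = ($domain.DNSRoot -eq $forest.RootDomain)
        InSameForestAs = if ($forest.Name -eq $ReferenceForest) { $ReferenceForest } else { $null }
        ParentDomain   = $domain.ParentDomain
        ChildDomains   = $domain.ChildDomains -join ', '
        # Forest-wide roles: exactly one holder per forest, shared by every domain in it.
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        # Per-domain roles: each domain in the forest has its own holder.
        PdcEmulator        = $domain.PDCEmulator
        RidMaster          = $domain.RIDMaster
        # Password/lockout policy is set per domain (Default Domain Policy or fine-grained policy).
        PasswordPolicy     = (Get-ADDefaultDomainPasswordPolicy -Identity $DomainDns).MinPasswordLength
    }
}

function Get-TrustSummary([string]$FromDomain) {
    # IntraForest trusts are the implicit parent/child (or tree-root) trusts inside a
    # forest. Anything else is a forest trust (ForestTransitive = $true) or an external
    # trust to a single domain; for those, keep SID filtering at its default.
    Get-ADTrust -Filter * -Server $FromDomain | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Source
            Target        = $_.Target
            Direction     = $_.Direction
            IntraForest   = $_.IntraForest
            ForestTrust   = $_.ForestTransitive
            SidQuarantine = $_.SIDFilteringQuarantined
            Selective     = $_.SelectiveAuthentication
        }
    }
}

$schoolForest = Get-ADForest -Identity 'school.edu'
Get-ForestPosition -DomainDns 'phys.school.edu' -ReferenceForest $schoolForest.Name | Format-List
Get-TrustSummary -FromDomain 'phys.school.edu' | Format-Table -AutoSize
```

If `Forest` comes back as school.edu with `IsForestRoot` false, phys is the child-domain design maxmax79 describes and shares the school's schema master; if it comes back as phys.school.edu with its own `SchemaMaster`, it is the second forest root the thread is asking about, and the trust table (empty until someone creates a forest or external trust) is the only path between the two.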
Pavlov

2002-10-28, 9:02 am

dwatts - Excellent summation. I found your post to be very helpful and right on.
williamfutrell

2002-10-28, 11:33 am

Dwatts

Thanks for the explanation, it helped a lot! That's the kind of braindump I like to read.

william
jeff_j_black

2002-10-28, 5:19 pm

Dang!!! That was everything I wanted to say, but could not find the words!!!
dwatts

2002-10-29, 7:47 am

Thanks guys.

Oh yeah, I can talk --LOL--

Copyright 2003 - 2008 examnotes.net