Don't forget about Exchange 2000 in Active Directory design, part 2

Find out why Exchange 2000 design plays an important role in creating the best Active Directory model.

Think long and hard about the best Active Directory model for your organization. Do that, however, BEFORE deploying AD and Exchange 2000, said AD expert Ratmir Timashev. Changing your AD model a few months down the road can be tedious and time consuming.

Timashev concludes this series of articles on AD multi forest design by examining how to best set up multi forest environments and the messaging systems that go with them. In part one, he explained the problems administrators might have with a multi forest AD design in Exchange 2000. Timashev is president and CEO of Powell, OH-based Aelita Software.

SWM: What kinds of companies are most likely to setup a multi-forest environment?
Timashev:

Some companies, such as financial services, insurance, healthcare and government services organizations, may need to isolate parts of their directories to meet legal requirements or to comply with business practices. For them, it will be a necessary business expense.

SWM: How can administrators, then, set up a multi forest environment and its messaging system?
Timashev:

They should start with their AD design. First, they have to decide how to split their directories into several forests. Decentralized IT departments within a large corporation might consider separate forests to meet their individual IT needs. In addition, the most sensitive parts of the network --corporate, accounting, finance, R&D, etc. -- might be placed in a separate forest to guarantee the highest level of isolation and access control. To give users access to data in other forests, administrators create trust relationships between domains in the forests and use SID filtering, which is a mechanism that prevents the "Domain Trust" vulnerability from occurring between forests. This is a safe inter-forest collaboration setup.

Our Web site also has a free white paper on why SIDHistory is a security threat for those who would like more information. (www.aelita.com/adsecurity)

SWM: And the messaging system?
Timashev:

When you split the directory into several forests the main question you would have is whether the messaging system should be split too. In MF/SO you have a single Exchange organization shared by users from all the forests. In MF/MO each forest has an Exchange organization of its own. Having a single Exchange organization would allow for easier messaging system administration, as user collaboration and data replication is handled by native Exchange mechanisms.

However, multiple Exchange organizations are safer and easier to administer because administrators from each forest have their own Exchange organization. Another advantage is that this configuration does not require synchronization between the "account" forests and the "Exchange resource" forest. Unfortunately, in this case, data replication and user collaboration will be affected.

SWM: Which AD/Exchange design is best?
Timashev:

There is no "one size fits all" solution. Each organization must balance their administration and collaboration needs. However, I would expect smaller companies with a limited number of administrators to be more likely to select the single forest/single organization design. Larger organizations or organizations within certain vertical markets with unique isolation requirements are more likely to go multi forest.

Either way, enterprises need to consider the issues carefully before they make a decision. This is one of the most important steps in AD deployment. Changing the model when AD has already been deployed can be extremely painful. Each company should weigh the pros and cons of each model and decide which fits them best.

FOR MORE INFORMATION

Go back to part one.

Single forest vs. multi-forest Active Directory design

Top 10 Exchange management headaches

Dig deeper on Windows Operating System Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close