Parent-child domain concept

  • Hi,

    What are the benefits of having multiple domains in a forest (parent-child model)?

    I would like to know what the benefits are, apart from:

    1. Region-wise administration

    2. You can have different security policies (like password policies, etc.)

    Arun prasad O S
    Thursday, January 6, 2011 4:49 AM

All replies

  • In 2008 you can have granular password policies, so the policy thing doesn't apply anymore. If delegation is used religiously and not the default built-in admin groups, then having a single domain is ideal. Your constraints would be security (not for parent-child, but multiple forests with a resource forest for different apps), name branding, and, if you were a really big shop, limitations (although with 08 that's harder to hit) on the number of items for certain things, and possibly your replication traffic due to the number of DCs in the environment.
    Chris Morgan
    Thursday, January 6, 2011 5:24 AM
  • Here is an old thread. Refer to Marcin's and Meinolf's comments.

    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Twitter: @santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Thursday, January 6, 2011 5:26 AM
  • Separate business from one domain's users to another's, control replication traffic, etc.

    Child domain users can't log in to the parent domain, and forest-wide services can only be modified by an enterprise admin; even a domain admin can't make any changes to the parent domain or forest-wide settings.

    Security is greater by keeping critical roles on the parent domain, like schema master & domain naming master.

    Parent-child domains are basically used in scenarios where one business unit has to be segregated from another & to control the replication traffic arising during replication of changes.

    But managing parent & child domains requires deep knowledge, as you have to use various groups like domain local, global, and universal to assign permissions, etc.


    Awinish Vishwakarma | TA - DS/Exchange
    Thursday, January 6, 2011 8:38 AM
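    As an added illustration (not part of Awinish's post or any thread member's code), the following PowerShell lists which single DCs hold the two forest-wide roles the post mentions (schema master and domain naming master), the parent/child relationship between the domains, and who sits in the root-domain-only groups that are allowed to change forest-wide settings. It assumes the ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2) and a session that can read every domain in the forest.

    ```powershell
    # Added example: audit forest-wide vs. per-domain roles and forest-level admin groups.
    # Assumes the ActiveDirectory PowerShell module is available.
    Import-Module ActiveDirectory

    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Forest-wide roles exist exactly once, no matter how many domains the forest has,
    # and they live in the forest root domain.
    [pscustomobject]@{
        RootDomain         = $forest.RootDomain
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }

    # Per-domain roles and the parent/child tree. ParentDomain is empty for the root.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{
            Domain               = $d.DNSRoot
            Parent               = $d.ParentDomain
            Children             = ($d.ChildDomains -join ", ")
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
        }
    }

    # Enterprise Admins and Schema Admins exist only in the root domain; their members
    # can change schema and forest configuration in every domain, so they deserve review.
    foreach ($g in "Enterprise Admins", "Schema Admins") {
        Get-ADGroupMember -Identity $g -Server $root.PDCEmulator -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }
    ```

    Running this against a parent-child forest makes the post's point concrete: the child domain's Domain Admins group appears nowhere in the last listing, while the two forest-wide role holders are always DCs of the root domain.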
  • Hello,

    I can't see any benefit at the moment. Even regional administration can be handled with OU delegation for the required people doing administrative tasks.

    As also said, with fine-grained password policies you can also use different password/account lockout settings for security groups or users.

    To find a benefit for you, please describe more details about the domain you have to plan. Maybe it contains a major point that requires a parent-child solution.

    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, January 6, 2011 10:51 AM
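    Both Chris's and Meinolf's replies argue that the two benefits in the question (regional administration and different password policies) can be had inside a single domain. The following PowerShell, added here as an illustration and not taken from the thread or from any poster, shows both techniques: a fine-grained password policy (PSO) applied to one group, and OU-level delegation of password resets to a regional help desk using dsacls. It assumes the ActiveDirectory module, a domain functional level of Windows Server 2008 or higher (required for PSOs), and these hypothetical names: an OU called Houston, groups Houston-Admins and Houston-HelpDesk, and a user jdoe.

    ```powershell
    # Added example: stricter password settings for one group plus OU delegation,
    # both inside a single domain. Names below are hypothetical.
    Import-Module ActiveDirectory

    $domain     = Get-ADDomain
    $netbios    = $domain.NetBIOSName                 # e.g. CORP
    $regionOU   = "OU=Houston,$($domain.DistinguishedName)"
    $adminGroup = "Houston-Admins"
    $helpDesk   = "Houston-HelpDesk"

    # --- 1. Fine-grained password policy for the regional admin group only ---
    # When a user is covered by several PSOs the lowest Precedence wins.
    New-ADFineGrainedPasswordPolicy -Name "PSO-Houston-Admins" `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" `
        -MaxPasswordAge "60.00:00:00" `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow "00:30:00" `
        -LockoutDuration "00:30:00"

    # PSOs apply to users or global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Houston-Admins" -Subjects $adminGroup

    # --- 2. Delegate account management on one OU instead of handing out Domain Admins ---
    # /I:S  = apply the ACE to child objects of the OU
    # CA;<right>;user = control-access (extended) right on user objects
    # WP;<attribute>;user = write permission on one attribute of user objects
    dsacls $regionOU /I:S /G "${netbios}\${helpDesk}:CA;Reset Password;user"
    dsacls $regionOU /I:S /G "${netbios}\${helpDesk}:WP;pwdLastSet;user"   # force change at next logon
    dsacls $regionOU /I:S /G "${netbios}\${helpDesk}:WP;lockoutTime;user"  # unlock accounts

    # --- 3. Verify the result ---
    # Which policy actually governs a given user (PSO or the domain default)?
    Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

    # All PSOs in the domain and what they apply to.
    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo

    # The OU's ACL entries for the help desk group.
    dsacls $regionOU | Select-String $helpDesk
    ```

    The help desk group ends up with exactly three rights on user objects under the Houston OU and nothing elsewhere, which is the "delegation instead of built-in admin groups" model Chris describes; the resultant-policy check is the quickest way to confirm a PSO is really in effect for a user before relying on it.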
  • It's a fairly well-established consensus that different domains in a forest don't constitute security boundaries, so separating administrative privileges is hardly a reason to create multiple domains in the same forest (if you want to accomplish meaningful separation from the administrative standpoint, you would need to create separate forests).

    The same applies to different password policies, as Meinolf, Awinish, Chris, and Santhosh have stated.

    One possible reason for introducing multiple domains is minimizing the volume of replication traffic at locations with very limited/unreliable bandwidth, although even this argument is tenuous because it relies on the assumption that these locations will not have Global Catalogs present (and typically this is not a realistic expectation).


    Thursday, January 6, 2011 12:02 PM
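    The replication argument above turns on one fact about each site: whether it hosts a Global Catalog. As an added check (not part of the reply above and not code from any thread member), the following PowerShell enumerates every DC in every domain of the forest and reports, per site, how many DCs and how many GCs it has, so the sites where a separate domain could actually reduce replication (DCs present, no GC) stand out. It assumes the ActiveDirectory module and read access to every domain.

    ```powershell
    # Added example: find sites that hold DCs but no Global Catalog.
    Import-Module ActiveDirectory

    $forest = Get-ADForest

    # Get-ADDomainController -Filter * only returns DCs of one domain, so query each domain.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    # One row per site: DC count, GC count, and which domains have DCs there.
    $report = foreach ($site in $forest.Sites) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site })
        [pscustomobject]@{
            Site    = $site
            DCs     = $inSite.Count
            GCs     = @($inSite | Where-Object { $_.IsGlobalCatalog }).Count
            Domains = (($inSite | ForEach-Object { $_.Domain } | Sort-Object -Unique) -join ", ")
        }
    }

    $report | Sort-Object GCs, Site | Format-Table -AutoSize

    # Only these sites would see less replication from a separate domain; a site with a GC
    # replicates the partial attribute set of every domain in the forest anyway.
    $report | Where-Object { $_.DCs -gt 0 -and $_.GCs -eq 0 }
    ```

    If the last filter returns nothing, the forest already places a GC in every site with a DC, and the "less replication" justification for a child domain does not apply to it.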
  • Agree with the guys; a lot of consideration regarding manageability & investment has to be given thought, because creating multiple domains is not a big deal, but smooth running of services & being able to sort out issues easily during hiccups should be considered the way to a good design.



    Awinish Vishwakarma | TA - DS/Exchange
    Thursday, January 6, 2011 12:22 PM
  • The big difference I see is that the security boundary is the forest, not the domain. So you will have a more secure setup (you can't include forest trusts then) as long as you keep the two forests separate from one another.

    The schema can also be different; you can't do that if you have two domains in one forest.

    You can have two Exchange forests if you have two different AD forests; you can only have one Exchange forest per AD forest.

    You can have different password policies, but with 2008 and third-party apps this is no longer true (FGPP).


    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 6, 2011 1:03 PM