Active Directory - Organizational Units or Discrete Domains?
flosofl asks: "I work for a large (1,000+ emp.) company and will be in charge of its Active Directory implementation. Our company is in turn owned by a much larger corporation (15,000+ emp.), but we are for the most part autonomous in terms of managing our internal IT dept. Since the larger corporation has ADS in place, they want us to roll in as an OU in their domain (xxx.com). I want to be a child domain (yyy.xxx.com). The SAP portal relies on LDAP and we are told it would not work correctly with a multi-domain model. I on the other hand want total control over MY domain (yes, I know as a parent domain they could do what they want - the illusion is enough). My question is, has anyone been in this type of situation before? How did you resolve it, and did it work? I am worried I am reacting more from a 'you can't play with my toys' than a legitimate tech/business reason. I want to use the method that will work best (which may not be the one I want). Any comments would be appreciated."
You would only really need another domain if the namespace needed to be different and/or you needed to upgrade in place a legacy domain without merging it with the parent domain. You could gain control over your OU and reset the ACLs on the OU so that only your OU administrators had access. Some things like domain admins, enterprise admins, and schema admins you would not have control over. To be honest, if you are not familiar with Active Directory then hand the responsibility of maintaining the domain controllers and the active directory databases over to a central group that will be focused on that task. Maintaining Active Directory is more like Exchange or SQL database management.
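The OU-delegation approach described in the comment above, as an added worked example that is not part of the original thread: it blocks ACL inheritance on the subsidiary's OU, grants a local admin group full control over it, and then lists which of the built-in privileged groups still hold rights on the OU. The OU name `OU=Subsidiary,DC=xxx,DC=com`, the group `Subsidiary-OU-Admins`, and the function names are assumptions for illustration; the cmdlets and .NET types are the standard RSAT ActiveDirectory module and System.DirectoryServices APIs.

```powershell
# Added example, not code from the original thread. Assumes the RSAT ActiveDirectory
# module is installed and that the caller already has rights to modify the OU's ACL
# (in practice a Domain Admin of the parent domain runs this once to delegate).
Import-Module ActiveDirectory

function Set-OuDelegation {
    param(
        [string]$OuDN,        # assumed, e.g. "OU=Subsidiary,DC=xxx,DC=com"
        [string]$GroupName,   # assumed, e.g. "Subsidiary-OU-Admins"
        [switch]$WhatIf
    )

    $acl = Get-Acl -Path "AD:\$OuDN"

    # Block ACEs inherited from the domain root so changes made above us do not
    # silently flow onto this OU. preserveInheritance=$true copies the currently
    # inherited ACEs as explicit ones, so nothing is lost in the switch-over.
    $acl.SetAccessRuleProtection($true, $true)

    # Full control (GenericAll) for the delegated group on the OU and everything below it.
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)

    if ($WhatIf) {
        Set-Acl -Path "AD:\$OuDN" -AclObject $acl -WhatIf
    } else {
        Set-Acl -Path "AD:\$OuDN" -AclObject $acl
    }
}

function Get-OuPrivilegedAces {
    param([string]$OuDN)

    # Show the ACEs that the parent domain's privileged groups keep on this OU.
    # Even if you removed these entries, Domain Admins are local Administrators on
    # every DC and can take ownership of the OU back, which is the "illusion of
    # control" the question acknowledges; leave them in place rather than fight it.
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference -match 'Domain Admins|Enterprise Admins|Administrators' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Usage (assumed names):
Set-OuDelegation -OuDN "OU=Subsidiary,DC=xxx,DC=com" -GroupName "Subsidiary-OU-Admins" -WhatIf
Get-OuPrivilegedAces -OuDN "OU=Subsidiary,DC=xxx,DC=com"
```

Run it first with `-WhatIf` to see the ACL that would be written, then without. The second function is the check to keep: after delegation the subsidiary's group has full control of its own subtree, while Domain Admins, Enterprise Admins and Administrators of the parent domain still appear in the ACL, which is exactly the division of control the comment describes.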
I would go the route of being a tree (or, as you put it, subdomain) within their active directory forest. If they built their AD correctly in the first place it should be a snap to make your NT Domain part of their forest. In fact it's even easier now with the release of Server 2003; it makes the whole relationship much more robust, and allows established domains to easily join the forest....
Why this solution is Ideal...
1. You still own your domain, and have complete control as you always have.
2. The larger entity also has control since they are higher up; anything at their level can flow down to you as an integrated entity, if need be...
3. An OU's purpose is not to contain entire subdivisions of a company, as your relationship seems to be... an OU is just that, an Organizational Unit... so you divide your domain up into the company departments with them....
4. This will become especially important for using SMS if you folks desire... particularly if you implement SMS 2003, or whatever the next version beyond 2.0 ends up getting called, since it's heavily AD oriented...
Any other questions, e-mail me; we have been down all these roads here, and can probably provide insights if you wish...
Power corrupts, absolute power corrupts absolutely, leaving one person (group) in charge is absolutely corrupt.