Active Directory - Organizational Units or Discrete Domains?
flosofl asks: "I work for a large (1,000+ emp.) company and will be in charge of its Active Directory implementation. Our company is in turn owned by a much larger corporation (15,000+ emp.), but we are for the most part autonomous in terms of managing our internal IT dept. Since the larger corporation has ADS in place, they want us to roll in as an OU in their domain (xxx.com). I want to be a child domain (yyy.xxx.com). The SAP portal relies on LDAP and we are told it would not work correctly with a multi-domain model. I on the other hand want total control over MY domain (yes, I know as a parent domain they could do what they want - the illusion is enough). My question is, has anyone been in this type of situation before? How did you resolve it, and did it work? I am worried I am reacting more from a 'you can't play with my toys' than a legitimate tech/business reason. I want to use the method that will work best (which may not be the one I want). Any comments would be appreciated."
Or at least let them know that domain-component directory hierarchies are stupid++. And don't stop with LDAP, go with X.500 as your core directory service system and hang an LDAP front end on it for clients that need it. It's a damn shame MSFT embraced and extended directory services (along with Kerberos), having had no interest or input into naming schema until it was time to extend their monopoly. Never mind years of work that was already in place; obviously MSFT ActiveDirectory was so important and ground-breaking it had to have its own namespace.
AD doesn't allow for the same kind of delegation that NDS does. In NDS, the root admin can actually make a portion of the tree that he has no rights to, can't get back, and possibly not even see. Under AD, the top-level admins can ALWAYS somehow take ownership.
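Added example (editor's code, not from the original thread or any of its posters) illustrating the OU-delegation model the last comment contrasts with NDS: it creates an OU for the subsidiary, grants a delegated admin group full control over it, then reads the ACL back to show what the parent domain keeps. The domain, OU name and group name are hypothetical, the script assumes the ActiveDirectory PowerShell module on a domain-joined machine with rights to create objects, and it is meant to be run in a lab, not against production.

```powershell
# Added example, not part of the original discussion. Names below are hypothetical.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName   # e.g. DC=xxx,DC=com (parent domain)
$ouName     = 'YYY'                              # hypothetical OU for the subsidiary
$adminGroup = 'YYY-OU-Admins'                    # hypothetical delegated admin group
$ouDN       = "OU=$ouName,$domainDN"

# 1. Create the OU and the group that will administer it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security -Path $ouDN

# 2. Grant the delegated group GenericAll on the OU, inherited by every child object.
$sid = (Get-ADGroup -Identity $adminGroup).SID
$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Read the ACL back. The delegated group now has full control, but the OU is
#    still owned by the parent domain's administrators, and the ACEs inherited
#    from the domain head (Domain Admins, Enterprise Admins) are still present.
$acl = Get-Acl -Path "AD:\$ouDN"
"Owner: $($acl.Owner)"
"Inheritance blocked: $($acl.AreAccessRulesProtected)"
$acl.Access |
    Where-Object { $_.IdentityReference -like '*Domain Admins*' -or
                   $_.IdentityReference -like '*Enterprise Admins*' -or
                   $_.IdentityReference -like "*$adminGroup*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The delegated group can manage users, groups and computers under the OU without being Domain Admins, which is the practical win the subsidiary's admin wants. What the script cannot do is the NDS-style "sealed" subtree: even if you later block inheritance on the OU and remove the inherited ACEs, the parent domain's administrators remain able to take ownership of the object, so the comment's point stands that within a single AD domain the delegation is a convenience boundary rather than a security boundary.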