Need some architecture advice Exchange 2010
I am spearheading a project where we are moving from Communigate to Exchange 2010. We have multiple business units, each with its own email domain and stand-alone AD. Our goal is to consolidate to a centralized AD while deploying Exchange. Each of the business units operates in a different market space, and we are operating under the guideline that users will only be able to browse AD objects of their own business unit. We need to effectively block users from browsing or exploring the other business units.

Here are the different scenarios we've been looking into (I am looking for feedback from users who have worked in these different environments):

1. Single forest, single domain
Pros: ease of management and account provisioning.
Cons: setting up permissions in AD to prevent business units from seeing each other is problematic at best. The one workaround I found was frowned upon in other MS boards: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/b9b1c1ee-408b-4db0-8b9e-6102497039a6
Difficult to customize the OWA experience.

2. Single forest, multiple domains, non-hosted Exchange
Disclaimer: I have a background working with Exchange 2003 and 2007 in a single forest, single domain model only. This is new ground, and my only exposure is what I have read.
From what I have read it should be possible to have a single forest and multiple domains. Host Exchange in the root domain for the different domains? Which is the better path to take: a discontiguous namespace with separate domain trees in the forest (BusinessUnit1.com, BusinessUnit2.com, etc.), or a contiguous forest where the domains are hierarchical, with UPN suffixes set up for the desired friendly user logon name?

3. Multiple forests with a dedicated Exchange forest
http://technet.microsoft.com/en-us/library/aa997312(EXCHG.65).aspx
While this model would work, it seems like a bit of overkill when each business unit has roughly 20-50 staff members. Plus the cost is a bit prohibitive. Account provisioning seems like it would take a bit more administrative time.

If anyone has real-world experience with this sort of setup, I would like to hear what your impression of this design is.

Fred Sawyer MCP
May 6th, 2011 1:22am

From the Exchange perspective, I think you can create different E-mail Address Policies for different business units. And GAL Segmentation can create "'virtual' organizations, with users only able to see the users they need to see."

James Luo
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 6th, 2011 11:18am
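The per-unit e-mail address policies and GAL segmentation that James refers to, written out as an added Exchange Management Shell example (not code from the thread). The unit names, SMTP domains and the use of the Company attribute as the membership key are assumptions; the block only creates the lists and policies, and which GAL a user actually sees still depends on the read permissions on the address list objects themselves.

```powershell
# Added example: one GAL, address list, OAB and e-mail address policy per
# business unit, keyed on the Company attribute of each recipient.
# Run from the Exchange 2010 Management Shell. Names/domains are hypothetical.
$units = @(
    @{ Name = 'BusinessUnit1'; Domain = 'businessunit1.com' },
    @{ Name = 'BusinessUnit2'; Domain = 'businessunit2.com' }
)

foreach ($bu in $units) {
    # OPATH filter that selects only this unit's recipients.
    $filter = "(Company -eq '$($bu.Name)')"

    # The unit's SMTP domain must be an accepted domain before a policy
    # can stamp addresses in it.
    New-AcceptedDomain -Name $bu.Domain -DomainName $bu.Domain -DomainType Authoritative

    # Separate GAL and address list for the unit; the filter decides membership.
    New-GlobalAddressList -Name "$($bu.Name) GAL"   -RecipientFilter $filter
    New-AddressList       -Name "$($bu.Name) Users" -RecipientFilter $filter -Container '\'

    # Offline address book built from that unit's address list only.
    New-OfflineAddressBook -Name "$($bu.Name) OAB" -AddressLists "$($bu.Name) Users"

    # Primary SMTP address first.last@<unit domain>; priority 1 keeps the
    # unit policies ahead of the default policy.
    New-EmailAddressPolicy -Name "$($bu.Name) Addresses" -RecipientFilter $filter `
        -EnabledEmailAddressTemplates "SMTP:%g.%s@$($bu.Domain)" -Priority 1
}

# Stamp addresses and populate the new lists.
Get-EmailAddressPolicy | Where-Object { $_.Name -like '* Addresses' } | Update-EmailAddressPolicy
Get-GlobalAddressList  | Where-Object { $_.Name -like '* GAL' }       | Update-GlobalAddressList
Get-AddressList        | Where-Object { $_.Name -like '* Users' }     | Update-AddressList
```

Recipients only land in a unit's lists once their Company attribute is set (for example with Set-User), so check a sample mailbox with Get-Recipient after the update cmdlets run.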

1. If the business wants to isolate security principals, then they really need to have their own forest for each business unit. However, I think this is overkill as you only have 25-30 in each unit. I think you should read up on AD and understand the differences between a forest and an OU, as I think you can achieve this by using OUs for each business unit.

2. From an Exchange view, as James has suggested, you can use GAL segmentation and Email Address Policies.

Sukh
May 7th, 2011 3:24pm

Sukh, thank you for the feedback. I have a pretty strong understanding of the difference between a forest and an OU. I originally tried to shoot for a single forest, single domain, with a top-level OU for each business unit that contained all appropriate AD objects for that business unit. The one catch I can't find a workaround for is blocking users from being able to freely browse AD objects of other business units. My boss specifically said we need to accomplish this. If a user creates a folder, goes to Properties, Security, Add, Advanced, Find Now, they end up with a list of all AD objects, including other business units that should be restricted.

I have played around with AD ACLs and tried to use Active Administrator to prevent the browsing ability, with no luck. An explicit deny ACL for a security group doesn't seem to block the browsing feature. Almost like it's the computer's account that does the browsing and not the user's. As mentioned earlier, removing "Authenticated Users" list and read rights seems to take care of the issue. In another forum it was said this would lead to negative repercussions at some point. Do you know of any way to prevent the user's ability to browse objects in other business units' OUs?

I also agree separate forests seem like a bit of overkill in cost and management for the small number of users we have. That's why I have been building test labs to test a single forest with multiple domains. I am trying separate domain trees as well as the child domain model to see if it's possible to set the trusts up as one-way from the root to the sub-domains, hopefully removing a user's ability to browse other business units' AD objects. Please share any recommendations, as I am willing to try them in my test lab.

Thanks for the support,
Fred Sawyer MCP
May 7th, 2011 9:11pm
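A way to check, rather than guess, which principals can enumerate each business-unit OU while experimenting with the ACL approach described above. This is an added example using the ActiveDirectory module, not code from the thread; the OU distinguished names and domain are hypothetical.

```powershell
# Added example: report every Allow ACE that grants read or list rights on a
# business-unit OU, and whether the forest runs in List Object mode.
# Assumes RSAT's ActiveDirectory module; OU paths below are hypothetical.
Import-Module ActiveDirectory

$buOUs = @(
    'OU=BusinessUnit1,DC=corp,DC=example',
    'OU=BusinessUnit2,DC=corp,DC=example'
)

# Rights that let a principal see objects inside the OU.
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListObject

# Broad principals that make an OU browsable by every domain user.
$broad = 'NT AUTHORITY\Authenticated Users', 'Everyone', '*\Domain Users'

function Get-OuReadAccess {
    param([string]$OU)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.ActiveDirectoryRights -band [int]$readMask) -ne 0) } |
        ForEach-Object {
            $id = $_.IdentityReference.Value
            [pscustomobject]@{
                OU          = $OU
                Principal   = $id
                Rights      = $_.ActiveDirectoryRights
                Inherited   = $_.IsInherited
                Inheritance = $_.InheritanceType
                # Flag ACEs that expose the OU to everyone, which is what
                # the "remove Authenticated Users" workaround is removing.
                BroadAccess = [bool]($broad | Where-Object { $id -like $_ })
            }
        }
}

$buOUs | ForEach-Object { Get-OuReadAccess -OU $_ } | Format-Table -AutoSize

# By default, List Contents on a parent is enough to see every child object.
# Only when the third character of dSHeuristics is '1' (List Object mode) is
# the per-object List Object right consulted, which is the supported way to
# hide objects without stripping Authenticated Users' read access.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
$h   = [string]$ds.dSHeuristics
"List Object mode enabled: $(($h.Length -ge 3) -and ($h[2] -eq '1'))"
```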

Hi.

1. This forum is really for Exchange and not AD. You will benefit from posting in the AD forum. There will be more resources around AD there than here. I'll post in that forum.

Thanks
Sukh
May 8th, 2011 11:41pm

Quote: "Do you know of any way to prevent the user's ability to browse objects in other business units' OUs?"

Please check if Delegate Control works for you, which should be able to remove one unit's Read permission from the other unit's OU. As I'm not an expert in the AD field, please consult the platform forum about this browsing restriction function, as Sukh said.

Resources: Delegate Control of an Organizational Unit

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2011 6:22am
