Ah, the exciting world of cross-forest dogfood

The Windows group has its own domain (known as NTDEV for historical reasons) which operates separately from the domain forest operated by the Microsoft IT department. Various trust relationships need to be set up between them so that people on the Windows team can connect to resources managed by the Microsoft IT department and vice versa, but it generally works out okay.

There are some glitches, but that's the price of dogfood. What better way to make sure that Windows works well in a cross-forest environment than by putting the entire Windows division in its own domain separate from the rest of the company?

Subject: Newbie domain join question

My user account is in the REDMOND domain. Should I join my machine to the REDMOND domain or the NTDEV domain?

I was much amused by this cynical recommendation:

Subject: RE: Newbie domain join question

It's pretty simple, really.

If you want to have trouble accessing NTDEV resources, then join the REDMOND domain.

If you want to have trouble accessing REDMOND resources, then join the NTDEV domain.

Comments (17)
  1. mvadu says:

    I think people within Microsoft are trying to copy your style of answering Raymond..

  2. Joshua Ganes says:

    I wish that I had something more witty to say about this delightfully witty reply. Even though it seems a bit cynical, I believe that it really does highlight the impact of the choice squarely.

  3. What better way?

    Encourage people to join domains in random fashion.

  4. David Walker says:

    Switch domains every day, so that on even numbered days you are joined to one domain, and on odd-numbered days you are on another….  That should be implemented as a feature of the OS!

  5. Tanveer Badar says:

    Why restrict to one domain at a time in the first place? Run a VM and join that to the other lesser loved domain.

  6. Alex Grigoriev says:

    Why would a user be joining a domain by himself? He should not have privileges for that.

  7. Tim says:

    Alex, if we couldn't add and remove machines to the domain, how would we be expected to test functionality of an operating system we install once or more times a week?

  8. At one place I worked back in the NT4 days, one network admin I worked with (I was the other) liked to put every server in its own domain. Better security of course! I didn't work there very long…

  9. Chris says:

    So it's called NTDEV for historical reasons, is that to say it's the same domain since NT? upgraded through every version? or has it been recreated?

  10. cheong00 says:

    @Chris: I'd think DC upgrade is a scenario they won't miss for chance of dogfooding.

    I'd suspect they also have built an internal tool for schema cleanup.

  11. Nick says:

    By default, Active Directory allows domain users to join up to 10 computers to a domain.

    I'm sure this "feature" surprises quite a few domain administrators (myself included several years ago).

  12. alegr1 says:

    "Alex, if we couldn't add and remove machines to the domain, how would we be expected to test functionality of an operating system we install once or more times a week?"

    Maybe have your own test setups? As far as I heard MS IT is very very anal regarding security. Letting the users screw around with domain computers is not something I would expect there.

  13. cheong00 says:

    @alegr1: Except if these "users" are those who write AD infrastructure?

    It's like when your company's AD has a problem, your company's IT will call Microsoft support if they have support quota left. It's not unlikely that when the Microsoft IT department encounters a problem in AD, they'll call people working on AD infrastructure directly, and touch domain-level settings in the process.

    I don't know if they really have access or what, but even if they have access, I'd think it's quite understandable.

  14. cheong00 says:

    @alegr1: I agree that they shouldn't meddle with the actual domain they use daily, but testing setup is just a testing setup, it won't get the usage level (read "test coverage") of a domain server you actually use. So I think while maybe they don't do this often, they'd tweak it some time, especially if a new built is made. They have to make sure the basic functions work fine.

  15. cheong00 says:

    I mean new "build" of server.

  16. Worf says:

    @alegr1: That's probably why they have NTDEV as the domain rather than the standard Microsoft IT domain…

  17. Cynical says:

    Cross domain forests have existed for over 10 years. Hopefully this was a newbie email from your archives.
