Best Practice Active Directory Structure/Design [message #162117] Thu, 15 October 2009 05:33
Tal (Israel)
Messages: 11
Registered: September 2009
Junior Member
Hello,

We are in our organization discussing different architectures for Active
Directory.

Our organization has about 65 sites across the country.

I am wondering what would be the best solution: 1 domain for all the sites
or one domain per site.

Could you help us in this investigation?

What are the pros and cons of both solutions in this area?

Thanks in advance
Re: Best Practice Active Directory Structure/Design [message #162118 is a reply to message #162117] Thu, 15 October 2009 05:40
meiweb (Germany)
Messages: 2225
Registered: September 2009
Senior Member
Hello Tal Bar-Or,

If you don't have a need for a real security boundary, which requires a separate
forest, I would use a single forest domain with one, better 2, DC/DNS/GC
in each site and create OUs for each site with the user/computer accounts.
This way you can delegate administration to site admins without making them
domain admin also.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Best Practice Active Directory Structure/Design [message #162122 is a reply to message #162117] Thu, 15 October 2009 08:54
rlmueller-nospam (United States)
Messages: 292
Registered: July 2009
Senior Member

As noted, one domain makes sense, unless security policy requirements
dictate more (but certainly not 65). The bigger question is how to design
your OUs. An obvious solution is one OU per site. Each OU can have separate
group policy. Another option would be OUs for organization functions, like
sales or engineering or accounting. You can still have 65 Site objects in
AD. Group policies can also be applied to sites. In general, it is best to
minimize the number of domains.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
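
The layout suggested in the two replies above (one domain, one OU per site, administration delegated to site admins who are not domain admins), sketched in PowerShell as an added example that is not from any poster in the thread. The `Sites` OU, the site names and the `<site>-Admins` groups are assumed names; the script relies on the ActiveDirectory module and `dsacls`.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module, run by a domain admin;
# the "Sites" OU, site names and "<site>-Admins" group names are hypothetical.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDn   = $domain.DistinguishedName
$parentDn = "OU=Sites,$rootDn"
$sites    = 'Site01', 'Site02', 'Site03'   # constructed sample, one entry per site

# Parent OU holding every site OU. Nothing is delegated on it, so the admin
# groups stored here cannot be edited by the site admins themselves.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Sites'" -SearchBase $rootDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Sites' -Path $rootDn
}

$report = foreach ($site in $sites) {
    $ouDn    = "OU=$site,$parentDn"
    $group   = "${site}-Admins"
    $trustee = "$($domain.NetBIOSName)\$group"

    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$site'" -SearchBase $parentDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $parentDn
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope DomainLocal `
                    -GroupCategory Security -Path $parentDn
    }

    foreach ($type in 'user', 'computer') {
        # CC/DC: create and delete objects of this type in the site OU tree.
        dsacls $ouDn /I:T /G "${trustee}:CCDC;$type" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls CCDC failed for $ouDn ($type)" }
        # GA scoped to the object type: full control of those objects only.
        # Swap in narrower rights here if site admins need less.
        dsacls $ouDn /I:S /G "${trustee}:GA;;$type" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls GA failed for $ouDn ($type)" }
    }

    # Read the ACL back so the delegation can be reviewed, not just assumed.
    (Get-Acl "AD:\$ouDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $trustee } |
        Select-Object @{ n = 'OU'; e = { $ouDn } }, IdentityReference,
                      ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}
$report | Format-Table -AutoSize
```

The final table should show only the site group's own ACEs on its own OU; an entry on any other OU, or on the domain root, means the delegation leaked beyond the site.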
Re: Best Practice Active Directory Structure/Design [message #162128 is a reply to message #162118] Thu, 15 October 2009 15:39
Tal (Israel)
Messages: 11
Registered: September 2009
Junior Member
Thanks :-)
Re: Best Practice Active Directory Structure/Design [message #162130 is a reply to message #162117] Thu, 15 October 2009 16:19
Jorge Silva (Portugal)
Messages: 398
Registered: July 2009
Senior Member
Hi,
There's no "one solution fits all".
As others said, as a general rule 1 Domain/Forest should be enough to perform
the job, but there are other things to consider: OU Design model, Sites
Model, GPO, Management, Patching, Security, etc...

Before deciding anything, you should read some documents that MS has for
Active Directory Deployment/Design.
You can start here:
Best Practice Active Directory Design for Managing Windows Networks
http://technet.microsoft.com/en-us/library/bb727085.aspx
Planning an Active Directory Deployment
http://technet.microsoft.com/en-us/library/cc756178(WS.10).aspx

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.