No announcement yet.

Single forest, one domain, multiple sub-domains

  • Filter
  • Time
  • Show
Clear All
new posts

  • Single forest, one domain, multiple sub-domains

    All DC's are 2003 server
    Model :Single forest, one domain, multiple sub-domains

    We are planning on switchting to this model.
    Who know or has experience in these questions ?

    1) Can you deploy group policy at the domain level, or do you have to manually deploy them on all sub-domains?

    2) How easy can you share files and printers between sub-domains? (in comparison to the one-domain model?)

    Thank you guys !


  • #2

    It really depends on your locations, do you have multiple offices?

    How many people in each office?

    Does a CLASS C network (less than 253 servers and computers work? )

    Will your infrastructure be connected be private through your ISP?

    The easiest solution most of the time is one forest, one domain and everyone in there, all dc's talk to each in one.

    You can set up site's in it for slow links to help logging on time.


    • #3
      Group policy can be deployed at the domain level or the sub-domain level or for just an OU. All that depends on your needs. We have a group policy just for our 4 Citrix Servers. It just depends on how much control you need over what resources.

      As long as your domains are subs, there shouldn't be much problem at all sharing folders and printers.


      • #4

        we have 8 offices (100 people/office) (8 different countries)
        Connected with 128 or 256k WAN lines (MCI)
        All Class C subnets

        How easy is it to delete a "office" from the one domain model ?
        We just have to delete the two DC's and the connected sites?

        Do you have an idea how big the act.dir. traffic will be ?
        (because our limited WAN connections)

        In the one domain model, I know you can delegate tasks. (users, computers, printers ..)

        But is it also possible to let a user create printers, or let a user install programs on a server? (maybe local admin rights?)

        I hope you have experience in these matters because my knowledge is pure theoretically.

        thank you !!



        • #5
          Couple answers and more questions

          I can try and answer this:

          1 - Let's say you are in one office with x.x.x.133 subnet and you go to ping x.x.x.55 does the ping work out correctly? Document the TTL between your office to other offices. Speed up and speed down are usually different and some tests may help determine your ability to analyse badwidth usage. As in :

          1) how much for email
          2) how much for documents
          3) how much info in one office is accessed across offices so saving huge documents may make time

          I went off on a tangent there but it relates to your AD traffic, if your AD is only modified with less than 30 changes a day I would suspect that you would be ok???

          Deleting an office from AD - > As in you are deleting an OU which houses ad objects which reference an office ? Easy....?? Seems so.

          Running dcpromo on the dc's to remove them, then wait a bit for network to normalize.

          Make a plan , document it out, try and find tests to conclude that each step has worked.

          There is a tool to show the dc's in an organization ( a dos command ).. I'd have to look it , if you've removed it correctly then it won't show.

          Remember the big reason for a DC in each office is because of slow LINKS, seperate site's' must be setup within SITES icon so you aren't authentication across the world. ??

          In one whole domain it makes it easier.

          3. Load terminal services ( REMOTE ) on each server and have you access it remotely for most functions.

          Client COMPUTERS should not have ADMIN privledges if you can do it. APPLICATION documentation and testing will help you find out whether POWER USERS will work!! Try and do that , less control for users the better.

          power users can add printers I believe, making TCPIP ports to print to HP printers may need ADMIN..

          Test test!

          You can share files between domains, you have establish trust in a win2k3 environment if you have 2 forests.

          But from domain to domain in one forest just make a nice security group in each domain etc, and assign to the share.

          I hope I said that right.

          If there is only one of you then try one domain model. If more then try multiple domains within in one forest.

          Ok Help I helped.


          • #6
            Thank you joejiz

            I'll have a look at it