AD Design suggestions


  • AD Design suggestions

    I'm redesigning our current AD structure (multiple forests/SBS's) and I'm torn on the design.

    We've got 5 sites in three countries. As I see it, the sensible options are:

    One domain with OUs for each site
    Three child domains (one per country) with an OU per site in each country that has more than one
    Five child domains, one per site

    We've not got a huge amount of users, probably 50 per site, so I don't think replication traffic is going to be a major problem, and we've got a full-time admin per country.

    I can see pros/cons for each design but I'm a bit torn on the final design. A single domain seems very tempting as it's by a long way the simplest to administer, but I do like the idea of separating it out. Or is there an even nicer way I've overlooked?

    Anyone got any experience of doing this or suggestions?

    TIA

  • #2
    Re: AD Design suggestions

    I did not really understand why you need so many domains for such a small number of users.

    Who is going to maintain all those domains? Are you going to? Then why not just stick with one?

    Are you going to have Domain Admin personnel on every site/domain to maintain it?
    To be honest, I don't even see a reason why you should have multiple domains if it's not coming from politics in your company's management.
    Think about it: many domains means not everything replicates between them, then you have to establish trusts, make sure everything is working correctly, and make sure DNS is replicated/forwarded between the domains, etc. Maintaining it is a headache.

    If it's not for internal company politics that it has to be separated, I would say don't even bother with more than one domain. Stick with a single domain; I see no advantage in having more than one domain just because it is in a remote site... unless you've got really shitty & unreliable WAN lines like in Africa or something like that, then it makes sense to have separation by domains.

    I would say go for one domain, OUs based on sites and "Sites & Site-Links", give the admins on site full control over their OU, and stick with keeping the domain in one piece.

    I've got 1 domain with nearly 20,000 users and over 20 sites and I still think that the 1-domain configuration is the best for us.
    Every time we buy a company we migrate them into our domain. We never ever take into consideration having more than one domain; that would kill you afterward, maintaining them.
    Last edited by Akila; 5th June 2008, 17:55.



    • #3
      Re: AD Design suggestions

      Microsoft recommends you strongly justify the need for child domains.

      If you don't need to reduce replication, there's no reason to have multiple domains.



      • #4
        Re: AD Design suggestions

        I'm personally now, I think, in preference of one domain. The reasoning behind the multiple ones really comes down to politics, I suppose: the admins in each country want to be the supreme being in their own little section, and having their own domain is justification.

        I think I need to rewrite my design plan a little.

        Ta



        • #5
          Re: AD Design suggestions

          If I were you, I would do everything in my power to stay in one domain.
          Last edited by Akila; 4th June 2008, 20:09.



          • #6
            Re: AD Design suggestions

            I'm convinced one domain is correct and I think I've won the argument now.

            I pointed out that I couldn't sensibly assist in any admin on any other child domains if we went that way, due to the administration boundaries. This was translated as 'bugger, he won't do any of my support tickets', which I think has pretty much won the argument.

            I've also said that if we go with one domain and don't like it, it's easier to make children later; going the other way would be even harder. This translated as 'just think how much trouble your children cause you and how much less grief it was before them, and now you can't get rid of them and no-one wants to babysit for you', which I think nailed it!

            Thanks for your opinions. Now where's my ADMT guide?



            • #7
              Re: AD Design suggestions

              Poppers, you're funny.
              I love your approach.
              Why are you looking for the ADMT Guide again? (I missed that part.)
              Anyway, here it is:
              http://www.microsoft.com/downloads/d...displaylang=en
              If you need any assistance with migrating/ADMT, we are all here to help.
              Last edited by Akila; 5th June 2008, 17:53.



              • #8
                Re: AD Design suggestions

                Domains are not the administrative boundary; the Domain Admin in the forest root domain will have control over everything. If you want to divide administrative boundaries you need multiple forests.



                • #9
                  Re: AD Design suggestions

                  Akila,

                  I need ADMT to merge the 5 (and counting) forests we've currently got, unless there's a better way?

                  Meekrobe,

                  I'm trying to simplify the current hideous mess of multiple forests that we've got into one nice manageable chunk!


                  P



                  • #10
                    Re: AD Design suggestions

                    No problem.
                    Stick with ADMT; it will do the job.



                    • #11
                      Re: AD Design suggestions

                      Also, there is no reason you'd need Domain Admins everywhere now, is there? What task is being performed by admins in remote sites that requires domain admin access?
                      VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                      • #12
                        Re: AD Design suggestions

                        Gepeto,

                        Quite right, it actually makes it simpler thinking about it. There are realistically three of us worldwide that it would make sense to have as domain admins, as we do share control of the current domains; everything else could be done with delegation of control for the OUs. It makes sense to have at least one extra member of staff per site with that permission so they can do stuff whilst I'm on holiday and have 'accidentally' forgotten to take my mobile phone with me, again.

                        P

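The model reached in #11 and #12 (a handful of Domain Admins, with per-site support staff delegated on their own OU), sketched as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module and dsacls are available; the domain name, site codes, group names and the "Admin Groups" OU are hypothetical, and the password-reset/unlock scope is one possible choice of delegated rights.

```powershell
# Added example. All names are hypothetical: corp.example, the CORP NetBIOS name,
# the site codes, and a pre-existing "OU=Admin Groups" container for role groups.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'
$netbios  = 'CORP'
$groupOu  = "OU=Admin Groups,$domainDn"
# Constructed sample: 5 sites in 3 countries, as in the opening post.
$sites    = 'UK-London', 'UK-Leeds', 'DE-Berlin', 'FR-Paris', 'FR-Lyon'

foreach ($site in $sites) {
    $ouDn  = "OU=$site,$domainDn"
    $group = "$site-OU-Admins"

    # One OU per site directly under the domain root.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$site'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $domainDn
    }

    # The role group lives outside the site OU, so rights granted on the
    # site OU never extend to the group that carries them.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $groupOu
    }

    # Delegate only what local support needs on user objects below the site OU:
    # reset password, force change at next logon, unlock account.
    dsacls $ouDn /I:S /G "${netbios}\${group}:CA;Reset Password;user" | Out-Null
    dsacls $ouDn /I:S /G "${netbios}\${group}:RPWP;pwdLastSet;user"   | Out-Null
    dsacls $ouDn /I:S /G "${netbios}\${group}:RPWP;lockoutTime;user"  | Out-Null
}

# Review who still holds domain-wide or forest-wide control; per #8, these
# groups are not contained by any OU or child-domain layout.
foreach ($privileged in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $privileged -Recursive |
        Select-Object @{ n = 'Group'; e = { $privileged } }, SamAccountName, objectClass
}
```

Running `dsacls` with only the OU's distinguished name afterwards lists the resulting ACL, which is a quick way to confirm each site group appears with just these three entries.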


                        • #13
                          Re: AD Design suggestions

                          Originally posted by poppers
                          Gepeto,

                          Quite right, it actually makes it simpler thinking about it. There are realistically three of us worldwide that it would make sense to have as domain admins, as we do share control of the current domains; everything else could be done with delegation of control for the OUs. It makes sense to have at least one extra member of staff per site with that permission so they can do stuff whilst I'm on holiday and have 'accidentally' forgotten to take my mobile phone with me, again.

                          P
                          That's the spirit, stick with one domain.



                          • #14
                            Re: AD Design suggestions

                            I've just discovered that one of the forests we've got is based on SBS. I've got no real experience with it, but as far as I know it doesn't handle trusts. From my experience with ADMT it needs trusts in place to migrate objects across. Am I stuck?



                            • #15
                              Re: AD Design suggestions

                              To be honest, I don't know SBS at all.
                              But I've got an idea, though you're the one that needs to tell me if it's possible.
                              Is it possible to add a regular win2003 server into the SBS forest as a DC?
                              If so, then you add a regular win2003 server as a DC, demote the SBS server from being a DC, then establish a trust and ADMT what you need. It might be that just adding a regular 2003 server as a DC without demoting the SBS server would be enough for establishing a trust, but as I told you, I know jack shit about SBS.
                              Maybe Google could help out on how to migrate resources from SBS to a regular 2003 forest.

