AD Forest with Child Domains
  • AD Forest with Child Domains

    Hi Everyone,

    I am just on the path to see if anyone has had to perform the following AD structure and if so what would your recommendations be on the best route to follow:

    Active Directory 2003, Domain Functional Level at 2003.

    I have a Data Centre that will have the main AD hosted here. I then have LSN sites that will have a sub-division of the Main AD and then each of the schools that connect to their respective LSNs will also have a sub-division of AD.

    So I am looking at a 3 tier level AD being (PRIMARY AD) Microsoft.com, (SECONDARY) LSN1.microsoft.com, (THIRD LEVEL) School1.lsn1.microsoft.com.

    I take it each site will require a DNS server? Is it possible to have a linux box resolving DNS instead?

    Is there anything that I will need to watch out for?

    Thanks in Advance

  • #2
    Re: AD Forest with Child Domains

    Will each site require a DNS server? No. They will each require a DNS zone. But for performance & best practice they should each have a DNS server. You could do it all with a single DNS server hosting the zones, but if you're going to have domain controllers, why not just make them DNS servers hosting AD integrated zones?

    Regarding Linux as a DNS server, it can be done, but requires a minimum version of BIND (don't recall which, check MS documentation). Specifically it will need to support dynamic DNS updates and SRV resource records. Again, you may find it simpler to use the DCs as DNS servers.
    blog.techscrawl.com

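    The point in #2 about a non-Microsoft DNS server needing SRV record and dynamic update support can be checked from the DNS side. The script below is an added example, not code from anyone in this thread: it builds the site-independent SRV owner names a domain controller registers for a given domain (the GC names live under the forest root), then parses a zone dump in standard zone-file syntax and reports which required records are absent or advertised on the wrong port. The zone dump, host names and the `lsn1.microsoft.com` / `microsoft.com` names are constructed from the poster's naming scheme; site-specific and GUID-based SRV names are deliberately left out.

```python
import re

# Well-known ports carried in the AD SRV records.
LDAP, KERBEROS, KPASSWD, GC = 389, 88, 464, 3268


def required_srv_names(domain, forest_root, is_gc=False):
    """Site-independent SRV (owner, port) pairs a DC for `domain` registers via
    dynamic update. The DNS server hosting the zone must be able to store and
    serve all of them. Site- and GUID-specific names are omitted here."""
    d = domain.rstrip(".").lower()
    f = forest_root.rstrip(".").lower()
    names = {
        (f"_ldap._tcp.{d}", LDAP),
        (f"_ldap._tcp.dc._msdcs.{d}", LDAP),
        (f"_ldap._tcp.pdc._msdcs.{d}", LDAP),   # registered by the PDC emulator
        (f"_kerberos._tcp.{d}", KERBEROS),
        (f"_kerberos._udp.{d}", KERBEROS),
        (f"_kerberos._tcp.dc._msdcs.{d}", KERBEROS),
        (f"_kpasswd._tcp.{d}", KPASSWD),
        (f"_kpasswd._udp.{d}", KPASSWD),
    }
    if is_gc:
        # Global catalog records are registered in the forest root zone,
        # not in the child domain's own zone.
        names |= {
            (f"_gc._tcp.{f}", GC),
            (f"_ldap._tcp.gc._msdcs.{f}", LDAP),
        }
    return names


# owner [TTL] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.IGNORECASE
)


def parse_srv_records(zone_text):
    """Return the set of (owner, port) pairs found in a zone-file style dump."""
    found = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        m = SRV_RE.match(line)
        if m:
            owner, _prio, _weight, port, _target = m.groups()
            found.add((owner.rstrip(".").lower(), int(port)))
    return found


def missing_srv_records(zone_text, domain, forest_root, is_gc=False):
    """Required records that are absent, or present only with a wrong port."""
    return sorted(required_srv_names(domain, forest_root, is_gc) - parse_srv_records(zone_text))


# Constructed sample: a dump of the lsn1.microsoft.com zone plus the forest-root
# GC records. Two records a DC would normally register are left out on purpose.
SAMPLE_ZONE_DUMP = """
; constructed sample zone dump (not real data)
_ldap._tcp.lsn1.microsoft.com.              600 IN SRV 0 100 389  dc1.lsn1.microsoft.com.
_ldap._tcp.dc._msdcs.lsn1.microsoft.com.    600 IN SRV 0 100 389  dc1.lsn1.microsoft.com.
_ldap._tcp.pdc._msdcs.lsn1.microsoft.com.   600 IN SRV 0 100 389  dc1.lsn1.microsoft.com.
_kerberos._tcp.lsn1.microsoft.com.          600 IN SRV 0 100 88   dc1.lsn1.microsoft.com.
_kerberos._udp.lsn1.microsoft.com.          600 IN SRV 0 100 88   dc1.lsn1.microsoft.com.
_kpasswd._tcp.lsn1.microsoft.com.           600 IN SRV 0 100 464  dc1.lsn1.microsoft.com.
_gc._tcp.microsoft.com.                     600 IN SRV 0 100 3268 dc1.lsn1.microsoft.com.
_ldap._tcp.gc._msdcs.microsoft.com.         600 IN SRV 0 100 389  dc1.lsn1.microsoft.com.
"""

if __name__ == "__main__":
    for owner, port in missing_srv_records(SAMPLE_ZONE_DUMP, "lsn1.microsoft.com",
                                           "microsoft.com", is_gc=True):
        print(f"missing: {owner} (port {port})")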


    • #3
      Re: AD Forest with Child Domains

      Is there any way of viewing the hierarchy of your domains and child domains in one MMC console?

      I have about 2500 schools that will each have a global catalogue server on site hosting the schools.microsoft.com domain.

      So my questions would be:

      1) Is there a limitation as to how many domain controllers I can have in each domain?
      2) Is there a limitation on how many replicating site connectors you have to each upstream AD?
      3) Can you replicate only the OU that you are utilising in that specific school?

      So many questions I know. But I am just trying to find the most efficient and optimal way to get this AD up and running.

      Petri users have always been serious help in my past endeavours



      • #4
        Re: AD Forest with Child Domains

        I'll try to answer your questions:

        * Is there any way of viewing the hierarchy of your domains and child domains in one MMC console?

        Yes, use the Active Directory Domains and Trusts MMC.

        * Is there a limitation as to how many domain controllers I can have in each domain?

        Microsoft recommends no more than 1200 DCs per domain in order to keep SYSVOL replication healthy. I've never heard of a production domain actually using this many DCs. If you plan on having more than 800 DCs in a domain, review this KB: http://support.microsoft.com/default...b;EN-US;267855

        * Is there a limitation on how many replicating site connectors you have to each upstream AD?

        I'm not 100% sure I understand what you're asking here, but when it comes to both inter-site & intra-site replication, the recommendation is to let connections be made automatically by the KCC service, based on the information you supply when setting up Sites and Subnets. In my experience, doing this manually is asking for trouble unless you have a good reason to do so.

        * Can you replicate only the OU that you are utilising in that specific school?

        No, not with 2003 Active Directory anyway. The most granular you can be with replication is in terms of naming contexts. OUs are in the Domain Naming Context, which is replicated all or nothing. Server 2008 has an option for a read-only domain controller that allows a little more control over what is replicated, but this is more in terms of account passwords.

        Hope that helps.

        Clay
        blog.techscrawl.com



        • #5
          Re: AD Forest with Child Domains

          ClayShek thank you for your rapid response.

          Must be honest Petri is probably the only site that has such enthusiastic users.


          Just to cover over the 1200 DC limitations in a domain.

          Do you think that each child domain that you create is separate from the First Tier Domain? So in retrospect. Creating a new sub-domain will allow 1200 DCs in that sub-domain

          If yes to the above then this will also overcome the 2.14 Billion Objects limitation in AD.

          You are going to think I am crazy! But I have a DC where I am running our main AD. I then have approx 200 LSNs and then 2500 Schools. Each school requires a DC for Authentication. So I am already limited to 1200 leaving me with 1300 schools that cannot run a DC.

          My thought pattern is to create multiple child-domains to the Main AD to overcome the limitations. So split the schools into batches of 400-600 perhaps.

          This is going to be the biggest AD infrastructure in S.A. that I know about. Over 3 million users. So I am sure you can see my dilemma and concerns :P

          Time for a drink

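          The batching idea in #5 (one DC per school, schools grouped into child domains of 400-600 DCs so that no domain approaches the 1200 DC figure quoted in #4) can be sketched out before anything is promoted. The planner below is an added example and is not code from anyone in this thread. It packs whole LSNs into child domains greedily, keeps every school of an LSN in the same child domain, and flags any domain that exceeds the 1200 DC recommendation or crosses the 800 DC point at which #4 suggests reviewing the KB article. The `schoolsN.microsoft.com` naming, the two DCs reserved per child domain for its own LSN/data-centre tier, and the 200 LSNs with 12 or 13 schools each are constructed assumptions, not figures from the thread beyond the 200/2500 totals.

```python
from math import ceil

MAX_DCS_PER_DOMAIN = 1200   # per-domain recommendation quoted in this thread
REVIEW_THRESHOLD = 800      # above this, the thread points at KB 267855


def minimum_domains(total_dcs, cap=MAX_DCS_PER_DOMAIN):
    """Lower bound on how many domains are needed for `total_dcs` DCs."""
    return ceil(total_dcs / cap)


def plan_child_domains(forest_root, lsn_schools, target_batch=500, reserve_dcs=2):
    """Greedily group LSNs into child domains of roughly `target_batch` DCs.

    lsn_schools : {"lsn1": 13, ...} number of schools (one DC each) per LSN,
                  in the order they should be packed.
    reserve_dcs : DCs the child domain needs for its own tier (assumption),
                  counted against the per-domain cap.
    An LSN is never split across two child domains; an LSN larger than
    `target_batch` simply gets a domain of its own and is flagged if too big.
    """
    domains, current = [], None
    for lsn, schools in lsn_schools.items():
        if current is None or current["dcs"] + schools > target_batch:
            current = {
                "domain": f"schools{len(domains) + 1}.{forest_root}",  # assumed naming
                "lsns": [],
                "dcs": reserve_dcs,
            }
            domains.append(current)
        current["lsns"].append(lsn)
        current["dcs"] += schools

    for d in domains:
        d["within_limit"] = d["dcs"] <= MAX_DCS_PER_DOMAIN
        d["needs_kb_review"] = d["dcs"] > REVIEW_THRESHOLD
    return domains


# Constructed sample: 200 LSNs, alternating 13 and 12 schools, 2500 schools total.
SAMPLE_LSNS = {f"lsn{i}": 12 + (i % 2) for i in range(1, 201)}

if __name__ == "__main__":
    total = sum(SAMPLE_LSNS.values())
    print(f"{total} school DCs need at least {minimum_domains(total)} domain(s)")
    for d in plan_child_domains("microsoft.com", SAMPLE_LSNS):
        flag = "" if d["within_limit"] else "  <-- exceeds recommendation"
        print(f"{d['domain']}: {len(d['lsns'])} LSNs, {d['dcs']} DCs{flag}")
```

          Because the packing is greedy, the last child domain is usually small; re-running with a different `target_batch` shows the trade-off between the number of child domains (each with its own DNS zone, trusts and replication topology to look after) and how close each one sits to the per-domain recommendation.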
