AD structure, advice needed.


  • AD structure, advice needed.

    Currently our company is expanding and I am looking into options for the best way to get our remote offices in AD.

    Our current structure
    Forest: nameWI.org
    Domain: nameWI.org

    In the coming months we will be adding a remote office outside of the country. They will have their own IT to provide support. Since the office will be based in a remote location, my thought is that they would use a dial-up VPN connection for AD replication.

    Would it be best to add this other office as a Child domain? Or should I create a new tree for this domain? I am thinking the child domain is the route to take, but wanted to hear some other opinions.

  • #2
    Re: AD structure, advice needed.

    I assume you're using at least W2k3?

    Best practice has changed from 2000, to use a single forest root domain.
    I'm doing a redesign for a global client at the moment, where they have a forest root domain (comp.com) then they have ap, na, eu as child domains.

    We're moving them to just "comp.com" - single domain.

    If it was me, I would create an OU at the top level, then a structure below that for users, groups etc., and delegate authority to the IT support team at the remote site.
    Set up Sites & Services and you're good to go.


    I definitely wouldn't do a new tree/forest unless there's a specific need for clear separation of resources.
    Please do show your appreciation to those who assist you by leaving Rep Points.

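    The single-domain design recommended above (a top-level OU delegated to the remote IT team, plus Sites & Services for the slow link) is shown below as an added PowerShell example. It is not code from the thread or from any poster. It assumes the RSAT ActiveDirectory module from Windows Server 2012 or later (newer than the W2k3 era of the thread; dsacls itself ships with 2003), a Domain Admin session in the nameWI.org domain named by the original poster, and the placeholder names RemoteOffice, RemoteOffice-Admins, 10.20.0.0/16 and Default-First-Site-Name, which are assumptions rather than values from the thread.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module (Server 2012+),
# a Domain Admin session in nameWI.org, and the placeholder names defined below.
Import-Module ActiveDirectory

$domainDN   = 'DC=nameWI,DC=org'
$siteName   = 'RemoteOffice'              # placeholder site / top-level OU name
$remoteCidr = '10.20.0.0/16'              # placeholder subnet of the remote office
$hqSite     = 'Default-First-Site-Name'   # placeholder name of the HQ site
$adminGroup = 'RemoteOffice-Admins'       # placeholder group for the remote IT staff

# 1. Top-level OU for the remote office, with Users / Groups / Computers beneath it.
$remoteOU = New-ADOrganizationalUnit -Name $siteName -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true -PassThru
foreach ($sub in 'Users', 'Groups', 'Computers') {
    New-ADOrganizationalUnit -Name $sub -Path $remoteOU.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Global security group for the remote IT staff. Rights are granted on this
#    OU subtree only, so nobody at the remote site needs Domain Admins membership.
New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$($remoteOU.DistinguishedName)" `
    -Description "Delegated admins for the $siteName OU subtree"

# 3. Delegation with dsacls: create/delete user, group and computer objects anywhere
#    in the subtree (/I:T), full control over those object classes once they exist
#    (/I:S = sub-objects only), and the Reset Password control access right on users.
$ouDN = $remoteOU.DistinguishedName
$acct = "nameWI\$adminGroup"
foreach ($class in 'user', 'group', 'computer') {
    dsacls $ouDN /I:T /G "${acct}:CCDC;$class"
    dsacls $ouDN /I:S /G "${acct}:GA;;$class"
}
dsacls $ouDN /I:S /G "${acct}:CA;Reset Password;user"

# 4. Sites & Services: site, subnet and a site link to HQ. The cost keeps the KCC from
#    routing other traffic over this link; 180 minutes is the polling interval.
New-ADReplicationSite   -Name $siteName
New-ADReplicationSubnet -Name $remoteCidr -Site $siteName
New-ADReplicationSiteLink -Name "HQ-$siteName" -SitesIncluded $hqSite, $siteName `
    -Cost 200 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# 5. Limit intersite replication to a nightly window (01:00 to 04:00), so the dial-up
#    VPN is not saturated during the working day.
$window = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$window.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Four,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity "HQ-$siteName" -ReplicationSchedule $window

# 6. Check: the delegated group must not be nested (directly or transitively) in a
#    privileged group. The OID is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$groupDN  = (Get-ADGroup $adminGroup).DistinguishedName
$nestedIn = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$groupDN)" |
    Select-Object -ExpandProperty Name
$hits = $nestedIn | Where-Object { $privileged -contains $_ }
if ($hits) { Write-Warning "$adminGroup is nested in privileged group(s): $($hits -join ', ')" }
else       { Write-Output  "$adminGroup holds delegated rights on $ouDN only" }
```

    Step 6 is the part worth keeping around after the build: the whole point of the single-domain design is that the remote team administers its OU without ever being a Domain Admin, and a later "quick fix" that nests the group somewhere privileged silently undoes that.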


    • #3
      Re: AD structure, advice needed.

      Originally posted by tehcamel:
      I assume you're using at least W2k3?

      Best practice has changed from 2000, to use a single forest root domain.
      I'm doing a redesign for a global client at the moment, where they have a forest root domain (comp.com) then they have ap, na, eu as child domains.

      We're moving them to just "comp.com" - single domain.

      If it was me, I would create an OU at the top level, then a structure below that for users, groups etc., and delegate authority to the IT support team at the remote site.
      Set up Sites & Services and you're good to go.


      I definitely wouldn't do a new tree/forest unless there's a specific need for clear separation of resources.
      W2k3 is currently in use and will also be used at the remote location. So you are suggesting keeping a single domain, and just delegating authority to an OU structure. This sounds like an easy/simple way to go. But what are the disadvantages if any versus a child domain structure?



      • #4
        Re: AD structure, advice needed.

        The main disadvantage, to my mind, is no real segregation of authority. For instance, if I was doing IT support at that remote site and needed to log on to the domain controller or change DHCP or something, I'd have to be a full DA, which would give me access to your domain controller and your DHCP scopes at your site.

        So it comes down to how much you trust the people doing the onsite support.

        Also, you'd have to have the same policies configured; you can't have a separate password configuration for the new location.
        Please do show your appreciation to those who assist you by leaving Rep Points.



        • #5
          Re: AD structure, advice needed.

          RODC might be worth looking into too. That's what I'm doing at my company: we have RODCs in remote offices, so if the line goes down it won't cause replication issues.

          Just an idea

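          Promoting the remote office's server as an RODC, as suggested above, is shown below as an added PowerShell example; it is not from the thread or from the poster. It assumes Windows Server 2012 or later with the ADDSDeployment module (RODCs need a 2008-level domain, newer than the W2k3 mentioned earlier in the thread), that the script runs on the server being promoted with a writable DC reachable over the VPN, and the placeholder names RemoteOffice, RemoteOffice-Admins, RemoteOffice-Users and RODC01, which are assumptions rather than values from the thread.

```powershell
# Added example, not from the thread. Run on the candidate server at the remote site.
# Assumes the ADDSDeployment module (Server 2012+), the nameWI.org domain from the
# original post, an existing site, and the placeholder group/host names below.
Import-Module ADDSDeployment

$domain     = 'nameWI.org'
$site       = 'RemoteOffice'                  # placeholder: site created in Sites & Services
$rodcAdmins = 'nameWI\RemoteOffice-Admins'    # placeholder: delegated local admins of the RODC
$rodcUsers  = 'nameWI\RemoteOffice-Users'     # placeholder: accounts allowed to be cached
$rodcName   = 'RODC01'                        # placeholder: hostname of the server being promoted

# Promote as a read-only replica. The Password Replication Policy decides which
# credentials the RODC may cache: only the site's own users are allowed, privileged
# groups are denied, so a stolen RODC at the remote office exposes at most those users.
Install-ADDSDomainController `
    -DomainName $domain `
    -ReadOnlyReplica `
    -SiteName $site `
    -InstallDns `
    -DelegatedAdministratorAccountName $rodcAdmins `
    -AllowPasswordReplicationAccountName $rodcUsers `
    -DenyPasswordReplicationAccountName 'nameWI\Domain Admins', 'nameWI\Enterprise Admins' `
    -Credential (Get-Credential -Message "Account permitted to promote a DC in $domain") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# After the reboot, from any machine with the AD module: review the effective PRP and
# which accounts have actually been cached ("revealed") on the RODC.
Import-Module ActiveDirectory
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Select-Object Name, ObjectClass
```

          The last two queries are the ones to rerun periodically: the allowed list should contain only the remote site's users and computers, and the revealed-accounts list should never show an administrative account, since that is exactly the exposure an RODC is meant to avoid when the line, or the office, is not under your control.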


          • #6
            Re: AD structure, advice needed.

            Instead of creating a new thread, I'll just piggy-back off this thread as it is related to an issue I am confronting.

            Presently, my organization has six forests (one for headquarters (HQ) and five for remote locations) connected by WAN links. The number of users at each location ranges from 2 to 10.

            The goal is to get rid of the five forests for the remote locations. I have been given the lead in this project.

            My course of actions (COA) are:

            1. Create sites for the five remote locations under the headquarters domain and administer the resources in five OUs.

            2. Create child domains for the five remote locations under the headquarters domain.

            I am biased toward COA#1, because it is easier.

            However, the HQ domain administrator says COA#2 would be a better route.

            I say the PROs of COA#1 are:

            - Ease of administration.
            - Remote users' access to HQ domain resources.
            - Deployment of consistent policies throughout the domain; machines are compliant and up to date with the latest patches.

            The only CON I see with COA#1 is the consumption of WAN bandwidth due to AD replication.

            I say the PROs of COA#2 are:

            - Security boundaries.
            - Filtering of GPOs from the parent domain.
            - Conservation of WAN bandwidth (assuming there is no AD replication between parent and child domains).
            - Remote location can maintain its identity.

            CON of COA#2:

            - Administration complexity.

            Would you all be kind enough to offer feedback?

            Thanks



            • #7
              Re: AD structure, advice needed.

              I would agree with you, rudog, and go with the first option instead of creating child domains. The best would be to have UGMC in the remote sites, as the number of users is small. If they are using Exchange or any other application that needs access to a GC, then use ADCs in the remote sites.

              In this case administration will be easy and neat. Talking about replication, you can set it to 1am maybe.


              Thanks



              • #8
                Re: AD structure, advice needed.

                Hi,

                How many users are you going to put in the remote site? That also matters. What tehcamel has suggested is also a good choice. Doing a child domain depends upon the organizational structure, data isolation, your user base, and the amount that can be used up. It can be a good choice if you have a large user base and you want it to be regionally independent.
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points

