How would you do this? AD structure question.

    Just looking for some feedback on a proposed AD design re-structure.

    My company is planning to amalgamate its existing multi-forest/domain structure into a single forest/domain structure.

    We have approx. 20 separate Domains/sites located in various places with a 10MB VPN linked back to a central HQ purely for remote admin functions. We currently have separate administrators for each Domain.

    The plan is to create a single forest/domain amalgamating all the remote Domains into one Domain. All Domain names are internal with no external name-space required.

    We plan to have the first DC in our HQ, which will also be the FSMO holder. Other DCs will be created at each remote site, with VPN links to other sites created to provide resiliency. There will be a hub-spoke structure for the purpose of replication, with the main HQ replicating to 4 regional HQs, which will then replicate to their subordinates.

    The question is how to set up DNS. We obviously want it AD integrated, but with many different sites the DNS zone will obviously be replicated to each and every other DC/DNS server and may get unwieldy and difficult to manage.

    Is there any other way of managing the DNS Zone replication? Can we set DNS to only replicate to certain other DNS servers (similar to replication partners in AD)? Is this a good use of DNS application partitions?

    Thanks for any input.

  • #2
    Re: How would you do this? AD structure question.

    Hi,

    Can you provide your user base in the different sites and Active Directory topology information or a diagram for better understanding?

    As you mentioned that you would be migrating to a single forest/domain structure, wherever you place a DC it will have DNS and will replicate to the other DNS servers in the Active Directory domain.

    What I can suggest is to put the RODC role with the DNS server role at the remote site locations so that replication is unidirectional.

    "Can we set DNS to only replicate to certain other DNS servers (similar to replication partners in AD)?"

    For this you have options like replicating DNS to the other DNS servers in the domain, to DNS servers running on domain controllers only, or to all domain controllers in the forest.

    I would suggest that for some locations where the user base is smaller, you can install standalone caching-only DNS servers with forwarders/conditional forwarding set on them.

    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points

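    The replication-scope options in the reply above map directly onto DNS application partitions: Forest and Domain scope use the built-in ForestDnsZones/DomainDnsZones partitions, Legacy puts the zone in the domain partition itself, and Custom lets a zone live in a partition that only explicitly enlisted DCs hold. That last option is the answer to "replicate only to certain DNS servers". The script below is an added example, not code from the thread or from the poster; every name (corp.example, HQ-DC01, NORTH-DC01, NorthDnsZones, the IP addresses) is an assumption. It uses the DnsServer PowerShell module (Windows Server 2012 and later) and needs Enterprise Admin rights for the partition operations.

```powershell
# Added example (not from the thread): scoping AD-integrated DNS zone replication.
# Requires the DnsServer module (Windows Server 2012+ / RSAT) and Enterprise Admin rights
# for the application-partition steps. All names and addresses below are assumptions.
$domainZone = 'corp.example'                 # assumed: the single consolidated domain
$hubDc      = 'HQ-DC01'                      # assumed: the FSMO holder at HQ
$regionDcs  = 'NORTH-DC01', 'NORTH-DC02'     # assumed: DCs that should carry the regional zone

# 1. See what scope each AD-integrated zone has today.
#    ReplicationScope is Forest (ForestDnsZones), Domain (DomainDnsZones),
#    Legacy (stored in the domain partition itself) or Custom (a named partition).
Get-DnsServerZone -ComputerName $hubDc |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName

# 2. Create a custom DNS application partition and enlist only the DCs that
#    should hold it. A zone placed here replicates to these DCs and nowhere else.
$partition = 'NorthDnsZones'                 # assumed partition name
Add-DnsServerDirectoryPartition -Name $partition -ComputerName $hubDc
foreach ($dc in $regionDcs) {
    Register-DnsServerDirectoryPartition -Name $partition -ComputerName $dc
}

# 3. Put a regional zone into that partition. Keep the consolidated domain zone and
#    _msdcs at Domain/Forest scope: every DC needs those SRV records to find its peers.
#    Secure dynamic updates keep unauthenticated hosts from registering records.
Add-DnsServerPrimaryZone -Name "north.$domainZone" `
    -ReplicationScope Custom -DirectoryPartitionName $partition `
    -DynamicUpdate Secure -ComputerName $hubDc

# An existing AD-integrated zone can be moved into the partition the same way:
# Set-DnsServerPrimaryZone -Name "north.$domainZone" -ReplicationScope Custom `
#     -DirectoryPartitionName $partition -ComputerName $hubDc

# 4. Small sites without a DC: a standalone caching-only server holds no zone data
#    and simply forwards to DNS servers at the nearest DCs.
$cacheOnly = 'SITE17-DNS01'                  # assumed standalone (non-DC) DNS server
Set-DnsServerForwarder -IPAddress 10.10.0.10, 10.20.0.10 -ComputerName $cacheOnly
Add-DnsServerConditionalForwarderZone -Name $domainZone -MasterServers 10.10.0.10 `
    -ComputerName $cacheOnly

# 5. Verify which DCs are enlisted and that the zone landed in the custom partition.
Get-DnsServerDirectoryPartition -Name $partition -ComputerName $hubDc
Get-DnsServerZone -Name "north.$domainZone" -ComputerName $regionDcs[0] |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
```

    Two points worth checking before relying on this: an AD-integrated zone is carried by AD replication, so it follows whatever site-link topology the forest has rather than being pushed to every DNS server in a mesh, and the zone data for a typical 300-user site is small next to the domain partition those DCs replicate anyway. The custom partition is mainly useful where a zone genuinely has no business existing outside one region, since a DC that does not hold the partition cannot serve or leak its records.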


    • #3
      Re: How would you do this? AD structure question.

      Thanks for the quick response v-2nas.

      We have approx 300 users in each site with no more than 200 workstations. The current proposal is to have a DC located at each site which will also be DNS & DHCP server.

      If a DC at a site goes down then local users will be able to authenticate against an alternative DC at another site using the VPN link.

      With each site having its own DC/DNS server, I think there will be issues with DNS replication in that the zone will be quite large.

      Bearing in mind that there will be a fast link (10MB) between sites, should DNS be left alone as an integrated zone?



      • #4
        Re: How would you do this? AD structure question.

        Yes, let them be Active Directory integrated for better manageability. Create sites and move DCs to the sites, define the replication schedule after the full sync, and then you can have controlled replication.

        What you can do to reduce replication traffic is use a hub-spoke topology: every server is talking to the central hub server rather than a full mesh topology.

        You need to manually remove and re-create replication links. Start with a pilot site (server and users) and see what the challenges are.

        Thanks & Regards
        v-2nas
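        The sites, site links and replication schedule described above are what actually shape where an AD-integrated zone replicates, so this is the place to put the "controlled replication". The script below is an added example, not code from the thread or from the poster; all site names, subnets and DC names are assumptions. It expresses the hub-and-spoke design as site links (HQ to four regional hubs, each region to its subordinate sites), turns off automatic site-link bridging so the KCC does not build spoke-to-spoke or spoke-to-HQ shortcuts, and lets the KCC generate the connection objects from those links rather than hand-editing connections. It uses the ActiveDirectory module and repadmin, and needs Enterprise Admin rights.

```powershell
# Added example (not from the thread): hub-and-spoke AD replication topology.
# Requires the ActiveDirectory module, repadmin, and Enterprise Admin rights.
# Site names, subnets and DC names are assumptions.
Import-Module ActiveDirectory

# Hub -> spokes. HQ talks to the regional HQs; each region talks to its own sites.
$topology = @{
    'HQ'    = 'North', 'South', 'East', 'West'
    'North' = 'Site01', 'Site02'
    'South' = 'Site03'
}
$subnets = @{ 'HQ' = '10.10.0.0/16'; 'North' = '10.20.0.0/16'; 'Site01' = '10.21.0.0/16' }

# 1. Sites and subnets, so each DC and client is placed in the correct site.
$allSites = @($topology.Keys) + @($topology.Values | ForEach-Object { $_ }) | Sort-Object -Unique
foreach ($site in $allSites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
}
foreach ($site in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($subnets[$site])'")) {
        New-ADReplicationSubnet -Name $subnets[$site] -Site $site
    }
}

# 2. One site link per hub/spoke pair and nothing else: no full mesh.
#    15 minutes is the minimum interval; 30 keeps the 10MB VPN links quiet.
foreach ($hub in $topology.Keys) {
    foreach ($spoke in $topology[$hub]) {
        $linkName = "$hub-$spoke"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
            New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hub, $spoke `
                -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
        }
    }
}

# 3. Disable "Bridge all site links". With bridging on, site links are transitive and the
#    KCC may connect Site01 straight to HQ. Bit 0x2 on the IP transport container
#    (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) makes the KCC honour only the explicit links.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$opts = (Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 2) }

# 4. Move each DC into its site (assumed DC names), then retire the default link
#    once every site sits on an explicit hub/spoke link.
Move-ADDirectoryServer -Identity 'HQ-DC01'    -Site 'HQ'
Move-ADDirectoryServer -Identity 'NORTH-DC01' -Site 'North'
Move-ADDirectoryServer -Identity 'SITE01-DC01' -Site 'Site01'
if (Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'") {
    Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false
}

# 5. After the initial full sync, restrict a spoke link to an after-hours window
#    (20:00 to 23:45 daily) so bulk changes do not compete with daytime VPN traffic.
$ns = 'System.DirectoryServices.ActiveDirectory'
$nightly = New-Object "$ns.ActiveDirectorySchedule"
$nightly.SetDailySchedule([type]"$ns.HourOfDay"::Twenty,      [type]"$ns.MinuteOfHour"::Zero,
                          [type]"$ns.HourOfDay"::TwentyThree, [type]"$ns.MinuteOfHour"::FortyFive)
Set-ADReplicationSiteLink -Identity 'North-Site01' -ReplicationSchedule $nightly

# 6. Ask the KCC to recompute now, then confirm the connection objects follow the
#    hub/spoke links and that no DC reports replication failures.
repadmin /kcc
repadmin /replsummary
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
```

        Run the pilot site through step 6 before touching the rest: the connection list is the check that the KCC built only hub-to-spoke connections, and /replsummary is the check that every DC, including the DNS zones it hosts, is converging within the interval you set.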