Forest Consolidation


Paul Gerry

Hi,

I currently have 5 locations in Europe and 8 in the US. Only 2 of the
locations are part of the company's original infrastructure; the rest have
come about by way of acquisitions. The original 2 locations are trusted
across a VPN.

Due to new collaboration projects, a one-Exchange-organisation requirement,
corporate rebranding and SOX auditors' recommendations, one logical entity
is required.

The domains currently have the following setup:

Europe 1 - 3x Win 2000 DCs, 1x Exchange 2003
Europe 2 - 1x NT PDC, 1x Win 2000 DC with Exchange 5.5, both domains trusted
Europe 3 - 1x Win 2000 DC
Europe 4 - 1x Win 2000 DC, 1x Exchange 2000
Europe 5 - 1x Win 2000

US 1 - 2x Win 2003 DCs, 1x Exchange 2003
US 2 - 2x Win 2003 DCs, 1x Exchange 2003
US 3 - 1x Win 2003 DC
US 4 - 4x Win 2003 DCs, 1x Exchange 2003 (covering 3 locations)
US 5 - 2x Win 2003 DCs
US 6 - 2x Win 2003 DCs, Exchange 2003

- All of the locations that have one DC will have a second one by the end of
the month, for obvious reasons.
- All Win 2000 domains will be upgraded to 2003 by the end of the year. Not
sure about the NT one yet due to software running on it; hoping to make it a
member server of a 2003 domain.

What I am looking for is recommendations with regards to the forest/domain
setup. I have had a few ideas around the following setups:

- 1 forest, 1 domain
- 1 forest, 2 domains (EU, US)
- 1 forest, multiple domains for each site
- 2 forests (EU,US), multiple domains for each site

Has anyone tackled an AD project on this sort of scale? Have they any
tips/recommendations about the AD side and possibly the Exchange side?

Regards

Paul
 

Herb Martin

Paul Gerry said:
> Hi,
>
> I currently have 5 locations in Europe and 8 in the US. Only 2 of the
> locations are part of the company's original infrastructure; the rest have
> come about by way of acquisitions. The original 2 locations are
> trusted across a VPN.
>
> Due to new collaboration projects, a one-Exchange-organisation requirement,
> corporate rebranding and SOX auditors' recommendations, one logical entity
> is required.

What does "one logical entity" mean in this sentence?

One domain? One Forest? Something else?

> The domains currently have the following setup:
>
> Europe 1 - 3x Win 2000 DCs, 1x Exchange 2003
> Europe 2 - 1x NT PDC, 1x Win 2000 DC with Exchange 5.5, both domains
> trusted

Two domains in Europe 2? The above is confusing if so, and
if this is only one domain it is NOT POSSIBLE: an NT PDC must
be for a different domain than a Win2000 DC. (Could be a Win2000 DC
and an NT BDC however.)

> Europe 3 - 1x Win 2000 DC
> Europe 4 - 1x Win 2000 DC, 1x Exchange 2000
> Europe 5 - 1x Win 2000
>
> US 1 - 2x Win 2003 DCs, 1x Exchange 2003
> US 2 - 2x Win 2003 DCs, 1x Exchange 2003
> US 3 - 1x Win 2003 DC
> US 4 - 4x Win 2003 DCs, 1x Exchange 2003 (covering 3 locations)
> US 5 - 2x Win 2003 DCs
> US 6 - 2x Win 2003 DCs, Exchange 2003
>
> - All of the locations that have one DC will have a second one by the end
> of the month, for obvious reasons.

Good.

> - All Win 2000 domains will be upgraded to 2003 by the end of the year.
> Not sure about the NT one yet due to software running on it; hoping to
> make it a member server of a 2003 domain.

Good too.

You cannot however directly convert an NT DC to a "member server",
but must rather promote it to an AD DC and then, after adding another DC,
you could THEN DCPromo (demote) it to member DC.
Otherwise re-install that PDC.

> What I am looking for is recommendations with regards to the forest/domain
> setup. I have had a few ideas around the following setups:
>
> - 1 forest, 1 domain

There are some weird laws (both admin and security) in Europe that
might preclude a single domain IF certain countries are included.

> - 1 forest, 2 domains (EU, US)

Those weird laws might actually make this WORSE
(Germany is the example I am familiar with.)

> - 1 forest, multiple domains for each site

Don't use "sites" as your primary way to decide about domains.

> - 2 forests (EU,US), multiple domains for each site

If you plan on sharing resources this is likely overkill and not
that helpful, since explicit trusts will likely be required.

Assuming you need to share resources you might find that a single
domain for the US, and 0-more (additional) for Europe is best.

Much of that 0-more is about internal company politics AND possibly
geopolitical issues.

> Has anyone tackled an AD project on this sort of scale? Have they any
> tips/recommendations about the AD side and possibly the Exchange side?

Yes, several of us who will answer you here have, but I am NOT the
'expert' on Exchange in such situations.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 

Paul Gerry

Herb,

Many thanks for your response. Sorry, I should have been clearer: Europe 2 has
two domains, one NT, the other 2000, and they are trusted. Not sure why I
wrote "one logical entity"; that's what the CFO emailed me and I obviously
picked it up from there. He doesn't understand forests and domains despite
multiple diagrams and descriptions using words of 2 syllables or less, usual
for a CFO.

The NT box will be rebuilt and made a member server. It is only required as
the ERP software running on it is a bit flaky on Win 2000 or 2003, to say the
least.

You mentioned that admin and security laws might preclude a single domain.
Do you have any examples, or know of any references that can be explored
further? I am against a single global/continental domain and would love
something solid to build arguments against it.

I have been reading the documentation regarding domain rename, which may be
required due to some sites in the US and EU having the same NETBIOS name,
hence the lack of VPNs and trusts at the moment. Am I correct in thinking that
you can do a domain rename and join another forest?

Currently creating the entire setup using Virtual Server. Hope to be in a
position to run through some scenarios by the weekend.

Many thanks for your help

Paul

 

Herb Martin

Paul Gerry said:
> Herb,
>
> Many thanks for your response. Sorry, I should have been clearer: Europe 2
> has two domains, one NT, the other 2000, and they are trusted. Not sure why
> I wrote "one logical entity"; that's what the CFO emailed me and I
> obviously picked it up from there. He doesn't understand forests and
> domains despite multiple diagrams and descriptions using words of 2
> syllables or less, usual for a CFO.

Then I would take this (request by CFO) to mean "one forest unless
this is not possible."

> The NT box will be rebuilt and made a member server. It is only required
> as the ERP software running on it is a bit flaky on Win 2000 or 2003, to
> say the least.

Usually it is best to UPGRADE (significant) domains, so it might
be best to first arrange an upgrade through it OR a replacement PDC
(by installing an NT BDC for upgrade purposes) and then re-arranging it.

> You mentioned that admin and security laws might preclude a single domain.
> Do you have any examples, or know of any references that can be explored
> further? I am against a single global/continental domain and would love
> something solid to build arguments against it.

There is a (now old) discussion of Microsoft's own adventures in
this area by their designer of the original Win2000 domains worldwide
(or at least US-Europe). It's somewhere on the MS site, especially
in the videos (with transcripts) from conferences etc.

He discussed how his original plan was for a single domain -- MS
is NOT a large company by AD standards -- but then found that
Germany (in particular) had an "unwritten law" (yes, I know that
makes no sense to me logically either) that required a German
entity to be managed either locally in Germany OR by the wholly
owning parent company if done outside the country.

This led to a conflict with Microsoft's then plan to have most
European locations managed out of their Ireland IT center.

This led to a provisional plan to separate Germany as a different
domain.

There was also an issue with French laws (if I recall
correctly) relating to key length for security keys, which would
have forced another domain for France.

The two (and maybe others that I forget) led to a decision to make
MOST European countries separate domains in the MS forest.

> I have been reading the documentation regarding domain rename, which may be
> required due to some sites in the US and EU having the same NETBIOS name,

UGH! That is terrible (really.)

It is also not supposed to be POSSIBLE in AD with a single forest.

So if you already have multiple forests there is no direct way to
combine them. You can migrate; you can establish external or forest
trusts; but you cannot directly join either existing forests or domains.*

*Except NT domains, which can be upgraded and join an existing forest
at the same time.

> hence the lack of VPNs and trusts at the moment.

VPNs are not dependent on such stuff (in general.)

Trusts are. You cannot trust a domain with the same name as yours.

> Am I correct in thinking that you can do a domain rename and join another
> forest?

No. You can rename, but a domain cannot join another forest
(unless it is still NT and has no existing forest currently.)

> Currently creating the entire setup using Virtual Server. Hope to be in a
> position to run through some scenarios by the weekend.
>
> Many thanks for your help

You can call me if you wish. I give free help (up to a point.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
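A pre-flight check for the name-collision problem Herb raises above (you cannot trust or merge a domain whose name matches one already in your forest, so one side needs a domain rename first). This is an added example, not code from the thread; it assumes a current ActiveDirectory PowerShell module, read access to each acquired forest, and the forest root names shown are placeholders.

```powershell
# Added example (not from the thread). Inventory every domain in each acquired
# forest, flag NetBIOS/DNS name collisions that would block trusts or a merge,
# and list domains still at the Windows 2000 functional level.
# Assumes: ActiveDirectory module installed, and that each forest root below is
# resolvable and readable with the current credentials.
# Forest roots are placeholders; replace with the real forest root DNS names.
$forestRoots = @('eu1.example.invalid', 'eu2.example.invalid', 'us1.example.invalid')

Import-Module ActiveDirectory

$inventory = foreach ($root in $forestRoots) {
    try {
        $forest = Get-ADForest -Identity $root -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read forest $root : $($_.Exception.Message)"
        continue
    }
    foreach ($domainDns in $forest.Domains) {
        # Ask a DC of that specific domain so the NetBIOS name is authoritative.
        $dom = Get-ADDomain -Identity $domainDns -Server $domainDns
        [pscustomobject]@{
            Forest     = $forest.Name
            DnsName    = $dom.DNSRoot
            NetBIOS    = $dom.NetBIOSName
            DomainMode = $dom.DomainMode
        }
    }
}

"== Domain inventory =="
$inventory | Format-Table Forest, DnsName, NetBIOS, DomainMode -AutoSize

# A NetBIOS or DNS name that appears in more than one forest cannot be trusted
# or migrated into the target forest as-is; one side needs a domain rename.
foreach ($key in 'NetBIOS', 'DnsName') {
    $inventory |
        Group-Object -Property $key |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $where = ($_.Group | ForEach-Object { $_.Forest }) -join ', '
            Write-Warning "$key '$($_.Name)' is used in more than one forest: $where"
        }
}

# Domains still at the Windows 2000 functional level: these are the ones the
# thread plans to raise to 2003 before any cross-forest trust or consolidation.
$inventory |
    Where-Object { $_.DomainMode -like 'Windows2000*' } |
    ForEach-Object { Write-Warning "$($_.DnsName) is still at functional level $($_.DomainMode)" }
```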