AD Design question

Zam

I have a question as to the best method for design...

We have two HQs that have dual T1s between them. The two HQs are
in two different states. There are also 30 branches, with half of the
branches in one state, and the other half in the other state. The
branches also have T1s between them and whichever state HQ they
reside in.

Here's my design question. Do you go with a root, with three child
domains under the root (state1, state2, and corporate), and then under
each of those child domains, have each branch be its own child
domain?

OR

Because there's no need for separate domains - have one domain, and
then segregate the branches by making them separate OUs?

TIA!
Simon Geary

I would be thinking about one empty forest root domain and then a single
child domain beneath that, using OUs for each HQ and branch office. Unless
you have a specific requirement for more domains this should do the trick.
Having the empty forest root helps isolate your domain and schema admins
groups. It's not strictly necessary but is a common security measure if you
have the budget for the extra DCs.
Zam

OK. That makes sense. We have servers for each of these branches; we
would probably still want them to be DCs for the corporate domain
that you're suggesting (the one underneath the forest root). I guess
my concern is, if the WAN link goes down, I need to ensure that the users
can still authenticate to a DC.
Cary Shultz [A.D. MVP]

Zam,

In addition to what Simon suggests, I would consider setting up a Site for
each location. You can do this from within the Active Directory Sites and
Services MMC. And, you could place a Domain Controller in each Site. This
will create a situation where the users in Site03 are going to be
authenticated by the DC in Site03 while the users in Site19 are going to be
authenticated by the DC in Site19.

But, how many users are in each Site? If you have fewer than 10 users in a
certain location then you might not want to have a DC in that location. The
authentication across the WAN should not be that much of a problem. Well,
that is assuming that you have only a couple of Sites in which there is no
DC. If the link between the Site and the Hub is a T1 then you should have
no problems. If these T1s are private links then there is no real need to
consider a Site-to-Site VPN. Otherwise, you absolutely want to consider
this.

There are some really good papers that can assist you. Information is a
really good thing and this is one of those areas that is not understood all
that well. There are a lot of things that you can do here. It might take
some tweaking but you can definitely have a fine running network. And from
what I hear WIN2003 is supposed to really improve in this area...

Also, are you considering DFS?

HTH,

Cary
Simon Geary

So long as all your DCs at each branch are a GC (recommended in your case I
think) and they all run DNS and any other vital networking services your
users would be able to log on at either site if the WAN link went down. A DC
can by default last for 60 days servicing users without connection to the
rest of the forest before major problems start occurring.
Zam

OK, that sounds good. What about DNS? Would I make the primary DNS
server on a client at Branch #10 point to the Branch #10 DNS server
for its primary, and then the child domain server as its secondary
DNS? I want to use dynamic DNS, so DNS is definitely a concern here.
Cary Shultz [A.D. MVP]

That sounds correct!

Cary
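As an added example that is not part of this thread, here is how the site-per-location plan Cary describes and the branch-client DNS order Zam asks about could be scripted. It uses the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012+/RSAT, newer than the Windows 2000/2003 MMC discussed above); the site names, subnets, addresses, interface alias and domain name are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# DnsClient modules; all names, subnets, addresses and the domain are constructed.
Import-Module ActiveDirectory

# Constructed inventory: the two state HQ hubs plus two sample branches.
$locations = @(
    @{ Site = 'HQ-State1'; Subnet = '10.1.0.0/16';  Hub = $null },
    @{ Site = 'HQ-State2'; Subnet = '10.2.0.0/16';  Hub = $null },
    @{ Site = 'Branch10';  Subnet = '10.1.10.0/24'; Hub = 'HQ-State1' },
    @{ Site = 'Branch19';  Subnet = '10.2.19.0/24'; Hub = 'HQ-State2' }
)

foreach ($loc in $locations) {
    # One site per location so clients are authenticated by the DC in their own site.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($loc.Site)'")) {
        New-ADReplicationSite -Name $loc.Site
    }
    # The subnet-to-site mapping is what lets the DC locator choose the local DC.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($loc.Subnet)'")) {
        New-ADReplicationSubnet -Name $loc.Subnet -Site $loc.Site
    }
    # One site link per branch back to its state HQ, matching the T1 topology.
    if ($loc.Hub) {
        $linkName = "$($loc.Hub)-$($loc.Site)"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
            New-ADReplicationSiteLink -Name $linkName `
                -SitesIncluded $loc.Hub, $loc.Site `
                -Cost 100 -ReplicationFrequencyInMinutes 15
        }
    }
}

# On a Branch10 client: local branch DC/DNS first, HQ DC/DNS second, so
# dynamic registration and lookups keep working if the WAN link drops.
# Interface alias and addresses are constructed placeholders.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' `
    -ServerAddresses ('10.1.10.5', '10.1.0.5')

# Verify the client maps to the expected site and located an in-site DC.
nltest /dsgetsite
nltest /dsgetdc:corp.example.com
```

Run the site and subnet section once from a machine with domain admin rights; the DNS client and nltest lines belong on a branch client (or in its configuration policy).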
