Help with Single versus Multiple domain


Matt

I am looking for anyone's input to help me justify to the director why I
should migrate our AD network from a multiple-domain model to a single-domain
model. Any white papers, docs, articles or the like that may assist would be
appreciated.
 

Matt Anderson


Tomasz Onyszko

Matt said:
I am looking for anyone's input to help me justify to the director why I
should migrate our AD network from a multiple-domain model to a single-domain
model. Any white papers, docs, articles or the like that may assist would be
appreciated.

I don't know why you want to do this, but if you are looking for general
design considerations, look at these papers:



http://www.microsoft.com/resources/...003/all/deployguide/en-us/dpgDSS_overview.asp

http://www.microsoft.com/downloads/...cd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en

http://www.microsoft.com/downloads/...F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en
 

James

I always go with the single domain model if possible. The reasons I think
you need to weigh when looking at a single domain vs. multiple domains are:

To support decentralized administration (this can be done with delegation to
some degree)

To isolate domain replication traffic (you can use
sites/links/bridges/replication schedules to overcome this)

If you want to preserve legacy domains (this probably doesn't apply to you)

To support multiple domain policies (e.g. password security settings). I hope
this will be 'fixed' one day so you don't need more than one domain for
this.

To comply with internal political decisions

Perhaps the main question is why you have multiple domains at the moment.

James
 

Tomasz Onyszko

James said:
Perhaps the main question is why you have multiple domains at the moment.

This is my point too - all suggestions on this and other groups are true,
but we don't know why you have separate domains now and why you want to
migrate them to a single domain.
 

Matt

Separate domains were inherited from the NT4 migration. During the NT4 days
at this company, there were two separate physical networks. When they were
finally joined and the nine domains needed to talk, they had to create
trusts. That was carried over to 2000 during migration. It just doesn't seem
to be necessary now because there is only one group that manages all domains.
 

Tomasz Onyszko

Matt said:
Separate domains were inherited from the NT4 migration. During the NT4 days
at this company, there were two separate physical networks. When they were
finally joined and the nine domains needed to talk, they had to create
trusts. That was carried over to 2000 during migration. It just doesn't seem
to be necessary now because there is only one group that manages all domains.

Migrating to one domain seems to be the final step in your migration, unless
there are other factors in your organization (sometimes politics is a very
strong factor) which can prevent it.

In your design, migrating to one domain should have the following positive
effects:

- decreased administrative overhead: right now, maintaining trusts,
assigning rights between domains etc. can be a very time-consuming task

- simplification in the administration of users, permissions etc.

- a simple structure with preserved functionality: you can still delegate
tasks to IT staff in each domain at the OU level, and OUs are easier to manage

- (this will be one of the consultants' favorite reasons :) ) a decrease in
the TCO of your network

- as others said in this thread, you can also free some hardware resources
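Before putting the "decrease administrative overhead" argument in front of a director, it helps to show what the current multi-domain layout actually consists of: how many domains, how many DCs each one needs, and how many trusts have to be maintained and kept secure. The script below is an added example for this thread, not something posted by Matt, Tomasz or Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to every domain in the forest; the domain names in the output are whatever your forest contains.

```powershell
# Added example (not part of the original thread): inventory the forest
# before collapsing domains. Assumes the ActiveDirectory module (RSAT) is
# installed and the caller can read every domain listed in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: {0}  (forest mode: {1})" -f $forest.Name, $forest.ForestMode
"Domains in forest: {0}" -f ($forest.Domains -join ', ')

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $users  = @(Get-ADUser -Filter * -Server $domainName)

    # One DC count per domain is the "free some hardware" argument:
    # every domain needs at least two DCs of its own, a single domain
    # needs two DCs total plus whatever you want per site.
    "`n== {0}  (domain mode: {1}, DCs: {2}, users: {3})" -f `
        $domainName, $domain.DomainMode, $dcs.Count, $users.Count

    # Every trust is an object that has to be kept in sync, audited and
    # secured (SID filtering, selective authentication). Trusts between
    # domains of the same forest disappear entirely once there is one
    # domain; external ones still need an owner.
    Get-ADTrust -Filter * -Server $domainName |
        Select-Object Source, Target, Direction, TrustType, IntraForest,
                      ForestTransitive, SIDFilteringQuarantined,
                      SelectiveAuthentication |
        Format-Table -AutoSize
}
```

Run it from a workstation that can reach a DC in each domain; if a domain in the forest list fails to answer, that unreachable domain is itself part of the case for collapsing. A trust row with `IntraForest` true and `SIDFilteringQuarantined` false is the normal parent/child or tree-root trust that vanishes after migration; external trusts (`IntraForest` false) are the ones worth reviewing for SID filtering whether or not you migrate.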
 

Cary Shultz [A.D. MVP]

Matt,

There is usually no reason to have multiple Domains. Now, before everyone
jumps on me for this very general comment, let me get into more detail!

In most situations a single domain model is desirable. Now, you can have an
empty root if you so desire. Microsoft is actually moving away from
suggesting this now. What do you benefit from having a single domain model?
Ease of administration, reduction in overhead (and hardware), etc., etc.,
etc.

So, what if I have one domain but have 17 different physical locations? Not
a problem. You simply make use of Active Directory Sites and Services. So,
you keep your single domain but set up the 17 different physical locations
as Sites, create the appropriate Subnets and then associate each Subnet with
the correct Site. You would have both Intrasite Replication (between the
Domain Controllers that are located in each Site) and Intersite Replication
(between each Bridgehead Server in each Site - or however the KCC, the
Knowledge Consistency Checker, and its little buddy the ISTG, the Intersite
Topology Generator, configure things). Do you need a Domain Controller in
each Site? Well, not really, but you should consider it. There are many who
would say that you should have a DC in each Site. I am generally one of
those people. But is it a technical requirement? No. In a situation where
you have three users in a Site you do not necessarily need to have a DC in
that Site. But that is open for discussion and I am simply providing
****very general**** considerations. One thing that you would want to
consider having would be a Site-to-Site VPN between each location *IF* you
have a public connection between each remote location and the HQ. So, if
you have a private T1 between each remote Site and the HQ you would probably
not need to have the Site-to-Site VPN (aka Firewall-to-Firewall VPN).
SonicWall has some nice Firewalls. I do not even need to mention Cisco's
PIX. There are others as well.

What do Sites afford you? Well, besides the obvious, Sites afford you two
things mainly: controlling Active Directory Replication and assisting user
logons. You see, the way things are supposed to work (and they do not
always, due to 'generic' records) is that each WIN2000 and WIN XP Pro system
is supposed to authenticate against a DC in its Site (based on IP
Address - thus the need to set up the Subnets in the ADSS MMC and then
associate each Subnet with the correct Site). If a DC is not available in
that Site then it will look for another 'closest' DC and use that one.
Sometimes this is over a WAN link. You do not really want this, generally
speaking.

So, what does this all have to do with a single domain model vs. the multiple
domains that you currently have? Pretty much everything. A lot of really
good WINNT 4.0 Admins who are not familiar with WIN2000 Active Directory
will not make use of the new features that Active Directory offers and
continue with the NT 4.0 way. They are still in the WINNT 4.0 mode of
thinking. This is a bit limiting and leads to a less than efficient way of
doing things. Generally speaking.

So, how would you go about this? Well, you did not mention if you are
already at WIN2000 or still in WINNT 4.0. If you are in WINNT 4.0 then you
could create a WIN2000 forest, create a trust between WIN2000 and WINNT 4.0
and use the Active Directory Migration Tool (ADMT v2.0). This would be
the beginning of a very large undertaking - assuming that you have many
WINNT 4.0 domains to collapse.

Exchange is another issue. That would be best posted in the Exchange
2000.Admin news group.

HTH,

Cary
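Cary's post describes the Sites and Services layout that replaces per-location domains: one site per physical location, subnets associated with each site so the DC locator sends clients to a local DC, and site links that govern intersite replication. The script below is an added example illustrating that layout, not Cary's own code or a Microsoft sample. It assumes the ActiveDirectory module (RSAT), rights to modify the Configuration partition, and that the site names, subnets, link costs and the domain name `corp.example.com` are placeholders to be replaced with your own; it also goes slightly beyond the post by ending with the check for subnets that are not mapped to any site, which is the usual reason a client ends up authenticating across the WAN.

```powershell
# Added example (not part of the original thread): create sites, subnets
# and hub-and-spoke site links for a single domain with several
# locations, then verify the site mapping. Site names, subnets, costs
# and the domain name are constructed placeholders.
Import-Module ActiveDirectory

# One site per physical location, with the IP subnets used there.
$sites = @{
    'HQ'       = @('10.1.0.0/16')
    'Branch01' = @('10.2.0.0/24', '10.2.1.0/24')
    'Branch02' = @('10.3.0.0/24')
}

foreach ($siteName in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $sites[$siteName]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            # The subnet-to-site association is what lets the DC locator
            # hand a client a DC in its own site instead of any DC.
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
}

# Hub-and-spoke site links from HQ to each branch. Cost and replication
# interval shape intersite replication; the KCC/ISTG chooses the
# bridgehead servers on each end.
foreach ($branch in ($sites.Keys | Where-Object { $_ -ne 'HQ' })) {
    $linkName = "HQ-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded 'HQ', $branch `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 30 `
            -InterSiteTransportProtocol IP
    }
}

# Check 1: subnets that exist but are associated with no site. Clients
# on these ranges get an arbitrary DC, which may be across a WAN link.
"Subnets without a site:"
Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { -not $_.Site } |
    Select-Object Name

# Check 2: which site this machine resolves to, and which DC the locator
# returns for a given site of the (placeholder) domain.
nltest /dsgetsite
nltest /dsgetdc:corp.example.com /site:Branch01
```

Run `nltest /dsgetsite` from a workstation at each location after the subnets are in place; a machine that reports the wrong site, or a `dsgetdc` answer naming a DC at another location, means a subnet is missing or overlaps another site's range. Sites that you do not add to a link are unreachable for intersite replication, so creating the link is part of creating the site, not an optional tuning step.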
 
