AD design and flat AD network

  • Thread starter Thread starter DavidM
  • Start date Start date
D

DavidM

Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus distributed (one
forest with several child domains)?

Thanks
 
DavidM said:
Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus distributed (one
forest with several child domains)?
Click to expand...

There are plenty on the Microsoft web site. (Google should find
them easily).

But there are fairly clear reasons for each decision:

Multiple Forests:

1) Complete autonomy
e.g. Separate companies with no desire to generally share
resources

2) Different schemas -- hard rule since the schema is forest wide

Multiple domains

1) Separation of control by different admins
(usually OUs can work here)

2) Mirror NT domains -- especially during upgrade/migration but
again OUs can usually handle this as some point in the process

3) Massive number of objects and... (AD was designed for
millions)
4) Control replication -- seldom needed since Sites do this in most
cases

But notice: #3 and #4 work together, as the number of objects
increases and the speed of the WAN lines goes down a domain
may need to be split where in another environement it would not.

5) Different "Security Account Policies" -- the Password, Lockout,
and Kerberos policies are PER Domain.

6) Geopolitical issues -- laws and practices that force separation
(this is really a variety of #1 but for perhaps different,
external
reasons.) It is also perhaps relevant to your multinational
situation.

7) Technically a need for SMTP replication will force separate
domains
as well, but this is so rare as to almost go unremarked.

Of course anything that forces separate forests also forces a separate
domain.
 
Herb,

Say for example you have a single AD domain that spans 5 countries, and each
country has multiple sites. What would you recomend for the best ADS&S
structure? (all sites in all countires have minimum 512k VPN links back to a
single site in the UK (much like the centre of a wheel with it's spokes),
the directory has no more than 20000 objects, nothing major changes) I've
seen some designs before that look very complicated, and some that look very
simple (like all sites being in the same site link for example)

I'm really interested in your thoughts/views on this one. A company I work
for is about to roll out AD across the globe, as explained roughly above.
Would be good to hear how you would tackle it.


Herb Martin said:
DavidM said:
Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus distributed (one
forest with several child domains)?
Click to expand...

There are plenty on the Microsoft web site. (Google should find
them easily).

But there are fairly clear reasons for each decision:

Multiple Forests:

1) Complete autonomy
e.g. Separate companies with no desire to generally share
resources

2) Different schemas -- hard rule since the schema is forest wide

Multiple domains

1) Separation of control by different admins
(usually OUs can work here)

2) Mirror NT domains -- especially during upgrade/migration but
again OUs can usually handle this as some point in the process

3) Massive number of objects and... (AD was designed for
millions)
4) Control replication -- seldom needed since Sites do this in most
cases

But notice: #3 and #4 work together, as the number of objects
increases and the speed of the WAN lines goes down a domain
may need to be split where in another environement it would not.

5) Different "Security Account Policies" -- the Password, Lockout,
and Kerberos policies are PER Domain.

6) Geopolitical issues -- laws and practices that force separation
(this is really a variety of #1 but for perhaps different,
external
reasons.) It is also perhaps relevant to your multinational
situation.

7) Technically a need for SMTP replication will force separate
domains
as well, but this is so rare as to almost go unremarked.

Of course anything that forces separate forests also forces a separate
domain.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks
Click to expand...
Click to expand...
 
Say for example you have a single AD domain that spans 5 countries, and
each
country has multiple sites. What would you recomend for the best ADS&S
structure? (all sites in all countires have minimum 512k VPN links back to a
single site in the UK (much like the centre of a wheel with it's spokes),
the directory has no more than 20000 objects, nothing major changes) I've
seen some designs before that look very complicated, and some that look very
simple (like all sites being in the same site link for example)
Click to expand...

More than 2 Sites in the same Site Link is a concept that is commonly
misunderstand.

All that this does is give the Sites a link between each pair that shares
the three (essential) configuration parameters:

1) Cost
2) Schedule
3) Frequency

It is just a convenient way to say that all (5) sites are equally connected,
or
rather should be treated as if they were.

It would seem more accurate with a single hub site to create a Site Link
with the hub and each of the other sites.
I'm really interested in your thoughts/views on this one. A company I work
for is about to roll out AD across the globe, as explained roughly above.
Would be good to hear how you would tackle it.
Click to expand...

Simple. As simple as possible and no simpler.

But much depends on the current setups, even the countries, and the
actual requirements as referenced against the rules I provided you
above for deciding Domain and Forest counts.

My first assumption is 1 domain per company until proven wrong (or
rather inadequate).

With multiple countries involved I usually modify this to 1 domain per
company OR per country with a single forest until proven inadequate.

Germany for instance has (had?) some odd "unwritten laws" about
local management of companies that operate within Germany.

(This was mentioned by the Microsoft AD designers back when they
designed the Microsoft European domains.)

You may call me if you wish.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

ade said:
Herb,



Herb Martin said:
DavidM said:
Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus distributed (one
forest with several child domains)?
Click to expand...

There are plenty on the Microsoft web site. (Google should find
them easily).

But there are fairly clear reasons for each decision:

Multiple Forests:

1) Complete autonomy
e.g. Separate companies with no desire to generally share
resources

2) Different schemas -- hard rule since the schema is forest wide

Multiple domains

1) Separation of control by different admins
(usually OUs can work here)

2) Mirror NT domains -- especially during upgrade/migration but
again OUs can usually handle this as some point in the process

3) Massive number of objects and... (AD was designed for
millions)
4) Control replication -- seldom needed since Sites do this in most
cases

But notice: #3 and #4 work together, as the number of objects
increases and the speed of the WAN lines goes down a domain
may need to be split where in another environement it would not.

5) Different "Security Account Policies" -- the Password, Lockout,
and Kerberos policies are PER Domain.

6) Geopolitical issues -- laws and practices that force separation
(this is really a variety of #1 but for perhaps different,
external
reasons.) It is also perhaps relevant to your multinational
situation.

7) Technically a need for SMTP replication will force separate
domains
as well, but this is so rare as to almost go unremarked.

Of course anything that forces separate forests also forces a separate
domain.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks
Click to expand...
Click to expand...
Click to expand...
 
Herb,

Thankyou for your reply - much appreciated and useful.

The company is more of a 'group' of companies preparing to harmonise. Some
VPN tunnels between the various countries and the UK are starting to be
built. Most of the network services i.e. exchange, oralce etc will be
hosted from of the UK. All IT staff will eventually become part of an
international team : )

Thanks for the offer to call aswell, I guess your a busy guy, and in my
opinion you do enough with your contributions here without me calling. But
thanks again all the same.

Cheers.

Herb Martin said:
Say for example you have a single AD domain that spans 5 countries, and each
country has multiple sites. What would you recomend for the best ADS&S
structure? (all sites in all countires have minimum 512k VPN links back
to a
single site in the UK (much like the centre of a wheel with it's spokes),
the directory has no more than 20000 objects, nothing major changes)
I've
seen some designs before that look very complicated, and some that look very
simple (like all sites being in the same site link for example)
Click to expand...

More than 2 Sites in the same Site Link is a concept that is commonly
misunderstand.

All that this does is give the Sites a link between each pair that shares
the three (essential) configuration parameters:

1) Cost
2) Schedule
3) Frequency

It is just a convenient way to say that all (5) sites are equally
connected,
or
rather should be treated as if they were.

It would seem more accurate with a single hub site to create a Site Link
with the hub and each of the other sites.
I'm really interested in your thoughts/views on this one. A company I work
for is about to roll out AD across the globe, as explained roughly above.
Would be good to hear how you would tackle it.
Click to expand...

Simple. As simple as possible and no simpler.

But much depends on the current setups, even the countries, and the
actual requirements as referenced against the rules I provided you
above for deciding Domain and Forest counts.

My first assumption is 1 domain per company until proven wrong (or
rather inadequate).

With multiple countries involved I usually modify this to 1 domain per
company OR per country with a single forest until proven inadequate.

Germany for instance has (had?) some odd "unwritten laws" about
local management of companies that operate within Germany.

(This was mentioned by the Microsoft AD designers back when they
designed the Microsoft European domains.)

You may call me if you wish.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

ade said:
Herb,



Herb Martin said:
Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus
distributed
(one
forest with several child domains)?

There are plenty on the Microsoft web site. (Google should find
them easily).

But there are fairly clear reasons for each decision:

Multiple Forests:

1) Complete autonomy
e.g. Separate companies with no desire to generally share
resources

2) Different schemas -- hard rule since the schema is forest wide

Multiple domains

1) Separation of control by different admins
(usually OUs can work here)

2) Mirror NT domains -- especially during upgrade/migration but
again OUs can usually handle this as some point in the process

3) Massive number of objects and... (AD was designed for
millions)
4) Control replication -- seldom needed since Sites do this in most
cases

But notice: #3 and #4 work together, as the number of objects
increases and the speed of the WAN lines goes down a domain
may need to be split where in another environement it would
not.

5) Different "Security Account Policies" -- the Password, Lockout,
and Kerberos policies are PER Domain.

6) Geopolitical issues -- laws and practices that force separation
(this is really a variety of #1 but for perhaps different,
external
reasons.) It is also perhaps relevant to your
multinational
situation.

7) Technically a need for SMTP replication will force separate
domains
as well, but this is so rare as to almost go unremarked.

Of course anything that forces separate forests also forces a separate
domain.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Thanks
Click to expand...
Click to expand...
Click to expand...
 
ade said:
Herb,

Thankyou for your reply - much appreciated and useful.

The company is more of a 'group' of companies preparing to harmonise. Some
VPN tunnels between the various countries and the UK are starting to be
built. Most of the network services i.e. exchange, oralce etc will be
hosted from of the UK. All IT staff will eventually become part of an
international team : )
Click to expand...

This does sound like multiple domains on first glance.

It may not be "per country" though but rather "per operating
unit/company" since they are separate companies and their
might be much site overlap.

Sites cover WAN issues well. Domains are much more about
authentiction-sharing and span-of-control (admin) issues.
Thanks for the offer to call aswell, I guess your a busy guy, and in my
opinion you do enough with your contributions here without me calling. But
thanks again all the same.
Click to expand...

Ok. (I will charge you if it gets excessive <grin> but I do like
solving problems and helping people.)
 
Hi again Herb,

They are different operating units at present, but are in the process of all
joining and singing out of the same kym book, as it were.

I think the single domain will work for us, as we encourage trust between
staff memebers, and can easily delegate out admin tasks per OU if needed.

Thanks for you input, I think perhaps either the hub strategy for ADS&S you
mentioned will work for us, or just having one site link may aswell. All
the sites will have permanent connectivity, and as I mentioned, the
directory is not huge and never has any 'major' changes.

Thanks for you help again mate, if I lived in the states I'd be tempted to
do your course.
 
ade said:
Hi again Herb,

They are different operating units at present, but are in the process of all
joining and singing out of the same kym book, as it were.

I think the single domain will work for us, as we encourage trust between
staff memebers, and can easily delegate out admin tasks per OU if needed.

Thanks for you input, I think perhaps either the hub strategy for ADS&S you
mentioned will work for us, or just having one site link may aswell. All
the sites will have permanent connectivity, and as I mentioned, the
directory is not huge and never has any 'major' changes.

Thanks for you help again mate, if I lived in the states I'd be tempted to
do your course.
Click to expand...

Normally the site links should MATCH your physical WAN lines.

If it is a hub, you likely should hub out the sites. (Otherwise you get
strange connections when that isn't proper or ideal.)
 
Back
Top