AD design issues

Invisible

Hi folks.

I've written and re-written this message a few times now - hopefully this
time I'll actually hit [send]! Anyway, I work for a company with sites all
over the world, but the main site is (surprise) in the USA. We're just about
to all move over to Windows 2000 AD domains. I've been looking into Windows
2000, finding out how AD works, etc., for quite some time now. All was going
quite well... until I realised that the USA want all the domains in the same
forest.

Oh dear.

Now, I am *very* concerned about what will happen if we do indeed do this,
but I realise that there's nothing anyone on this list can actually do to
help me turn the USA guys into sensible intelligent people, so I will _try_
and keep my questions technical in nature... (This is the cause of the
rewrites!)

* Is it "best" to have an empty top-level domain, with the actual "stuff"
in the child domains? (We're planning on having a single tree - I think.)

* Do we actually need to have a GC at our UK site?

* If we do have a GC over here, does that mean that every time anyone at
any site on planet Earth changes their password, the new password is
replicated to our GC?

(My reason for asking: we have 30 users. The USA have 30,000. [Don't know
how many the other sites have.] It seems horrifically wasteful to force us
to store 30,000 user accounts that we're never going to use - not to mention
the monumental waste of network bandwidth.)

* I would imagine that the only members of the Enterprise Users group will
be people in the USA. Does that mean they have unlimited power to mess up
our domain? Is there anything we can do to stop them? (Or do we just have to
hope they leave us alone?)

I'm also worried about what this will do to our Exchange setup, but I
suppose I'll have to go ask in the Exchange group about that...

Thanks.
 
Hello

Invisible said:
> Hi folks.
>
> I've written and re-written this message a few times now - hopefully this
> time I'll actually hit [send]! Anyway, I work for a company with sites all
> over the world, but the main site is (surprise) in the USA. We're just about
> to all move over to Windows 2000 AD domains. I've been looking into Windows
> 2000, finding out how AD works, etc., for quite some time now. All was going
> quite well... until I realised that the USA want all the domains in the same
> forest.

Yeah, there is no problem with one and the same forest.

> Oh dear.
>
> Now, I am *very* concerned about what will happen if we do indeed do this,
> but I realise that there's nothing anyone on this list can actually do to
> help me turn the USA guys into sensible intelligent people, so I will _try_
> and keep my questions technical in nature... (This is the cause of the
> rewrites!)
>
> * Is it "best" to have an empty top-level domain, with the actual "stuff"
> in the child domains? (We're planning on having a single tree - I think.)

Yeah, a single tree and child domains, or do you need just one root domain?

> * Do we actually need to have a GC at our UK site?

Yeah, in Windows 2000 you need a GC at each site; you do not in a Windows Server
2003 AD domain.

> * If we do have a GC over here, does that mean that every time anyone at
> any site on planet Earth changes their password, the new password is
> replicated to our GC?

Yes, and it provides other information about the objects too, for fast use of
the attributes in the site by the relevant services and users.

> (My reason for asking: we have 30 users. The USA have 30,000. [Don't know
> how many the other sites have.] It seems horrifically wasteful to force us
> to store 30,000 user accounts that we're never going to use - not to mention
> the monumental waste of network bandwidth.)
>
> * I would imagine that the only members of the Enterprise Users group will
> be people in the USA. Does that mean they have unlimited power to mess up
> our domain? Is there anything we can do to stop them? (Or do we just have to
> hope they leave us alone?)

Enterprise Domain Admins has control of all child domains in a tree, yes, and
also controls all domains in a forest.

> I'm also worried about what this will do to our Exchange setup, but I
> suppose I'll have to go ask in the Exchange group about that...
>
> Thanks.

//chriss3 . sweden
 
Having an empty root domain has the following advantages:
* ability to add/remove child domains from the root easily
* control access to the enterprise admins, schema admins group

If you will be using E2k, E2k3 and have exchange servers in the UK, then a
LAN speed access to a GC will be required. You may need a GC for other
applications, but for basic logins, providing the UK can contact a GC via
the network and you do not have E2k/E2k3, you do not need to have one
locally. W2k3 has a new feature which will cache universal groups and this
can reduce some of the WAN traffic if a GC is not located locally.

I don't believe passwords are stored in the global catalog, so if this is a big
issue and bandwidth is a real problem, the UK users could be in their own
domain. However, this may mean more hardware (e.g. distributing FSMO roles).
What about travelling users? You really need to assess the impact of p/w
changes on replication traffic. The book Active Directory Notes from the
Field is excellent for this.

The EA group is very powerful and should only contain members who really
understand AD and know your enterprise. Some rights can be removed from the
EA group, but be careful, as things can stop working if the wrong rights are
removed!

I do not know your environment, but IMHO, a single forest and a single
domain (with an empty root) is the best way to go. Start with the simplest
design and then find reasons why you should make extra forests or domains.


Invisible said:
> Hi folks.
>
> I've written and re-written this message a few times now - hopefully this
> time I'll actually hit [send]! Anyway, I work for a company with sites all
> over the world, but the main site is (surprise) in the USA. We're just about
> to all move over to Windows 2000 AD domains. I've been looking into Windows
> 2000, finding out how AD works, etc., for quite some time now. All was going
> quite well... until I realised that the USA want all the domains in the same
> forest.
>
> Oh dear.
>
> Now, I am *very* concerned about what will happen if we do indeed do this,
> but I realise that there's nothing anyone on this list can actually do to
> help me turn the USA guys into sensible intelligent people, so I will _try_
> and keep my questions technical in nature... (This is the cause of the
> rewrites!)
>
> * Is it "best" to have an empty top-level domain, with the actual "stuff"
> in the child domains? (We're planning on having a single tree - I think.)
>
> * Do we actually need to have a GC at our UK site?
>
> * If we do have a GC over here, does that mean that every time anyone at
> any site on planet Earth changes their password, the new password is
> replicated to our GC?
>
> (My reason for asking: we have 30 users. The USA have 30,000. [Don't know
> how many the other sites have.] It seems horrifically wasteful to force us
> to store 30,000 user accounts that we're never going to use - not to mention
> the monumental waste of network bandwidth.)
>
> * I would imagine that the only members of the Enterprise Users group will
> be people in the USA. Does that mean they have unlimited power to mess up
> our domain? Is there anything we can do to stop them? (Or do we just have to
> hope they leave us alone?)
>
> I'm also worried about what this will do to our Exchange setup, but I
> suppose I'll have to go ask in the Exchange group about that...
>
> Thanks.
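An added example, not code from any poster in this thread, that checks the two design points the reply above raises: whether every site in the forest has a local Global Catalog, and who sits in the forest-wide Enterprise Admins and Schema Admins groups. It assumes the current RSAT ActiveDirectory PowerShell module and a read-only account in the forest root, rather than the Windows 2000 tooling the thread discusses.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and an account that can read the forest root domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$rootDc = [string](Get-ADDomainController -DomainName $forest.RootDomain -Discover).HostName

# 1. Global Catalog coverage per site. A site whose DCs are all non-GC (or that
#    has no DC at all) must reach a GC over the WAN for universal-group
#    expansion at logon, and Exchange needs a GC at LAN speed, as the reply notes.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$report = foreach ($site in $forest.Sites) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $site })
    [pscustomobject]@{
        Site = $site
        DCs  = $inSite.Count
        GCs  = @($inSite | Where-Object { $_.IsGlobalCatalog }).Count
    }
}
$report | Sort-Object Site | Format-Table -AutoSize
$report | Where-Object { $_.GCs -eq 0 } |
    ForEach-Object { Write-Warning "Site '$($_.Site)' has no local Global Catalog" }

# 2. The forest-wide admin groups live in the root domain, so query the root DC.
#    Schema Admins should normally be empty outside a schema change; Enterprise
#    Admins should be a short list of people you can name. -Recursive expands
#    nested groups so a member hidden behind a child-domain group still shows up.
foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $groupName -Server $rootDc -Recursive)
    Write-Output ("{0}: {1} member(s)" -f $groupName, $members.Count)
    $members | Select-Object SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}
```

Run it from the UK side before the migration is finalised and keep the output; a later diff of the two group listings is the cheapest way to notice an unexpected addition to either group.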
 
> Having an empty root domain has the following advantages:
> * ability to add/remove child domains from the root easily
> * control access to the enterprise admins, schema admins group

Right. OK...

> If you will be using E2k, E2k3 and have exchange servers in the UK, then a
> LAN speed access to a GC will be required.

Bugger. OK...

> You may need a GC for other
> applications, but for basic logins, providing the UK can contact a GC via
> the network and you do not have E2k/E2k3, you do not need to have one
> locally.

Well since UK users will only be logging on to the UK domain... (Except for
once every 12 months or so when someone from the USA comes over here...) I
would have thought all that matters is that the UK workstations can contact
one of the DCs for the UK domain.

> W2k3 has a new feature which will cache universal groups and this
> can reduce some of the WAN traffic if a GC is not located locally.

We're not using W2003. (Mercifully!)

> I don't believe passwords are stored in the global catalog, so if this is a big
> issue and bandwidth is a real problem, the UK users could be in their own
> domain.

We plan to do this. As I said, the USA has 30,000 users at just one site.
The UK site has only 30 users. Plus the UK and USA sites have almost no need
to interact at all. Myself I'd prefer separate forests too, but it looks
like I won't get my way...

> However, this may mean more hardware (e.g. distributing FSMO roles).

How many servers do you need? We currently have an NT4 domain, consisting of
(obviously) 1 PDC and also 1 BDC. We also have 2 other servers to play with.
I think that gives us enough...

> What about travelling users?

What about them?

> You really need to assess the impact of p/w
> changes on replication traffic.

I definitely agree. Sounds like something that's bloody hard to test though!

> The EA group is very powerful and should only contain members who really
> understand AD and know your enterprise.

OK, that rules out most of our IT staff then... (And probably me too, if
we're honest.)

> Some rights can be removed from the
> EA group, but be careful, as things can stop working if the wrong rights are
> removed!

Hmm... sounds waaay too dangerous... I think we'll just leave it alone!

> I do not know your environment, but IMHO, a single forest and a single
> domain (with an empty root) is the best way to go. Start with the simplest
> design and then find reasons why you should make extra forests or domains.

Reasons? OK, well:
1. The USA has thousands of times more users than us.
2. The USA has no idea how we operate over here.
3. The USA don't seem to have a clue what they're doing. (I'm probably not
supposed to say that...)

Thanks.
 