Matt,
There is usually no reason to have multiple Domains. Now, before everyone
jumps on me for this very general comment, let me get into more detail!
In most situations a single domain model is desirable. Now, you can have an
empty root if you so desire. Microsoft is actually moving away from
suggesting this now. What do you benefit from having a single domain model?
Ease of administration, reduction in overhead ( and hardware ), etc. etc.
etc.
So, what if I have one domain but have 17 different physical locations? Not
a problem. You simply make use of Active Directory Sites and Services. So,
you keep your single domain but set up the 17 different physical locations
as Sites, create the appropriate Subnets and then associate each Subnet with
the correct Site. You would have both Intrasite Replication ( between the
Domain Controllers that are located in each Site ) and Intersite Replication
( between each Bridgehead Server in each Site - or however the KCC, the
Knowledge Consistency Checker, and its little buddy the ISTG, the Intersite
Topology Generator, configure things ). Do you need a Domain Controller in
each Site? Well, not really but you should consider it. There are many who
would say that you should have a DC in each Site. I am generally one of
those people. But is it a technical requirement? No. In a situation where
you have three users in a Site you do not necessarily need to have a DC in
that Site. But that is open for discussion and I am simply providing
****very general**** considerations. One thing that you would want to
consider having would be a Site-to-Site VPN between each location *IF* you
have a public connection between each remote location and the HQ. So, if
you have a private T1 between each remote Site and the HQ you would probably
not need to have the Site-to-Site VPN ( aka Firewall-to-Firewall VPN ).
SonicWall has some nice Firewalls. I do not even need to mention Cisco's
PIX. There are others as well.
What do Sites afford you? Well, besides the obvious, Sites afford you two
things mainly: controlling Active Directory Replication and assisting user
logons. You see, the way things are supposed to work ( and they do not
always due to 'generic' records ) is that each WIN2000 and WIN XP Pro system
is supposed to authenticate against a DC in its Site ( based on IP
Address - thus the need to set up the Subnets in the ADSS MMC and then
associate each Subnet with the correct Site ). If a DC is not available in
that Site then it will look for another 'closest' DC and use that one.
Sometimes this is over a WAN link. You do not really want this generally
speaking.
So, what does this all have to do with a single domain model vs. the multiple
domains that you currently have? Pretty much everything. A lot of really
good WINNT 4.0 Admins who are not familiar with WIN2000 Active Directory
will not make use of the new features that Active Directory offers and
continue with the NT 4.0 way. They are still in the WINNT 4.0 mode of
thinking. This is a bit limiting and leads to a less than efficient way of
doing things. Generally speaking.
So, how would you go about this? Well, you did not mention if you are
already at WIN2000 or still in WINNT 4.0. If you are in WINNT 4.0 then you
could create a WIN2000 forest, create a trust between WIN2000 and WINNT 4.0
and use the Active Directory Migration Tool ( ADMT v2.0 ). This would be
the beginning of a very large undertaking - assuming that you have many
WINNT 4.0 domains to collapse.
Exchange is another issue. That would be best posted in the Exchange
2000.Admin newsgroup.
HTH,
Cary
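As an added illustration (not part of Cary's post), here is the single-domain, many-sites layout he describes, scripted with the ActiveDirectory PowerShell module, which postdates this thread (Windows Server 2012 or later). The hub name, branch names and subnets are constructed sample values, and the hub-and-spoke site-link cost and interval are assumptions.

```powershell
# Added example: one domain, one Site per physical location, each Subnet tied to its Site.
# Assumes the ActiveDirectory module (Windows Server 2012+) and Domain Admin rights.
# Site names and subnets are constructed sample data, not real addressing.
Import-Module ActiveDirectory

$hubSite  = 'HQ'
$branches = @(
    @{ Name = 'Branch01'; Subnets = @('10.1.0.0/24') }
    @{ Name = 'Branch02'; Subnets = @('10.2.0.0/24', '10.2.1.0/24') }
)

# Create the hub Site and one Site per branch (idempotent: skip any that already exist).
$allSites = @($hubSite) + ($branches | ForEach-Object { $_.Name })
foreach ($siteName in $allSites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
}

foreach ($branch in $branches) {
    # Associate each Subnet with its Site so the DC locator sends clients to a local DC.
    foreach ($cidr in $branch.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $branch.Name
        }
    }
    # Explicit hub-and-spoke Site Link so Intersite Replication has a known cost and schedule
    # (the ISTG picks bridgehead servers from these links). Cost/interval are assumed values.
    $linkName = "$hubSite-$($branch.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hubSite, $branch.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Check 1: a Subnet with no Site means clients there fall back to "any DC", often across the WAN.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    Select-Object Name, @{ n = 'Problem'; e = { 'subnet not associated with a site' } }

# Check 2: a Site with no DC authenticates over a WAN link (the "consider a DC in each Site" point).
$dcSites = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Site -Unique
Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $dcSites } |
    Select-Object Name, @{ n = 'Problem'; e = { 'no domain controller in site' } }

# Check 3 (run on a client): which Site did the DC locator place this machine in?
nltest /dsgetsite
```

The two checks are the ones to rerun after any addressing change; a client reporting the wrong Site in `nltest /dsgetsite` almost always traces back to a missing or mis-associated Subnet.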