Subdomains

[plumbsquareltd]

I am just beginning to create a network for my new company, and I would like
to get some opinions on subdomains. I am going to have anywhere from 40-100
remote facilities that will all be VPN into our corp HQ, and I am not sure
if I should break down geographic areas into subdomains or just add
additional domain controllers to the parent domain and place them in
seperate geographic areas. I am over my head at this point, and would like
to know what the real benefit is to the subdomain or if it really even makes
sense in my situation.

Thanks,

Randy Whitehead

 

[Herb Martin]

I am just beginning to create a network for my new company, and I would
like to get some opinions on subdomains. I am going to have anywhere from
40-100 remote facilities that will all be VPN into our corp HQ, and I am
not sure if I should break down geographic areas into subdomains or just
add additional domain controllers to the parent domain and place them in
seperate geographic areas.

It's impossible to say from such limited information --
and probably without a further discussion of the trade-offs
but here is a guide:

Assume ONE domain until you find positive reasons for
splitting it. Then weigh the advantages/need against the
costs and extra work.

I am over my head at this point, and would like to know what the real
benefit is to the subdomain or if it really even makes sense in my
situation.

Sites are designed to solve your main problem - to
control replication to remote locations.

Domains give other advantages that you don't indicate
are needed but in RARE cases domains are able to
assist in the control of replication but if your WANS
have reasonably available bandwidth and/or you have
a fairly small populatation (users/computers) Sites
will normally cover you.

Reasons for creating Domains include:

1) Complete Delegation of control (to other admins) or
to mirror NT structurs -- but USUALLY OUs will
cover these needs.

2) Massive number of objects vs. poor WAN Lines
(many books treat these separate but as the number
of users go UP and the WAN line speeds go DOWN
things get worse.) With high speed lines millions
of users are possible so don't think these are trivially
small limits.

3) Different security ACCOUNT policies -- Password,
Lockout, Kerberos -- these three are set at the DOMAIN
level (not OU or Site) only.

4) Miscellaneous -- anything that requires a different Forest
or different tree cause a separate domain by definition.

Sites allow Active Directory (administrators) to control replication
in ways that will answers most needs.

I am over my head at this point, and would like

You may need the (temporary) services of a competent consultant.