Active Directory in a huge single forest

Anonymous
January 26, 2005 12:07:09 PM

Archived from groups: microsoft.public.win2000.active_directory

Hello,

I just got asked to provide a 'worst-case' report for our enterprise
active directory.

The architecture chosen was a single forest/multiple domain model. At
that time, that was what MS was recommending for enterprises. Since then
that recommendation has changed, but this is already in production and
migration has started. Win2K servers are the current infrastructure
servers (DCs, FSMOs, etc.). Eventually we are talking 50000+
workstations in this forest.

For reasons that I won't get into here, there are/will be 2000+ domain
controllers spread across the multiple domains, spread all over the
world.

Reading the best practices recommendations for AD recovery published by
Microsoft, it lists in its recovery steps that you must switch off
every DC. You can well see that this would be a significant impact,
with business continuity implications.

Now there are mitigating factors: only 3 enterprise admins, very
strenuous change control and testing for the schema (Microsoft called
it one of the best implementations it has seen). MS stated that a full
forest meltdown has only occurred three times, all related to poor
planning and implementation.

I guess what I am asking is, do you see anything in Windows 2003 that
would mitigate this? A migration is planned but not in the near future.
Is there anything (high-level) that we can do right now to reduce the
(minuscule) risk even further? A cost-benefit analysis was performed on
migrating to a multiple forest model, but this would cost more than the
current NT -> 2000/XP migration that we are going through right now.

I know my questions are pretty broad, just a good discussion on this
subject would be very helpful.

Thanks,
Anonymous
January 26, 2005 11:07:58 PM

Archived from groups: microsoft.public.win2000.active_directory

<jfprieur@gmail.com> wrote in message
news:1106759229.170064.161300@c13g2000cwb.googlegroups.com...
> Hello,
>
> I just got asked to provide a 'worst-case' report for our enterprise
> active directory.
>
> The architecture chosen was a single forest/multiple domain model. At
> that time, that was what MS was recommending for enterprises. Since then
> that recommendation has changed, but this is already in production and
> migration has started.

It is still correct in many instances.

> Win2K servers are the current infrastructure
> servers (DCs, FSMOs, etc.). Eventually we are talking 50000+
> workstations in this forest.

That is not "huge" -- it's on the low side of large for AD.

> For reasons that I won't get into here, there are/will be 2000+ domain
> controllers spread across the multiple domains, spread all over the
> world.
>
> Reading the best practices recommendations for AD recovery published by
> Microsoft, it lists in its recovery steps that you must switch off
> every DC. You can well see that this would be a significant impact,
> with business continuity implications.

What KB? Most people never have to do that.

> Now there are mitigating factors: only 3 enterprise admins, very
> strenuous change control and testing for the schema (Microsoft called
> it one of the best implementations it has seen). MS stated that a full
> forest meltdown has only occurred three times, all related to poor
> planning and implementation.
>
> I guess what I am asking is, do you see anything in Windows 2003 that
> would mitigate this? A migration is planned but not in the near future.

Improved replication is one of the main improvements of
Win2003.

> Is there anything (high-level) that we can do right now to reduce the
> (minuscule) risk even further? A cost-benefit analysis was performed on
> migrating to a multiple forest model, but this would cost more than the
> current NT -> 2000/XP migration that we are going through right now.

You are likely better off the way you are IF it is currently
replicating with no significant problems (I would bet.)

> I know my questions are pretty broad, just a good discussion on this
> subject would be very helpful.

What sort of WANs?

Why so many DCs?

How many Sites?

How are your Site Links and Site Link Bridge (groups) set up?


--
Herb Martin
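The questions Herb asks (how many DCs, how many sites, how the site links and bridges are set up, and whether the forest is "currently replicating with no significant problems") can all be answered read-only from the configuration partition. The script below is an added example, not code from either poster, and it assumes the ActiveDirectory PowerShell module that ships with RSAT on Windows Server 2008 R2 and later (it did not exist for the Win2K environment in the thread); it uses only documented cmdlets, runs against the forest the machine is joined to, and changes nothing.

```powershell
# Added example: inventory the forest facts behind the questions above.
# Assumes the ActiveDirectory module and read access to the configuration partition.
# Read-only: nothing here modifies the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  Forest mode: $($forest.ForestMode)"
# Forest-wide FSMO roles: the two that a forest recovery would have to seize or rebuild.
Write-Host "Schema master: $($forest.SchemaMaster)  Domain naming master: $($forest.DomainNamingMaster)"

# How many DCs, and per domain? Record the domain-level FSMO holders alongside.
$dcTotal = 0
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    $dcTotal += $dcs.Count
    Write-Host ("Domain {0}: {1} DC(s); PDC={2} RID={3} Infra={4}" -f `
        $domainName, $dcs.Count, $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
}
Write-Host "Total DCs in forest: $dcTotal"

# How many sites?
$sites = @(Get-ADReplicationSite -Filter *)
Write-Host "Sites: $($sites.Count)"

# Turn a list of site/link distinguished names into short CN names for display.
function ConvertTo-ShortName {
    param([object[]]$DistinguishedNames)
    ($DistinguishedNames | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
}

# Site links: cost and replication interval decide the intersite topology the KCC builds.
Write-Host "Site links:"
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ Name = 'Sites'; Expression = { ConvertTo-ShortName $_.SitesIncluded } } |
    Format-Table -AutoSize

# Site link bridges: only meaningful when "Bridge all site links" has been turned off.
Write-Host "Site link bridges:"
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    Select-Object Name,
        @{ Name = 'Links'; Expression = { ConvertTo-ShortName $_.SiteLinksIncluded } } |
    Format-Table -AutoSize

# Is it replicating cleanly? Summarise recorded inbound replication failures per DC.
$failures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest)
if ($failures.Count -eq 0) {
    Write-Host "No replication failures recorded."
} else {
    Write-Host "Replication failures by server (oldest first failure shown):"
    $failures |
        Group-Object Server |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Server'; Expression = { $_.Name } }, Count,
            @{ Name = 'OldestFailure'; Expression = {
                ($_.Group | Sort-Object FirstFailureTime | Select-Object -First 1).FirstFailureTime } } |
        Format-Table -AutoSize
}
```

Run it from a management host with the RSAT AD tools installed, as an account that can read the configuration partition (any authenticated domain user can, by default). The failure summary is the part worth scheduling: a forest with 2000 DCs will always show some transient failures, so what matters is a server whose oldest failure is days old, which is exactly the "significant problem" Herb's advice is conditional on.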
