AD design and flat AD network

Anonymous
July 6, 2005 7:30:16 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Can anyone point me to any article which discusses AD design and the arguments
for or against having a flat AD (several offices across three
continents but only one forest with a child domain) versus a distributed one
(one forest with several child domains)?

Thanks


Anonymous
July 7, 2005 12:12:52 AM



There are plenty on the Microsoft web site. (Google should find
them easily).

But there are fairly clear reasons for each decision:

Multiple Forests:

1) Complete autonomy
e.g. separate companies with no desire to generally share
resources

2) Different schemas -- hard rule since the schema is forest wide

Multiple domains

1) Separation of control by different admins
(usually OUs can work here)

2) Mirror NT domains -- especially during upgrade/migration, but
again OUs can usually handle this at some point in the process

3) Massive number of objects and... (AD was designed for
millions)

4) Control replication -- seldom needed since Sites do this in most
cases

But notice: #3 and #4 work together; as the number of objects
increases and the speed of the WAN lines goes down, a domain
may need to be split where in another environment it would not.

5) Different "Security Account Policies" -- the Password, Lockout,
and Kerberos policies are PER Domain.

6) Geopolitical issues -- laws and practices that force separation
(this is really a variety of #1 but for perhaps different, external
reasons). It is also perhaps relevant to your multinational
situation.

7) Technically a need for SMTP replication will force separate domains
as well, but this is so rare as to almost go unremarked.

Of course anything that forces separate forests also forces a separate
domain.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
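The following is an added PowerShell example and is not part of Herb's post or anything else from the newsgroup. It turns his reason #5 (password, lockout and Kerberos policies are per domain) into a check you can run before settling on a domain count: it lists the default account policy of every domain in the forest, and shows the in-domain alternative, a fine-grained password policy, which since Windows Server 2008 lets password and lockout settings differ inside one domain (Kerberos policy stays domain-wide, so that part of his point still stands). The function names, the PSO name and values, and the 'Domain Admins' subject group are illustrative assumptions; it needs the RSAT ActiveDirectory module and read access to each domain.

```powershell
# Added example, not from the thread. Inventories the security account
# policies that are per-domain across every domain in the forest, so the
# "one domain until proven inadequate" decision is made on evidence, and
# shows the in-domain alternative (a fine-grained password policy) for the
# case where only a subset of accounts needs stricter rules.
# Assumptions: RSAT ActiveDirectory module present, read access to each
# domain; PSO name, values and subject group are illustrative only.
Import-Module ActiveDirectory

function Get-ForestAccountPolicyInventory {
    foreach ($domainName in (Get-ADForest).Domains) {
        # Find a DC running ADWS in that domain so the query is answered
        # by the domain whose policy we are reading, not the local one.
        $dc  = (Get-ADDomainController -DomainName $domainName -Discover -Service ADWS).HostName[0]
        $pol = Get-ADDefaultDomainPasswordPolicy -Identity $domainName -Server $dc
        $psoNames = Get-ADFineGrainedPasswordPolicy -Filter * -Server $dc |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Domain               = $domainName
            MinPasswordLength    = $pol.MinPasswordLength
            PasswordHistoryCount = $pol.PasswordHistoryCount
            MaxPasswordAgeDays   = $pol.MaxPasswordAge.Days
            ComplexityEnabled    = $pol.ComplexityEnabled
            ReversibleEncryption = $pol.ReversibleEncryptionEnabled   # should be False everywhere
            LockoutThreshold     = $pol.LockoutThreshold              # 0 means no lockout at all
            LockoutDurationMin   = $pol.LockoutDuration.TotalMinutes
            LockoutWindowMin     = $pol.LockoutObservationWindow.TotalMinutes
            FineGrainedPolicies  = ($psoNames -join ', ')
        }
    }
}

function New-PrivilegedAccountPso {
    # In-domain alternative to a separate domain: a PSO that applies stricter
    # password and lockout rules to one group only. Needs domain functional
    # level 2008 or higher; when several PSOs apply, the lowest Precedence wins.
    param(
        [string] $Name  = 'PSO-PrivilegedAccounts',   # assumed name
        [string] $Group = 'Domain Admins'             # assumed subject group
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge '365.00:00:00' -MinPasswordAge '1.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

# Read-only usage: domains whose rows differ are the ones where the
# "different account policies" argument for a separate domain is real.
Get-ForestAccountPolicyInventory | Format-Table -AutoSize

# Write usage (run deliberately, in the domain that needs it):
# New-PrivilegedAccountPso -Name 'PSO-PrivilegedAccounts' -Group 'Domain Admins'
```

Reversible encryption enabled or a lockout threshold of 0 in any row is worth fixing before the design discussion continues, whatever the domain count ends up being.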

July 7, 2005 5:48:00 PM


Herb,

Say for example you have a single AD domain that spans 5 countries, and each
country has multiple sites. What would you recommend for the best ADS&S
structure? (All sites in all countries have minimum 512k VPN links back to a
single site in the UK (much like the centre of a wheel with its spokes),
the directory has no more than 20000 objects, nothing major changes.) I've
seen some designs before that look very complicated, and some that look very
simple (like all sites being in the same site link, for example).

I'm really interested in your thoughts/views on this one. A company I work
for is about to roll out AD across the globe, as explained roughly above.
Would be good to hear how you would tackle it.


Anonymous
July 7, 2005 5:48:01 PM


> Say for example you have a single AD domain that spans 5 countries, and each
> country has multiple sites. What would you recommend for the best ADS&S
> structure? (All sites in all countries have minimum 512k VPN links back to a
> single site in the UK (much like the centre of a wheel with its spokes),
> the directory has no more than 20000 objects, nothing major changes.) I've
> seen some designs before that look very complicated, and some that look very
> simple (like all sites being in the same site link, for example).

More than 2 Sites in the same Site Link is a concept that is commonly
misunderstood.

All that this does is give the Sites a link between each pair that shares
the three (essential) configuration parameters:

1) Cost
2) Schedule
3) Frequency

It is just a convenient way to say that all (5) sites are equally connected,
or rather should be treated as if they were.

It would seem more accurate with a single hub site to create a Site Link
with the hub and each of the other sites.

> I'm really interested in your thoughts/views on this one. A company I work
> for is about to roll out AD across the globe, as explained roughly above.
> Would be good to hear how you would tackle it.

Simple. As simple as possible and no simpler.

But much depends on the current setups, even the countries, and the
actual requirements as referenced against the rules I provided you
above for deciding Domain and Forest counts.

My first assumption is 1 domain per company until proven wrong (or
rather inadequate).

With multiple countries involved I usually modify this to 1 domain per
company OR per country with a single forest until proven inadequate.

Germany for instance has (had?) some odd "unwritten laws" about
local management of companies that operate within Germany.

(This was mentioned by the Microsoft AD designers back when they
designed the Microsoft European domains.)

You may call me if you wish.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

July 8, 2005 2:20:54 AM


Herb,

Thank you for your reply - much appreciated and useful.

The company is more of a 'group' of companies preparing to harmonise. Some
VPN tunnels between the various countries and the UK are starting to be
built. Most of the network services, i.e. Exchange, Oracle etc., will be
hosted from the UK. All IT staff will eventually become part of an
international team : )

Thanks for the offer to call as well, I guess you're a busy guy, and in my
opinion you do enough with your contributions here without me calling. But
thanks again all the same.

Cheers.

Anonymous
July 8, 2005 2:42:51 AM


"ade" <someone@nowhere.com> wrote in message
news:o JH9AnzgFHA.2424@TK2MSFTNGP09.phx.gbl...
> Herb,
>
> Thank you for your reply - much appreciated and useful.
>
> The company is more of a 'group' of companies preparing to harmonise. Some
> VPN tunnels between the various countries and the UK are starting to be
> built. Most of the network services, i.e. Exchange, Oracle etc., will be
> hosted from the UK. All IT staff will eventually become part of an
> international team : )

This does sound like multiple domains on first glance.

It may not be "per country" though but rather "per operating
unit/company" since they are separate companies and there
might be much site overlap.

Sites cover WAN issues well. Domains are much more about
authentication-sharing and span-of-control (admin) issues.

> Thanks for the offer to call as well, I guess you're a busy guy, and in my
> opinion you do enough with your contributions here without me calling. But
> thanks again all the same.

Ok. (I will charge you if it gets excessive <grin> but I do like
solving problems and helping people.)
July 8, 2005 3:25:23 PM


Hi again Herb,

They are different operating units at present, but are in the process of all
joining and singing out of the same hymn book, as it were.

I think the single domain will work for us, as we encourage trust between
staff members, and can easily delegate out admin tasks per OU if needed.

Thanks for your input, I think perhaps either the hub strategy for ADS&S you
mentioned will work for us, or just having one site link may as well. All
the sites will have permanent connectivity, and as I mentioned, the
directory is not huge and never has any 'major' changes.

Thanks for your help again mate, if I lived in the States I'd be tempted to
do your course.



Anonymous
July 8, 2005 3:25:24 PM



Normally the site links should MATCH your physical WAN lines.

If it is a hub, you likely should hub out the sites. (Otherwise you get
strange connections when that isn't proper or ideal.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
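Added example, not code from the thread: Herb's advice directly above (site links should match the physical WAN lines; with a hub, hub out the sites) and his earlier point that putting all five sites in one site link merely declares every pair of sites equally connected, expressed as PowerShell. The first function creates one site link per physical VPN path and takes each spoke out of DEFAULTIPSITELINK; the second reads the connection objects the KCC/ISTG generated and reports any that would replicate directly between two spoke sites, which is the "strange connection" to look for. Site names, cost and replication interval are assumptions; it needs the ActiveDirectory module from Windows Server 2012 or later RSAT and rights on the Configuration partition.

```powershell
# Added example, not from the thread. Builds hub-and-spoke site links that
# match a physical topology of one VPN tunnel per country back to a UK hub,
# then checks that the KCC/ISTG has not created a connection object that
# would replicate directly between two spoke sites.
# Assumptions: site names, cost and interval below are illustrative; the
# ActiveDirectory module (RSAT, Windows Server 2012+) is available and the
# caller may write to the Configuration partition.
Import-Module ActiveDirectory

function New-HubSpokeSiteLinks {
    param(
        [Parameter(Mandatory)] [string]   $Hub,
        [Parameter(Mandatory)] [string[]] $Spokes,
        [int] $Cost = 100,            # same cost on every spoke: the links are equal
        [int] $IntervalMinutes = 15   # replication frequency; 15 is the minimum
    )
    foreach ($spoke in $Spokes) {
        $name = "$Hub-$spoke"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
            # One link per physical WAN path: the hub plus exactly one spoke.
            New-ADReplicationSiteLink -Name $name `
                -SitesIncluded $Hub, $spoke `
                -Cost $Cost `
                -ReplicationFrequencyInMinutes $IntervalMinutes `
                -InterSiteTransportProtocol IP
        }
        # Move the spoke out of the catch-all DEFAULTIPSITELINK. While it is a
        # member there, every spoke pair looks directly reachable to the ISTG.
        $default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'
        if ($default.SitesIncluded -match "^CN=$spoke,") {
            Set-ADReplicationSiteLink -Identity $default -SitesIncluded @{ Remove = $spoke }
        }
    }
}

function Get-SpokeToSpokeConnections {
    param([Parameter(Mandatory)] [string] $Hub)
    # A connection object sits under the destination DC's NTDS Settings and
    # names the source DC's NTDS Settings in ReplicateFromDirectoryServer.
    # Both DNs contain ",CN=Servers,CN=<Site>,CN=Sites,", so the site of each
    # end is read straight from the DN without another directory query.
    $siteOf = {
        param([string] $dn)
        if ($dn -match ',CN=Servers,CN=([^,]+),CN=Sites,') { $Matches[1] }
    }
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        $from = & $siteOf $_.ReplicateFromDirectoryServer
        $to   = & $siteOf $_.ReplicateToDirectoryServer
        # Intra-site connections and anything touching the hub are expected;
        # a spoke-to-spoke connection means the topology does not match the WAN.
        if ($from -and $to -and $from -ne $to -and $from -ne $Hub -and $to -ne $Hub) {
            [pscustomobject]@{ Connection = $_.Name; FromSite = $from; ToSite = $to }
        }
    }
}

# Usage with illustrative site names. Empty output from the check is the
# desired result; the KCC may need a replication cycle after the link change.
New-HubSpokeSiteLinks -Hub 'UK-London' -Spokes 'DE-Frankfurt', 'FR-Paris', 'ES-Madrid', 'NL-Amsterdam'
Get-SpokeToSpokeConnections -Hub 'UK-London'
```

Schedule, the third parameter Herb lists, is left at its default (always available) here; it is set per link with Set-ADReplicationSiteLink -ReplicationSchedule. With only hub-spoke links defined, the cheapest path between two spokes is through the hub (cost 200 via automatic site link bridging), so the ISTG has no cheaper direct route to choose, which is what makes the generated topology follow the VPN tunnels.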
