AD design and flat AD network

Archived from groups: microsoft.public.win2000.active_directory

Can anyone point me to any article which discusses AD design and arguments
in favor or not for having a flat AD (several offices across three
continents but only one forest with a child domain) versus distributed (one
forest with several child domains)?

Thanks
  1.

    "DavidM" <DavidM@newsgroup.nospam> wrote in message
    news:OnCILpngFHA.3296@TK2MSFTNGP10.phx.gbl...
    > Can anyone point me to any article which discusses AD design and arguments
    > in favor or not for having a flat AD (several offices across three
    > continents but only one forest with a child domain) versus distributed (one
    > forest with several child domains)?

    There are plenty on the Microsoft web site. (Google should find
    them easily).

    But there are fairly clear reasons for each decision:

    Multiple Forests:

    1) Complete autonomy
    e.g. Separate companies with no desire to generally share
    resources

    2) Different schemas -- hard rule since the schema is forest wide

    Multiple domains

    1) Separation of control by different admins
    (usually OUs can work here)

    2) Mirror NT domains -- especially during upgrade/migration but
    again OUs can usually handle this at some point in the process

    3) Massive number of objects and... (AD was designed for
    millions)
    4) Control replication -- seldom needed since Sites do this in most
    cases

    But notice: #3 and #4 work together, as the number of objects
    increases and the speed of the WAN lines goes down a domain
    may need to be split where in another environment it would not.

    5) Different "Security Account Policies" -- the Password, Lockout,
    and Kerberos policies are PER Domain.

    6) Geopolitical issues -- laws and practices that force separation
    (this is really a variety of #1 but for perhaps different, external
    reasons.) It is also perhaps relevant to your multinational
    situation.

    7) Technically a need for SMTP replication will force separate domains
    as well, but this is so rare as to almost go unremarked.

    Of course anything that forces separate forests also forces a separate
    domain.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

  2.

    Herb,

    Say for example you have a single AD domain that spans 5 countries, and each
    country has multiple sites. What would you recommend for the best ADS&S
    structure? (all sites in all countries have minimum 512k VPN links back to a
    single site in the UK (much like the centre of a wheel with its spokes),
    the directory has no more than 20000 objects, nothing major changes) I've
    seen some designs before that look very complicated, and some that look very
    simple (like all sites being in the same site link for example)

    I'm really interested in your thoughts/views on this one. A company I work
    for is about to roll out AD across the globe, as explained roughly above.
    Would be good to hear how you would tackle it.


  3.

    > Say for example you have a single AD domain that spans 5 countries, and each
    > country has multiple sites. What would you recommend for the best ADS&S
    > structure? (all sites in all countries have minimum 512k VPN links back to a
    > single site in the UK (much like the centre of a wheel with its spokes),
    > the directory has no more than 20000 objects, nothing major changes) I've
    > seen some designs before that look very complicated, and some that look very
    > simple (like all sites being in the same site link for example)

    More than 2 Sites in the same Site Link is a concept that is commonly
    misunderstood.

    All that this does is give the Sites a link between each pair that shares
    the three (essential) configuration parameters:

    1) Cost
    2) Schedule
    3) Frequency

    It is just a convenient way to say that all (5) sites are equally connected,
    or rather should be treated as if they were.

    It would seem more accurate with a single hub site to create a Site Link
    with the hub and each of the other sites.

    > I'm really interested in your thoughts/views on this one. A company I work
    > for is about to roll out AD across the globe, as explained roughly above.
    > Would be good to hear how you would tackle it.

    Simple. As simple as possible and no simpler.

    But much depends on the current setups, even the countries, and the
    actual requirements as referenced against the rules I provided you
    above for deciding Domain and Forest counts.

    My first assumption is 1 domain per company until proven wrong (or
    rather inadequate).

    With multiple countries involved I usually modify this to 1 domain per
    company OR per country with a single forest until proven inadequate.

    Germany for instance has (had?) some odd "unwritten laws" about
    local management of companies that operate within Germany.

    (This was mentioned by the Microsoft AD designers back when they
    designed the Microsoft European domains.)

    You may call me if you wish.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

  4.

    Herb,

    Thank you for your reply - much appreciated and useful.

    The company is more of a 'group' of companies preparing to harmonise. Some
    VPN tunnels between the various countries and the UK are starting to be
    built. Most of the network services, i.e. Exchange, Oracle etc., will be
    hosted from the UK. All IT staff will eventually become part of an
    international team : )

    Thanks for the offer to call as well, I guess you're a busy guy, and in my
    opinion you do enough with your contributions here without me calling. But
    thanks again all the same.

    Cheers.

  5.

    "ade" <someone@nowhere.com> wrote in message
    news:OJH9AnzgFHA.2424@TK2MSFTNGP09.phx.gbl...
    > Herb,
    >
    > Thank you for your reply - much appreciated and useful.
    >
    > The company is more of a 'group' of companies preparing to harmonise. Some
    > VPN tunnels between the various countries and the UK are starting to be
    > built. Most of the network services, i.e. Exchange, Oracle etc., will be
    > hosted from the UK. All IT staff will eventually become part of an
    > international team : )

    This does sound like multiple domains on first glance.

    It may not be "per country" though but rather "per operating
    unit/company" since they are separate companies and there
    might be much site overlap.

    Sites cover WAN issues well. Domains are much more about
    authentication-sharing and span-of-control (admin) issues.

    > Thanks for the offer to call as well, I guess you're a busy guy, and in my
    > opinion you do enough with your contributions here without me calling. But
    > thanks again all the same.

    Ok. (I will charge you if it gets excessive <grin> but I do like
    solving problems and helping people.)
  6.

    Hi again Herb,

    They are different operating units at present, but are in the process of all
    joining and singing out of the same hymn book, as it were.

    I think the single domain will work for us, as we encourage trust between
    staff members, and can easily delegate out admin tasks per OU if needed.

    Thanks for your input, I think perhaps either the hub strategy for ADS&S you
    mentioned will work for us, or just having one site link may as well. All
    the sites will have permanent connectivity, and as I mentioned, the
    directory is not huge and never has any 'major' changes.

    Thanks for your help again mate, if I lived in the states I'd be tempted to
    do your course.


  7.

    "ade" <someone@nowhere.com> wrote in message
    news:uKnKdd6gFHA.1480@TK2MSFTNGP10.phx.gbl...
    > Hi again Herb,
    >
    > They are different operating units at present, but are in the process of all
    > joining and singing out of the same hymn book, as it were.
    >
    > I think the single domain will work for us, as we encourage trust between
    > staff members, and can easily delegate out admin tasks per OU if needed.
    >
    > Thanks for your input, I think perhaps either the hub strategy for ADS&S you
    > mentioned will work for us, or just having one site link may as well. All
    > the sites will have permanent connectivity, and as I mentioned, the
    > directory is not huge and never has any 'major' changes.
    >
    > Thanks for your help again mate, if I lived in the states I'd be tempted to
    > do your course.

    Normally the site links should MATCH your physical WAN lines.

    If it is a hub, you likely should hub out the sites. (Otherwise you get
    strange connections when that isn't proper or ideal.)

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

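Herb's two points in this thread, that a site link carries exactly the three settings cost, schedule and frequency (answer 3), and that links should mirror the physical hub-and-spoke WAN rather than lumping every site into one link (answer 7), as an added PowerShell example that is not from the thread or from Herb. It assumes the ActiveDirectory module (newer tooling than the Windows 2000 era this thread dates from), that the sites already exist, and constructed site names for a UK hub with five country spokes.

```powershell
# Added example, not from the thread: create one site link per physical WAN
# line (hub <-> spoke) and then audit for links that bundle more than two sites.
# Requires the ActiveDirectory module and rights to write the Sites container.
Import-Module ActiveDirectory

$Hub    = 'UK-London'                                                   # constructed
$Spokes = 'DE-Berlin', 'FR-Paris', 'ES-Madrid', 'IT-Milan', 'NL-Amsterdam'  # constructed

function New-HubSpokeSiteLinks {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $HubSite,
        [Parameter(Mandatory)] [string[]] $SpokeSites,
        [int] $Cost = 100,                # equal 512k VPNs, so equal cost on every spoke
        [int] $FrequencyMinutes = 15,     # minimum inter-site interval AD allows
        # Schedule left unset keeps the link open 24x7. Closing hours delays ALL
        # inter-site replication, including account disables, so narrow it with care.
        [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule] $Schedule
    )
    foreach ($spoke in $SpokeSites) {
        $name = "$HubSite-$spoke"
        if (Get-ADReplicationSiteLink -Filter "Name -eq '$name'") {
            Write-Verbose "Site link $name already exists; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create site link')) {
            $params = @{
                Name                          = $name
                SitesIncluded                 = @($HubSite, $spoke)  # one WAN line = one link
                Cost                          = $Cost
                ReplicationFrequencyInMinutes = $FrequencyMinutes
                InterSiteTransportProtocol    = 'IP'
            }
            if ($Schedule) { $params['ReplicationSchedule'] = $Schedule }
            New-ADReplicationSiteLink @params
        }
    }
}

function Test-SiteLinkTopology {
    # Lists every link with its three essential parameters and flags any link
    # holding more than two sites, i.e. the "all sites in one link" design.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        ForEach-Object {
            $sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
            [pscustomobject]@{
                Name      = $_.Name
                Cost      = $_.Cost
                Frequency = $_.ReplicationFrequencyInMinutes
                Sites     = $sites -join ', '
                MultiSite = ($sites.Count -gt 2)
            }
        }
}

# Dry run first, then for real; then audit the result.
New-HubSpokeSiteLinks -HubSite $Hub -SpokeSites $Spokes -WhatIf
New-HubSpokeSiteLinks -HubSite $Hub -SpokeSites $Spokes
Test-SiteLinkTopology | Format-Table -AutoSize
```

Any spoke still listed in DEFAULTIPSITELINK after the audit can be removed from it with `Set-ADReplicationSiteLink DEFAULTIPSITELINK -SitesIncluded @{Remove=$Spokes}`, so the KCC only sees the hub links.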