Archived from groups: microsoft.public.win2000.active_directory
Herb,
Thank you for your reply - much appreciated and useful.
The company is more of a 'group' of companies preparing to harmonise. Some
VPN tunnels between the various countries and the UK are starting to be
built. Most of the network services i.e. Exchange, Oracle etc. will be
hosted from the UK. All IT staff will eventually become part of an
international team : )
Thanks for the offer to call as well, I guess you're a busy guy, and in my
opinion you do enough with your contributions here without me calling. But
thanks again all the same.
Cheers.
"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23QN2diwgFHA.2916@TK2MSFTNGP14.phx.gbl...
>> Say for example you have a single AD domain that spans 5 countries, and
>> each country has multiple sites. What would you recommend for the best
>> ADS&S structure? (all sites in all countries have minimum 512k VPN links
>> back to a single site in the UK (much like the centre of a wheel with its
>> spokes), the directory has no more than 20000 objects, nothing major
>> changes) I've seen some designs before that look very complicated, and
>> some that look very simple (like all sites being in the same site link
>> for example)
>
> More than 2 Sites in the same Site Link is a concept that is commonly
> misunderstood.
>
> All that this does is give the Sites a link between each pair that shares
> the three (essential) configuration parameters:
>
> 1) Cost
> 2) Schedule
> 3) Frequency
>
> It is just a convenient way to say that all (5) sites are equally
> connected, or rather should be treated as if they were.
>
> It would seem more accurate with a single hub site to create a Site Link
> with the hub and each of the other sites.
>
>> I'm really interested in your thoughts/views on this one. A company I
>> work for is about to roll out AD across the globe, as explained roughly
>> above. Would be good to hear how you would tackle it.
>
> Simple. As simple as possible and no simpler.
>
> But much depends on the current setups, even the countries, and the
> actual requirements as referenced against the rules I provided you
> above for deciding Domain and Forest counts.
>
> My first assumption is 1 domain per company until proven wrong (or
> rather inadequate).
>
> With multiple countries involved I usually modify this to 1 domain per
> company OR per country with a single forest until proven inadequate.
>
> Germany for instance has (had?) some odd "unwritten laws" about
> local management of companies that operate within Germany.
>
> (This was mentioned by the Microsoft AD designers back when they
> designed the Microsoft European domains.)
>
> You may call me if you wish.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> "ade" <someone@nowhere.com> wrote in message
> news:O6gjfIvgFHA.3316@TK2MSFTNGP14.phx.gbl...
>> Herb,
>>
>> "Herb Martin" <news@LearnQuick.com> wrote in message
>> news:%23Dt79EpgFHA.2852@TK2MSFTNGP15.phx.gbl...
>> > "DavidM" <DavidM@newsgroup.nospam> wrote in message
>> > news:OnCILpngFHA.3296@TK2MSFTNGP10.phx.gbl...
>> > > Can anyone point me to any article which discusses AD design and
>> > > arguments in favor or not for having a flat AD (several offices across
>> > > three continents but only one forest with a child domain) versus
>> > > distributed (one forest with several child domains)?
>> >
>> > There are plenty on the Microsoft web site. (Google should find
>> > them easily).
>> >
>> > But there are fairly clear reasons for each decision:
>> >
>> > Multiple Forests:
>> >
>> > 1) Complete autonomy
>> > e.g. Separate companies with no desire to generally share resources
>> >
>> > 2) Different schemas -- hard rule since the schema is forest wide
>> >
>> > Multiple domains
>> >
>> > 1) Separation of control by different admins
>> > (usually OUs can work here)
>> >
>> > 2) Mirror NT domains -- especially during upgrade/migration but
>> > again OUs can usually handle this at some point in the process
>> >
>> > 3) Massive number of objects and... (AD was designed for millions)
>> > 4) Control replication -- seldom needed since Sites do this in most
>> > cases
>> >
>> > But notice: #3 and #4 work together, as the number of objects
>> > increases and the speed of the WAN lines goes down a domain
>> > may need to be split where in another environment it would not.
>> >
>> > 5) Different "Security Account Policies" -- the Password, Lockout,
>> > and Kerberos policies are PER Domain.
>> >
>> > 6) Geopolitical issues -- laws and practices that force separation
>> > (this is really a variety of #1 but for perhaps different, external
>> > reasons.) It is also perhaps relevant to your multinational situation.
>> >
>> > 7) Technically a need for SMTP replication will force separate domains
>> > as well, but this is so rare as to almost go unremarked.
>> >
>> > Of course anything that forces separate forests also forces a separate
>> > domain.
>> >
>> > --
>> > Herb Martin, MCSE, MVP
>> > Accelerated MCSE
>> > http://www.LearnQuick.Com
>> > [phone number on web site]
>> >
>> > >
>> > > Thanks
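The hub-and-spoke Site Link layout Herb recommends above (one Site Link per hub/spoke pair, each carrying its own cost, schedule and replication frequency, instead of one Site Link holding all five sites) can be scripted and then checked. The following is an added example written for this archive, not code from the thread or from Herb Martin; it assumes the ActiveDirectory PowerShell module of Windows Server 2012 or later (these cmdlets postdate the Windows 2000 era of the thread) and Enterprise Admin rights, and every site and link name in it is a constructed placeholder.

```powershell
# Added example (not from the thread): build one Site Link per hub/spoke pair,
# each with the three parameters the thread names (cost, schedule, frequency),
# then flag any link that still bundles more than two sites together.
# Assumes the ActiveDirectory module (Windows Server 2012+) and Enterprise Admin
# rights. All site names below are constructed placeholders.
Import-Module ActiveDirectory

$hub    = 'UK-Hub'                                         # centre of the wheel (constructed)
$spokes = 'DE-Site1', 'FR-Site1', 'ES-Site1', 'NL-Site1'   # spokes (constructed)

$linkCost        = 100   # equal cost: every spoke reaches the hub directly, never via another spoke
$intervalMinutes = 30    # frequency: how often bridgeheads poll while the schedule window is open

# Schedule: ActiveDirectorySchedule is a one-week grid of 15-minute slots.
# Reset it to "never", then open a nightly window (evening plus early morning)
# so bulk inter-site replication stays off the 512k VPN links during office hours.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')   # 20:00 onward
$schedule.SetDailySchedule('Zero',   'Zero', 'Five',        'FortyFive')   # until 06:00

foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'") {
        Write-Host "Site link $linkName already exists, skipping"
        continue
    }
    # One link, exactly two member sites: the hub and this spoke.
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hub, $spoke `
        -Cost $linkCost `
        -ReplicationFrequencyInMinutes $intervalMinutes `
        -ReplicationSchedule $schedule `
        -InterSiteTransportProtocol IP
    Write-Host "Created site link $linkName"
}

# Review step: a link that still contains more than two sites (DEFAULTIPSITELINK
# often ends up like this) tells the KCC those sites are all equally connected,
# the "commonly misunderstood" case from the thread. List such links for cleanup
# rather than leaving them to override the per-pair design.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
    Where-Object { @($_.SitesIncluded).Count -gt 2 } |
    ForEach-Object {
        # SitesIncluded holds site DNs; keep only the CN for readability.
        $sites = (@($_.SitesIncluded) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        Write-Warning "$($_.Name) spans more than two sites (cost $($_.Cost), every $($_.ReplicationFrequencyInMinutes) min): $sites"
    }
```

Run it once from a domain controller or a management host with RSAT; the existence check makes it safe to re-run. The closing review is the part worth keeping in a change checklist: a per-pair design only does what Herb describes if no catch-all link still lists the same sites, because the KCC routes inter-site replication over whichever links exist, not over the ones you intended.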