
Active Directory Domain Consolidation (Part I – Why you need it)

Where did all of these domains come from?  Why do we need so many domains?  What is the cost of administering each of our domains?  Is there a way around this?

So, first things first.  Forget about everything you have at the moment.  What would the ideal Architecture look like?  The ideal goal is “Single Forest, Single Domain”.  Any decision to deviate from this ideal goal should be thoroughly questioned, as the costs and technical complexity of a multi-forest or multi-domain environment are significant and generally lead to technical catastrophes without a rock solid Operations Framework.  Another way of stating “Single Forest, Single Domain” might be the following: “Provide a secure, fault tolerant, high performance IT infrastructure to all geographic areas of the organization for as little cost as possible.”  Strong statement?  It’s the truth…

What do you really need?  Here are some ideas which include cognisance of your branch offices:

Base Services

• Directory services
• DHCP services
• Name resolution services
• File services
• Print services
• Base client services
• Base management services

Extended Services

• Application services
• Web caching
• Messaging services
• Collaboration services
• Extended management services
• Extended monitoring services
• Branch network access services

Don’t confuse the Physical Architecture with the Logical Architecture.  The Physical Architecture is merely where you place your servers, while the Logical Architecture is “what will run on the servers once deployed”, i.e. which Domain/Forest they belong to.

While we won’t spend too much time on the Physical Architecture at this time, in summary, you have 3 options:

Centralised (Ideal) – all servers are in the main Data Center – make sure your WAN is reliable here.

Distributed (try to avoid this) – Servers are spread out throughout your organisation.  Tolerant of long term WAN Outages.

Hybrid – Critical services are managed centrally and delegation of rights and permissions are given to remote IT Administrators.  Tolerant of occasional WAN outages.  You may want to consider Read Only Domain Controllers (RODCs) in this environment.

Logical Design Decisions for Forest/Domain design (forget what you currently have):

Here is a test to determine if you need more than one forest or more than one domain:

Forest design:

The variables for Forest design are (only) the following:

• Administrative Overhead (the fewer forests, the less overhead)
• Isolation Requirements (only if absolute isolation is required.  E.g. a subsidiary is purchased with the plan of reselling the subsidiary in the near future.)
• Scalability (more than 100,000 users or more than 5,000 sites)

Domain Design:

The variables for Domain Design are (only) the following:

• Administrative Overhead (a single domain has less Administrative Overhead, and services (DNS, Replication, WINS etc.) are managed centrally)
• Number of Users per Domain (100,000 users or more may make you consider multiple domains to reduce replication)
• WAN Link speeds (19.2Kbps is sufficient to support 100,000 users if AD is allowed to consume 1% of this link [0.192Kbps])
• Number of Domain Controllers (1,200 based on FRS Replication.  However, Server 2008 DFS overcomes this limit.)

I have had many, many design workshops around this topic.  So far, the results are always the same.  Single Domain, Single Forest (unless you don’t pass the above test).
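The following script is an added example, not part of the original article: it inventories the current forest against the measurable thresholds in the test above (100,000 users, 5,000 sites, 1,200 domain controllers) so a workshop starts from real numbers. It assumes the RSAT ActiveDirectory PowerShell module and read access to every domain in the forest; the Administrative Overhead and Isolation criteria are judgement calls and are not scored here.

```powershell
# Added example (not from the article): measure the forest against the
# article's forest/domain design thresholds. Assumes the RSAT ActiveDirectory
# module and an account that can read users in every domain of the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$sites  = @(Get-ADReplicationSite -Filter *)

# Per-domain figures: user count and DC count (RODCs counted as DCs).
$report = foreach ($dn in $forest.Domains) {
    $d     = Get-ADDomain -Identity $dn
    $users = (Get-ADUser -Filter * -Server $dn | Measure-Object).Count
    $dcs   = @($d.ReplicaDirectoryServers).Count + @($d.ReadOnlyReplicaDirectoryServers).Count
    [pscustomobject]@{
        Domain             = $dn
        Users              = $users
        DCs                = $dcs
        UsersOverThreshold = $users -ge 100000   # article: 100,000 users per domain
    }
}

$report | Format-Table -AutoSize

# Forest-level checks: the only scalability reasons the article accepts
# for a second forest, plus the FRS limit on domain controllers.
$totalUsers = ($report | Measure-Object -Property Users -Sum).Sum
$totalDCs   = ($report | Measure-Object -Property DCs   -Sum).Sum
$scaleLimit = ($totalUsers -gt 100000) -or ($sites.Count -gt 5000)

[pscustomobject]@{
    Forest                 = $forest.Name
    Domains                = @($forest.Domains).Count
    Sites                  = $sites.Count
    TotalUsers             = $totalUsers
    TotalDCs               = $totalDCs
    ScaleOverForestLimit   = $scaleLimit
    FrsDcLimitExceeded     = $totalDCs -gt 1200    # article: FRS limit; Server 2008 DFS removes it
    # More than one domain without a scalability reason: a consolidation candidate
    # unless an isolation requirement exists (not measurable from the directory).
    ConsolidationCandidate = (@($forest.Domains).Count -gt 1) -and -not $scaleLimit
} | Format-List
```

Counting users with `Get-ADUser -Filter *` walks the whole directory, so run it out of hours or against a domain controller close to you in a large environment.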

So, now that we are on the same page, Part II will guide you through achieving the ideal Active Directory Logical Architecture (Single Domain, Single Forest Consolidation).


Designing the Branch Office

Designing the Logical Structure for AD DS (Active Directory Domain Services)

Hope this helps,


Comments (1)

Unable to find Part 2
