Active Directory Domain Consolidation (Part I – Why you need it)

Where did all of these domains come from?  Why do we need so many domains?  What is the cost of administering each of our domains?  Is there a way around this?

So, first things first.  Forget about everything you have at the moment.  What would the ideal Architecture look like?  The ideal goal is “Single Forest, Single Domain”.  Any decision to deviate from this ideal goal should be thoroughly questioned, as the costs and technical complexity of a multi-forest or multi-domain environment are significant and generally lead to technical catastrophes without a rock solid Operations Framework.  Another way of stating Single Forest, Single Domain might be the following: “Provide a secure, fault tolerant, high performance IT infrastructure to all geographic areas of the organization for as little cost as possible.”  Strong statement?  It’s the truth…

What do you really need?  Here are some ideas which include cognisance of your branch offices:

Base Services
• Directory services
• DHCP services
• Name resolution services
• File services
• Print services
• Base client services
• Base management services

Extended Services
• Application services
• Web caching
• Messaging services
• Collaboration services
• Extended management services
• Extended monitoring services
• Branch network access services
Don’t confuse the Physical Architecture with the Logical Architecture.  The Physical Architecture is merely where you place your servers, while the Logical Architecture is “what will run on the Servers once deployed”.  I.e.  which Domain/Forest.

While we won’t spend too much time on the Physical Architecture at this time, in summary, you have 3 options:

Centralised (Ideal) – all servers are in the main Data Center – make sure your WAN is reliable here.

Distributed (try to avoid this) – Servers are spread out throughout your organisation.  Tolerant of long term WAN Outages.

Hybrid – Critical services are managed centrally and delegation of rights and permissions are given to remote IT Administrators.  Tolerant of occasional WAN outages.  You may want to consider Read Only Domain Controllers (RODCs) in this environment.

Logical Design Decisions for Forest/Domain design (forget what you currently have):

Here is a test to determine if you need more than one forest or more than one domain:

Forest design:

The variables for Forest design are (only) the following:

• Administrative Overhead (the fewer forests, the less overhead)
• Isolation Requirements (only if absolute isolation is required.  E.g. a subsidiary is purchased with the plan of reselling the subsidiary in the near future).
• Scalability (more than 100,000 users or more than 5,000 sites)

Domain Design:

The variables for Domain Design are (only) the following:

• Administrative Overhead (a single domain has less Administrative Overhead, and services (DNS, Replication, WINS etc.) are managed centrally)
• Number of Users per Domain (100,000 users or more may make you consider multiple domains to reduce replication)
• WAN Link speeds (19.2Kbps is sufficient to support 100,000 users if AD is allowed to consume 1% of this link [0.192Kbps])
• Number of Domain Controllers (1,200 based on FRS Replication.  However, Server 2008 DFS Replication overcomes this limit.)
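The forest and domain tests above expressed as a small Python check, added here as an illustration and not part of the original article.  The thresholds are the article's; scaling the 19.2Kbps/100,000-user WAN datapoint linearly to other link speeds is my assumption, as is the `Environment` structure and the `sysvol_uses_dfsr` flag standing in for "Server 2008 DFS Replication in use".

```python
from dataclasses import dataclass

# Thresholds exactly as the article's design test states them.
FOREST_MAX_USERS = 100_000          # scalability: more than 100,000 users
FOREST_MAX_SITES = 5_000            # scalability: more than 5,000 sites
DOMAIN_REPLICATION_USERS = 100_000  # "may make you consider multiple domains"
FRS_MAX_DCS = 1_200                 # FRS replication ceiling per domain
# WAN datapoint from the article: 100,000 users fit on 19.2 Kbps at 1% for AD.
BASELINE_USERS = 100_000
BASELINE_AD_KBPS = 19.2 * 0.01      # 0.192 Kbps

@dataclass
class Environment:                    # hypothetical input record, not from the article
    users: int
    sites: int
    domain_controllers: int
    wan_link_kbps: float              # slowest WAN link in the organisation
    ad_share_of_link: float = 0.01    # fraction of that link AD may consume
    absolute_isolation: bool = False  # e.g. subsidiary bought to be resold soon
    sysvol_uses_dfsr: bool = False    # Server 2008 DFS Replication lifts the FRS limit

def supported_users_on_link(link_kbps: float, ad_share: float = 0.01) -> int:
    # Linear scaling of the article's single datapoint: an assumption, not from the page.
    return int(link_kbps * ad_share / BASELINE_AD_KBPS * BASELINE_USERS)

def design_test(env: Environment) -> dict:
    """Apply the forest and domain tests; every reason returned is a reason to deviate."""
    forest, domain = [], []
    if env.absolute_isolation:
        forest.append("absolute isolation required (e.g. subsidiary to be resold)")
    if env.users > FOREST_MAX_USERS:
        forest.append(f"{env.users:,} users exceeds {FOREST_MAX_USERS:,}")
    if env.sites > FOREST_MAX_SITES:
        forest.append(f"{env.sites:,} sites exceeds {FOREST_MAX_SITES:,}")
    if env.users >= DOMAIN_REPLICATION_USERS:
        domain.append(f"{env.users:,} users: consider splitting to reduce replication")
    budget = supported_users_on_link(env.wan_link_kbps, env.ad_share_of_link)
    if env.users > budget:
        domain.append(f"slowest link supports about {budget:,} users at "
                      f"{env.ad_share_of_link:.0%} of the link for AD")
    if env.domain_controllers > FRS_MAX_DCS and not env.sysvol_uses_dfsr:
        domain.append(f"{env.domain_controllers:,} DCs exceeds the FRS limit of "
                      f"{FRS_MAX_DCS:,}; move SYSVOL to DFS-R or split the domain")
    return {
        "single_forest": not forest,
        "single_domain": not forest and not domain,
        "forest_reasons": forest,
        "domain_reasons": domain,
    }
```

An empty reasons list means the environment passes the test and the answer is Single Forest, Single Domain; each listed reason is one of the article's justifications for deviating.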

I have had many, many design workshops around this topic.  So far, the results are always the same.  Single Domain, Single Forest (unless you don’t pass the above test).

So, now that we are on the same page, Part II will guide you into how to go about achieving the ideal Active Directory Logical Architecture (Single Domain, Single Forest Consolidation).

References:

Designing the Branch Office http://www.microsoft.com/branchoffice

Designing the Logical Structure for AD DS (Active Directory Domain Services) http://go.microsoft.com/fwlink/?LinkId=89024

Hope this helps,

Rob
http://robsilver.org
Author: RobSilver
1 Comment

Expert Comment by zsaurabh:
unable to find part2
