
Active Directory Design

Lucret asked
We have a HQ and 3 remote sites connected by slow Frame Relay links. What is the best AD design for this org structure? Can we use one domain spanning the 4 sites?
We currently have an NT 4 BDC in each site and a PDC and BDC at HQ.

The beauty of Win2000 is that yes, you can use one domain due to the huge increase in the ACLs allowed. Design, though, also depends on the functionality of the 4 sites. Are they all doing the same thing? In other words, do they all require the same domain security for GPOs? Security is one of the major issues to consider when deciding on one or multiple domains. It might also be wise to eventually put a PDC in each location to lessen replication/logon traffic over the slow links. There are a lot more considerations to go over, but these are a couple of the major ones. Plan and have fun!! Let us know if you have more questions (I'm sure you will), or if you have something more specific.

mikecr, IT Architect/Technology Delivery Manager

What is the size of the frame link? Do you want a full Windows 2K active directory domain or would you want to remain in backwards compatibility mode because of your NT domain controllers?

And how many objects will be in the AD: users, groups, workstations, servers, policies? The number of objects directly affects replication performance and bandwidth impact.

You can use one domain, but depending on your business requirements it might make sense to create subdomains (marketing.company.com, europe.company.com). The short answer is yes, you can create a single domain and define sites and subnets, but the long answer is that the design of Active Directory depends on your business and administrative requirements. If you do the single domain, multiple site configuration, have a Domain Controller that is a Global Catalog server at each site.


Each site needs to be able to carry on logins etc. if the frame relay link goes down. Currently the BDC in each site does DHCP and WINS; we may go to a Win2K DC in each site and full native mode eventually. FR links are 64k for the smallest to 256k for the biggest. We use Citrix to minimise bandwidth used. Each site is a business in its own right.

I think the main things you have to look at are still: 1) Security. Do any of the four sites require vastly different security settings? 2) Administration. Will all four sites be administered from the main site, or will some administrative responsibility be delegated to other admins at some of the sites? Do all the sites trust each other? 3) How many resources will be shared, i.e. directories, printers, servers etc. Also a big factor can be money. An upgrade (keeping one domain) is cheaper, but a restructure and eventual switch to native mode can be more expensive, though it has many benefits.
IT Architect/Technology Delivery Manager
If you're going to administer the domain yourselves, then I would recommend one domain with domain controllers at each site. Each controller should be a catalog server for advertising resources and will allow each client to log on from their site. The slower links are not good, but you can overcome this by setting up sites in AD Sites and Services. Each domain controller will also support Terminal Services, which will be to your advantage. Get rid of the BDCs as soon as is effectively possible. By default, replication traffic from a Windows 2K server is only 8K packets, which makes it nice and won't hammer your links; however, if you keep the BDCs you will need to make sure that ALL replication occurs during off hours. This will hinder you if you have to set up accounts during the day. Since you're using Frame Relay, I'm going to assume that you're not tunneling over the internet but have your own private WAN. If this is true, security won't be too bad. You can create policies on your OUs and domain to be able to overcome most local security problems. Using Windows 2K, you will get other advantages like NAT, which will help you later on when you need to allow for internet access to these sites. Administration in a Windows 2K environment is a breeze and you will find it a lot easier to manage than the old NT domains.
If you have questions about anything else, please let us know.
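The single-domain, multi-site layout recommended in the answers above (sites and subnets defined in AD Sites and Services, a DC per site that is also a Global Catalog, and inter-site replication held to an off-hours window over the slow links) expressed as a script. This is an added example, not code from the thread or from the original poster's environment: it assumes a current domain controller with the ActiveDirectory PowerShell module (these cmdlets postdate Windows 2000), and the site names HQ/SiteA/SiteB/SiteC, the 10.x subnets, the link costs and the DC names are all hypothetical.

```powershell
# Added example: lay out one AD domain across HQ plus three remote sites.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2012+) and a
# caller in Enterprise Admins. Every site, subnet, cost and DC name below
# is hypothetical; adjust to the real network.
Import-Module ActiveDirectory

# Site -> client subnets. A subnet missing from this map is the classic
# mistake: clients on it get no site affinity and may authenticate to a
# DC on the far side of the slow link.
$sites = @{
    'HQ'    = @('10.1.0.0/16')
    'SiteA' = @('10.2.0.0/24', '10.2.1.0/24')
    'SiteB' = @('10.3.0.0/24')
    'SiteC' = @('10.4.0.0/24')
}

foreach ($siteName in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $sites[$siteName]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
}

# Hub-and-spoke site links, HQ <-> each remote site. Cost reflects the
# Frame Relay circuit: the 64 kbit/s spoke is the most expensive path, so
# the KCC never routes another site's traffic across it.
$links = @(
    @{ Name = 'HQ-SiteA'; Sites = 'HQ', 'SiteA'; Cost = 400 }   # 64 kbit/s
    @{ Name = 'HQ-SiteB'; Sites = 'HQ', 'SiteB'; Cost = 200 }   # 128 kbit/s
    @{ Name = 'HQ-SiteC'; Sites = 'HQ', 'SiteC'; Cost = 100 }   # 256 kbit/s
)

# Off-hours replication window, 20:00 to 05:45 daily. ActiveDirectorySchedule
# works in 15-minute slots and SetDailySchedule takes one from/to range per
# call, so an overnight window is two calls; ResetSchedule() clears first.
$adns = 'System.DirectoryServices.ActiveDirectory'
$schedule = New-Object "$adns.ActiveDirectorySchedule"
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

foreach ($link in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($link.Name)'")) {
        # 180-minute interval instead of the 15-minute default; the schedule
        # below then restricts those attempts to the overnight window.
        New-ADReplicationSiteLink -Name $link.Name -SitesIncluded $link.Sites `
            -Cost $link.Cost -ReplicationFrequencyInMinutes 180 `
            -InterSiteTransportProtocol IP
    }
    Set-ADReplicationSiteLink -Identity $link.Name -ReplicationSchedule $schedule
}

# Put each DC in its site (new DCs land in Default-First-Site-Name otherwise)
# and confirm every site has a Global Catalog: in native mode a DC that cannot
# reach a GC refuses interactive logons, which is exactly the failure the
# asker wants to avoid when a Frame Relay link drops.
$dcSites = @{ 'HQ-DC1' = 'HQ'; 'SITEA-DC1' = 'SiteA'
              'SITEB-DC1' = 'SiteB'; 'SITEC-DC1' = 'SiteC' }
foreach ($dc in $dcSites.Keys) {
    if ((Get-ADDomainController -Identity $dc).Site -ne $dcSites[$dc]) {
        Move-ADDirectoryServer -Identity $dc -Site $dcSites[$dc]
    }
}

Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address |
    Sort-Object Site
```

With this schedule, an account created at HQ during the day does not reach a remote site until the 20:00 window opens, which is the trade-off mikecr describes. For a single urgent object, `Sync-ADObject -Object <DN> -Source HQ-DC1 -Destination SITEA-DC1` replicates just that object immediately; `repadmin /showrepl` on the remote DC shows whether the scheduled cycles are actually completing over the 64 kbit/s link. Any DC in the final listing with `IsGlobalCatalog` equal to False in a site that has no other GC should be promoted to GC before the BDCs are retired.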

