Windows Server 2003 Network Design Help ...

ITGroupPHX asked (Medium Priority, 318 views, last modified 2010-04-19)
Hi Guys .... We have the luxury of building a new Windows Server 2003 network from scratch with no legacy issues to get in our way. Of course we want to do this correctly right from the get-go so I'm looking for a little (or a lot) of suggestions on how we should roll this out.

We are going to implement a network model where an independent organization will provide centralized IT services to a number of related but separate companies. Although we'd like to have complete administration control of the "enterprise" we can't have any of the companies able to access or even see the existence of the other companies involved. All of the related companies currently have their own internet domain names and POP3 mail servers. We'd also like to eventually migrate them to Exchange but with their own identity so that there is no hint of their participation in the multi-company IT structure.

All companies have to be setup with the minimum of dependencies since they may be spun off or sold at any point in time.

How's that for a start? I'm sure the nuts & bolts available can do the job but if anyone else has been down this road I would certainly appreciate your input. Nobody likes to reinvent the wheel.

Thanks in advance for your help on this. Regards - Jamie G.


Commented:
Oops, forgot about that - I readily defer to JamesDS's experience and knowledge. Nice CV by-the-by!
I don't get much time to build sites any more - just fix the problems caused by others ;-)

Commented:
What90

Thanks for that, but I can't help noticing you're at 3rd in the league and I am but a lowly 6th :)

Cheers

JamesDS

Commented:
JamesDS -

I've noticed you flying up the table and you've only just joined!
 
The reason I'm 3rd is 'cos it's slow around here (work, that is) at the moment and the nice questioners think some of my replies are actually useful ;-)

Actually, most of the q's are very interesting to follow through on as everything here is remarkably stable, (not that I'm complaining!) and I have a mountain of documentation to update as no one else bothered :-(

It's nice to keep the mind working and be corrected by experts like yourself.

Commented:
aha documentation, the bane of our lives.

I see 1 to 3 clients a year and a fully designed and documented AD and associated technologies typically requires around 500 pages of docs - much of which I can't cut and paste from the previous client!

You have my sympathies but you do get used to it after a while and it helps one to remember those little obscure problems that turn up here all the time.

Nobody's perfect (especially me) and I find that often the correct answer depends on how the question is read - it's easy to misinterpret the problem and run off at a tangent :)

Cheers

JamesDS

Author

Commented:
Excellent ideas/points. I had considered a Forest Root design similar to what WHAT90 had suggested but after reading the comments from JAMESDS I'm starting to change my mind. I especially like the touch about implementing parent & child domains to deal with potential expansion of the individual companies.

JAMESDS, if I follow your logic, are you suggesting that I set up an autonomous domain for the enterprise management group and then create trusts to allow for administration of each company forest? If so, what kind of complications am I going to run into if I try to share file and print services between the other domains? This is a less than likely scenario at the moment but I could see this happening as a couple entities may merge in the future.

Also, any thoughts on domain naming conventions these days? There seems to be a new trend emerging where companies want to change their name for marketing reasons so I'd like to stay away from directly tagging their name to the domain. A domain rename is something I'd like to avoid.

Thanks again guys!
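The design being weighed above (one forest per company, administered from an enterprise management forest over trusts) only delivers the "companies can't see each other" requirement if the trusts themselves are configured tightly: one per company, one direction, SID filtering on, selective authentication on. The check below is an added example written for this edit, not code from the thread or from either expert, and it uses the ActiveDirectory PowerShell module of a current RSAT install rather than anything that shipped with Windows Server 2003. The forest names, the function name and the constructed sample trust objects are assumptions for illustration.

```powershell
# Added example (not from the thread): audit the trusts visible from the
# management ("hub") forest against the design requirement that the hub
# administers each company forest while the companies stay isolated from
# one another. Requires the ActiveDirectory RSAT module on a current
# Windows admin host. Forest names below are placeholders.

$CompanyForests = 'alpha.example', 'bravo.example'   # assumed company forest names

function Get-TrustFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Trusts,          # output of Get-ADTrust
        [Parameter(Mandatory)] [string[]] $AllowedTargets   # approved company forests
    )
    foreach ($t in $Trusts) {
        $why = [System.Collections.Generic.List[string]]::new()

        # 1. Only hub<->company trusts are expected. Any other target, including
        #    one company forest trusting another, breaks the isolation model.
        if ($AllowedTargets -notcontains $t.Target) {
            $why.Add("target '$($t.Target)' is not an approved company forest")
        }

        # 2. Direction. Seen from the hub, an Inbound trust means the company
        #    forest trusts hub accounts, which is all delegated administration
        #    needs. Outbound or BiDirectional would also let company accounts
        #    authenticate into the hub and discover shared infrastructure there.
        if ($t.Direction -ne 'Inbound') {
            $why.Add("direction is $($t.Direction); expected Inbound only")
        }

        # 3. SID filtering. Without it an admin on one side can plant SIDHistory
        #    values and impersonate principals on the other side of the trust.
        if (-not ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)) {
            $why.Add('SID filtering is disabled')
        }

        # 4. Selective authentication replaces forest-wide authentication with
        #    an explicit "Allowed to Authenticate" grant per company server.
        if (-not $t.SelectiveAuthentication) {
            $why.Add('selective authentication is off (forest-wide authentication)')
        }

        # 5. TGT delegation across the trust lets an unconstrained-delegation
        #    host in one forest collect tickets for accounts from the other.
        if ($t.TGTDelegation) {
            $why.Add('TGT delegation is enabled across the trust')
        }

        [pscustomobject]@{
            Target   = $t.Target
            Type     = $t.TrustType
            Findings = if ($why.Count) { $why -join '; ' } else { 'OK' }
        }
    }
}

# Live run on a hub-forest domain controller:
#   Get-TrustFindings -Trusts (Get-ADTrust -Filter *) -AllowedTargets $CompanyForests |
#       Format-Table -AutoSize

# Constructed sample objects (not captured from a real forest) so the check can
# be exercised offline: one hardened trust and one that violates the design.
$sample = @(
    [pscustomobject]@{ Target = 'alpha.example'; TrustType = 'Uplevel'; Direction = 'Inbound'
                       SIDFilteringQuarantined = $false; SIDFilteringForestAware = $true
                       SelectiveAuthentication = $true; TGTDelegation = $false }
    [pscustomobject]@{ Target = 'bravo.example'; TrustType = 'Uplevel'; Direction = 'BiDirectional'
                       SIDFilteringQuarantined = $false; SIDFilteringForestAware = $false
                       SelectiveAuthentication = $false; TGTDelegation = $false }
)
Get-TrustFindings -Trusts $sample -AllowedTargets $CompanyForests | Format-Table -AutoSize
```

Run against the sample, the first trust reports OK and the second reports three findings (direction, SID filtering, selective authentication). Note that selective authentication and SID filtering are properties of the trusting side's trust object, so the same audit should also be run inside each company forest, where the trust back to the hub appears as Outbound.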

Author

Commented:
Thanks again JAMESDS. I've got a pretty good idea on where I need to go with this. It's time to wind this question down. Since you "have no life" I thought I'd bounce a couple of final things off of you. This enterprise management group will be responsible for VPN deployment and maintaining the hub at their site, Altiris Client Management and Veritas Backup centralized backup management. Any thoughts on how that might be impacted by the proposed model?

Commented:
ITGroupPHX

wow, maybe you should just hire me, i'm free at the end of the month and this looks like a good challenge ;)

Hmm, without building a pretty sizeable test environment I can't say for sure as there are dozens of variables to take into account. Provided your delegation of admin model is well designed and documented there should be no authentication issues with Altiris Client Management and Veritas Backup. You might have to sacrifice some of the "total lack of inter-company awareness" though if you're going to pull it off - after all even the most basic user will be able to tell that it's not his IT department in overall control!

I will advise you strongly to build a dual hub system and use the replication topology to create a fully redundant top level - maybe even host the FSMO roles for the sub-companies in these hubs as well, depending on budget and business continuity requirements.

Your DNS design is going to be pretty large so learn it well or outsource the design to Microsoft Consultancy (OK it's about £1500 a day!) if you're not 100% confident of pulling it off.

This is a lot of hardware and some big money so I close by reminding you of Gartner's report into AD in 2003 where they said "design and implementation problems caused by lack of specific design experience will force 60% of all Active Directory deployments to be redesigned and redeployed within 18 months of initial deployment, at significant and unplanned cost." So, caveat emptor, the little stuff is easy, the big stuff is a bitch and we haven't even covered how many sites you're planning on deploying to.

Best of luck

Cheers

JamesDS

Commented:
ITGroupPHX

At the risk of starting a "mutual appreciation society" What90 is right on the button ;)

A VERY large proportion of my work comes from re-design and re-implementation of AD projects that have gone south. Usually these repair projects take almost as long as the original project did - so the costs can often double the original budget and timescales.

Agree 100% with everything else he (most of us are blokes!) says

Cheers

JamesDS

Author

Commented:
What90 & JamesDS ... I agree with you guys 100%. The last thing that I need to do is rebuild AD in 18 months. Just as an aside, we are actively discussing the option of spinning off or outsourcing much of our IT group at some point in the future. Our concern right now is to have the model clear in our heads so that we confidently challenge any group that might be brought into the project. Are you two close to Arizona? :-)

I'm going to close this question now. Many thanks. I'm going to split the points up here and give What90 50 and JamesDS. I think we all agree that James DS needs the points anyways. :-). Cheers - ITGroupPHX

Commented:
ITGroupPHX

Thanks for the points - apparently I need them :)

I live in the UK, but I do travel and have worked in Ohio and Florida in the last 2 years.

Cheers all

JamesDS