Windows 2003 forest design

We are redesigning our Windows infrastructure. Our new design will include a single 2003 forest with 25 child domains: FROM 25 forests to one forest and 25 child domains. The problem I have is our network infrastructure, which currently has a firewall on every VLAN, which they say is best practice? The designs from MS, and talking to MS directly, say NO firewall between domains in a single forest and NO NAT'ed addresses. WELL, the network group says MS is crazy. The security group doesn't want IPsec because they can't sniff it. AND the NETWORK group doesn't want to open all the ports necessary across the firewall, "which are all internal, by the way; we are not asking them to open across firewalls outside the company."

AND NOW FOR THE QUESTION: Does anyone have a single forest, multiple child domain design that I can talk to and see how you handled the network? THIS leads into another project, which is single sign-on for the company.

Hi jwhitlock31,

I work in a single forest, multiple domain environment of 8 domains at the moment. Here comes the fun: we are in the process of upgrading to over 500 domains in a single forest. One firewall at the root currently, and not looking at changing that.

What exactly do you need to know?

jwhitlock31 (Author) commented:
I guess my question is, what did your network group say about the design? OURS believes that everything needs to go through a firewall, and having all those firewalls between the DCs has been a real pain. AND the network group says they are doing best practice, BUT it is completely against the single forest design, and really hard to implement. I guess I would like to know whether other companies design their forest without firewalls internally between their child domains and root domain?

We have all our domains inside a private IP network, which provides us with an extra bit of security, but we still have one giant Nokia firewall running at a central location.

Having a firewall at each site is going to be secure, but it is also going to require a whole load of configuration. I think it is important, however, to have some form of security, especially if you are not sitting within a private network originally. Configuring a firewall at each site probably isn't a bad idea, and MS best practices aren't always the most logical practices; there are often scenarios that don't get taken into consideration by MS.

I'm very keen to see what other experts have to say on this topic also.

jwhitlock31 (Author) commented:
ALL the DCs are at the same site, inside the forest....
All the DCs are at the same site??!!!???

You are going to have 25 domains authenticating over a WAN link to your DCs?? What happens if a WAN link goes down.......

Good rule of thumb:

Minimum of 1 DC per site
Minimum of 1 GC per site and max of 2
Minimum of 1 DNS server per site, max of 2

jwhitlock31 (Author) commented:
Not over a WAN, over a LAN link... that is why I think that all the firewalls are unnecessary...
jwhitlock31 (Author) commented:
We have 4 DCs per domain, all running DNS, and two GCs.

Wow, all that over a LAN link. Then no, I don't see the necessity of a firewall per domain.

What kind of structure do you have that you're going to have so many domains on a LAN? What kind of business?? Just out of curiosity.
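Whichever way the firewall argument ends, the practical question raised in the original post is which ports the firewall team would have to open between domain controllers. The script below is an added example for this thread, not code from any participant: it probes the commonly cited Active Directory TCP port set from a management host against a DC and reports what is blocked, so the list handed to the network group is based on a measured result rather than a guess. The port names and the Windows Server 2003 dynamic RPC range (1025-5000) are assumptions from general AD documentation, not from the thread; the DC name used in the usage note is a placeholder, and the loopback listener in `demo()` is a constructed stand-in so the logic can be exercised offline.

```python
"""Reachability check for the TCP ports domain controllers in one forest use.

Added example for this thread (not code from any participant). The port list is
the commonly cited Active Directory port set; the Windows Server 2003 dynamic
RPC range (1025-5000, needed for replication and FRS on top of port 135) is
reported by its bounds and not swept here.
"""
import socket
import sys
import threading
from typing import Callable, Dict, Iterable, List, Tuple

# TCP ports DCs need reachable between each other (and from member machines).
AD_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper (replication, FRS)",
    389: "LDAP",
    445: "SMB (SYSVOL, Group Policy)",
    464: "Kerberos password change",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAP over SSL",
}
# Windows Server 2003 allocates dynamic RPC ports here; 2008+ uses 49152-65535.
RPC_DYNAMIC_RANGE_2003: Tuple[int, int] = (1025, 5000)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, ports: Iterable[int] = AD_TCP_PORTS,
                   probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, bool]:
    """Probe each port on host and return {port: reachable}.

    `probe` is injectable so the reporting logic can be exercised offline.
    """
    return {port: probe(host, port) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that a firewall between the DCs would have to allow."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary, one line per port plus the RPC range reminder."""
    lines = [f"AD port reachability for {host}:"]
    for port, ok in sorted(results.items()):
        name = AD_TCP_PORTS.get(port, "custom")
        lines.append(f"  {port:>5}  {'open' if ok else 'BLOCKED'}  {name}")
    lo, hi = RPC_DYNAMIC_RANGE_2003
    lines.append(f"  (also needs dynamic RPC range {lo}-{hi} on Windows 2003 DCs)")
    return "\n".join(lines)


def _loopback_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 (constructed stand-in for a DC)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by demo()
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> Dict[str, object]:
    """Offline self-check: one listening port must show open, one idle port blocked."""
    srv, open_port = _loopback_listener()
    # Bind and release an ephemeral port so we have one that is known not to listen.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    results = check_dc_ports("127.0.0.1", [open_port, closed_port])
    srv.close()
    return {"open_detected": results[open_port],
            "closed_detected": not results[closed_port],
            "blocked": blocked_ports(results)}


if __name__ == "__main__":
    # Usage: python dc_ports.py <dc-hostname>  (e.g. a placeholder such as dc01.child.example)
    # With no argument, run the loopback self-check instead.
    if len(sys.argv) > 1:
        print(report(sys.argv[1], check_dc_ports(sys.argv[1])))
    else:
        print(demo())
```

Run it from the network segment on the far side of the firewall in question, once per DC in each child domain; a port that shows BLOCKED for a DC-to-DC path is exactly the kind of thing that turns into a replication or Kerberos failure later. The script only tests TCP; Kerberos, DNS and LDAP also use UDP on the same port numbers, and a per-VLAN firewall that blocks UDP will still break logons even when the TCP probes pass.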
