Our group is considering expanding greatly. So far, we have an HQ in London, and two new offices in the UK. We'll be looking at introducing another 10 new offices in the UK, and then also a smaller one in the US and one in Canada.
For the UK - the HQ will provide internet connectivity via a large pipe from the ISP terminating in a Cisco router. This router will have leased line serial interfaces to the branches. Each branch will have a PIX firewall, Domain Controller/DNS server. The PIX will act as a DHCP server. The offices abroad will have their own ADSL connection and be connected via PIX VPN. All branches will be in the same domain - no child domains etc will be configured. The AD structure is at the moment flat. We are going to be breaking these up into initial OUs of location, which will then be further divided into departments etc. Group policies can then be set at the highest level, and also applied to each OU for locally relevant policies. Thoughts?
As regards the creation of groups, we were going to create mail enabled security groups for ease of administration, I don't see the advantage of distribution groups. These would exist for the location and then departments and then a separate group for sub-departments, e.g. 'New York' SG, 'NY Finance' SG and then 'NY Finance Treasury' SG, 'NY Finance Audit' SG etc. Rights will be given on the basis of these groups rather than individual users. So, for instance, NY Finance would need access to a certain folder. The NY Finance group itself wouldn't contain any users, but the NY Finance Treasury, NY Finance Audit etc groups. Perhaps for a different folder, only NY Finance Audit may need access. Likewise, a common shared drive for NY would contain the NY Finance, NY HR, NY IT etc groups. This way, if someone leaves, we only need to change one group (the sub-dept) rather than security permissions on all the files. What are experts' opinions on the types of group to be created? We were thinking of creating a group such as New York as universal groups, and then Finance as global. Would we need to use domain local for the sub-departments, or could these be global groups as well?
The DNS server will be for local lookups/ caching only, any external lookups will be sent to the ISP via a forwarder. The IP scheme for the offices will be 192.168.x.0/24. Serial links configured with /30's.
Just after some clarity really from others... Am I correct in thinking that using local DNS servers is much preferable to using a central DNS server in London, to cut down on DNS traffic across the WAN links? Secondly, do any zone transfers etc need to be configured between the DNS servers, or are they simply 'plug and play'? Anything else that needs to be considered regarding DNS that anyone can think of?
Would be interested in people's thoughts...
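
The group nesting described in the post above, modelled as an added example that is not part of the original post. It resolves nested membership to effective folder access and shows the leaver case, where one sub-department change removes all access. User names, folder names and function names are constructed for illustration.

```python
# Constructed model of the nesting in the post: groups hold groups or users.
GROUPS = {
    "NY Finance": {"NY Finance Treasury", "NY Finance Audit"},
    "NY Finance Treasury": {"alice"},  # constructed user names
    "NY Finance Audit": {"bob"},
    "NY HR": {"carol"},
    "NY IT": {"dave"},
}
# Constructed folder names; each ACL lists groups only, never individual users.
ACLS = {
    "NY Common": {"NY Finance", "NY HR", "NY IT"},
    "Finance Shared": {"NY Finance"},
    "Audit Only": {"NY Finance Audit"},
}


def effective_members(group, groups, _seen=None):
    """Return every user reachable from `group` through any depth of nesting."""
    seen = set() if _seen is None else _seen
    if group in seen:  # already expanded: shared child group or a nesting loop
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:  # member is itself a group, so expand it
            users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users


def folders_for(user, groups, acls):
    """Folders the user can reach through any group named on the folder ACL."""
    return sorted(
        folder for folder, acl_groups in acls.items()
        if any(user in effective_members(g, groups) for g in acl_groups)
    )


def without_member(user, group, groups):
    """Copy of `groups` with `user` removed from one group (the leaver case)."""
    updated = {name: set(members) for name, members in groups.items()}
    updated[group].discard(user)
    return updated


if __name__ == "__main__":
    print("bob before:", folders_for("bob", GROUPS, ACLS))
    after = without_member("bob", "NY Finance Audit", GROUPS)
    print("bob after: ", folders_for("bob", after, ACLS))
```

Running the same resolution over an export of real group memberships is a quick way to audit that no folder grants access outside the intended sub-departments.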