Correct way to design a Windows domain structure? Help please

Posted on 2007-07-20
Last Modified: 2012-08-13
Hi guys,
I'm in the middle of designing a new Windows domain for our company.
I have a few questions on how this would be done correctly...

If the domains will be over different sites and departments, should these be set up as subdomains too?


                            /                           \
                           /                             \
              site1.companyABC.local            site2.companyABC.local
                          |                               |
                          |                               |
              dep1.site1.companyABC.local       dep1.site1.companyABC.local

Or do you know the correct way to set it all up?

Thanks in advance for any help :)
Question by:chouckham
    LVL 31

    Accepted Solution


    I believe less is more in this case. How many people do you have working in the IT department? How many servers are you prepared to buy? Your current design would need at least 12 DCs - two for each domain - and this gets complicated if you have more physical locations.
    How many physical locations are we talking about? How many users on these locations?

    The usual approach is to start with a single domain forest. Your departments can then each have their own OU. AD Sites are independent of the logical design of the domain, but they do define the number of DCs in the enterprise, because usually you need one DC for each domain in every site.
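The layout this answer recommends (one domain, an OU per department, AD sites carrying the physical side) can be scripted. The block below is an added example, not code from the thread or from any of its participants; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), and the site names, OU names and subnets in it are placeholders.

```powershell
# Added example: single-domain layout with OUs for the logical structure and
# AD sites/subnets for the physical structure. Names and subnets are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=companyABC,DC=local

# Logical structure: one OU per location, one child OU per department.
# Delegation and Group Policy attach here; no extra domains are needed.
$layout = @{
    'Site1' = @('Dep1', 'Dep2')
    'Site2' = @('Dep1')
}
foreach ($site in $layout.Keys) {
    $siteOU = "OU=$site,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$site)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($dep in $layout[$site]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$dep)" -SearchBase $siteOU -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $dep -Path $siteOU -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Physical structure: AD sites plus the subnets that map clients to them.
# DC placement and replication topology follow from this, not from the OU tree.
$sites = @{
    'Site1' = '10.1.0.0/16'   # assumed subnet
    'Site2' = '10.2.0.0/16'   # assumed subnet
}
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($sites[$name])'")) {
        New-ADReplicationSubnet -Name $sites[$name] -Site $name
    }
}

# Check: which DCs serve which site. With one domain this is the only DC count to plan for.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

Run it once from an account with rights to create OUs and site objects; every step is guarded so re-running it is safe. The OU tree and the site list are deliberately separate hash tables: a new office needs a site and subnet, a new department needs an OU, and neither change touches the other.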


    LVL 3

    Author Comment


    >use AD sites rather than subdomains. - I like that. :-)

    In our main site:
    We are an outsourcing call centre business; we have about 10 call centres, each with around 30 seats,
    each needing high security from each other.
    The design is to put them on separate VLANs and have them as separate subdomains (for added security).

    Does this sound ok?
    LVL 31

    Assisted Solution

    by:Toni Uranjek
    Actually not, from a security point of view. A domain is not a security boundary, a forest is. For maximum security you would need to create 10 separate forests without trust relationships between them. IMHO a VLAN is also not a security feature.
    LVL 70

    Assisted Solution

    In general, use as few domains as you can get away with - it makes life much simpler. You really only need multiple domains if you want to keep discrete separation between your departments and/or there is an overriding need to have different password and account policies for some parts of the organization.

    In most cases a single domain will suffice. You can use sites in AD to deal with your geographically separated sites, and you can use Organizational Units for departments, or indeed your OUs could also represent geographical locations as well as, or instead of, sites.

    This approach will minimize the amount of hardware required in terms of numbers of DCs, while the use of sites and/or OUs allows you full control over policies and administrative delegation.
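The one case this answer concedes to a separate domain, a different password and account policy for part of the organisation, has since been solved inside a single domain by fine-grained password policies, and per-department settings are handled by a GPO linked only to that department's OU. The block below is an added example, not code from the thread or from any of its participants; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain functional level of Windows Server 2008 or later (required for fine-grained password policies), and an existing department OU whose name and the group, policy and GPO names are placeholders.

```powershell
# Added example: one department gets its own password/lockout policy and its own
# Group Policy scope inside a single domain, instead of a child domain.
# All names and the OU path below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$depOU    = "OU=Dep1,OU=Site1,$domainDN"   # assumed existing OU for the department

# 1. A global group that collects the department's users; the password policy targets it.
$group = 'Dep1-Users'
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $depOU
}

# 2. A fine-grained password policy stricter than the domain default, applied to that group only.
#    When a user falls under several policies the lowest Precedence value wins.
$pso = 'PSO-Dep1-Strict'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
}

# 3. A GPO linked only to the department OU, so its settings cannot reach other OUs.
$gpo = 'Dep1-Baseline'
if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpo | New-GPLink -Target $depOU -LinkEnabled Yes | Out-Null
}

# 4. Checks: what is linked to the OU, and (per user) which password policy actually applies.
Get-GPInheritance -Target $depOU | Select-Object -ExpandProperty GpoLinks
# Get-ADUserResultantPasswordPolicy -Identity <sAMAccountName>
```

The resultant-policy check in step 4 is the one to run after any change: a user who is a member of several groups with policies may end up under a different PSO than intended, and only the precedence ordering decides which one wins. A policy attached to a group, a GPO linked to an OU, and delegation on that same OU together cover the reasons the answer lists for wanting a second domain.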
    LVL 3

    Author Comment

    Many thanks for all your useful comments above!

    - We have a need to, sometimes on a monthly basis, remove a child domain and rebuild a fresh and clean one for a new client, with full independent policy control and administration.

    That's why for this scenario I think a child domain would be the best option.

    Thoughts are very welcome!

