Correct way to design a windows domain structure??? help please

Hi guys,
im in the middle of designing a new windows domain for our company.
I have a few questions on how this would be done correctly...

If the domains will be over diffrent sites and deptartments should these be set up as subdomains too?


                                                                /      \
                                                              /          \
                                                            /              \  
                                                          /                  \
                         site1.companyABC.local           site2.companyABC.local
                            /                        |                                              |
                          /                          |                                              |
 dep1.site1.companyABC.local    |                                 dep1.site1.companyABC.local

Or do you know the correct way to set it all up?

Thanks! - in advanced for any help :)
Who is Participating?
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:

I believe less is more in this case. How many people do you have working in IT department? How many servers are you prepare to buy? You current design would need at least 12 DC - two for each domain anD this gets complicated if you have more phyiscal locations.
How many physical locations are we talking about? How many users on these locations?

Usual approch is to start with single domain forest. Your departments can ban each have its own OU. AD Sites are independent of logical design of domain, but they do define the number of DCs in enterprise, because usually you need one DC for each domain in every site.


chouckhamAuthor Commented:

>use AD sites rather than subdomains. - i like that. :-)

In our main site:
we are an outsourcing call centre business we have about 10 call centres wach with around 30 seats.
each needing high security from each other.
the design is to put them on seperate vlans, and have them as seperate subdomains (for added security)

does this sound ok?
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
Actually not, from security point of view. Domain is not security boundary, forest is. For maximum security you would need to create separate 10 forests without trust relationships between them. IMHO also VLAN is not security feature.
Brian PierceConnect With a Mentor PhotographerCommented:
In general use a few domains as you can get away with - it makes life much more simple. You really only need multiple domains if you want to keep descrete seperation between your departments and.or there is an overriding need to have different password and account policies for some parts of the oganization.

In most cases a single domain will suffice, You can use sites in AD to deal with your geographicaly seperated sites and you can use Organization Units for Departments, or indeed your OUs could also represent geographical locations as well or instead of sites.

This approach will minimize the amount of hardware required in terms of numbers of DCs, while the use of sites and/or OUs allows you full control over policies and administrative delegation
chouckhamAuthor Commented:
Many thanks for all your usefull comments above!

- we have a need to sometimes on a monthly basis remove a child domain and rebuild a one fresh and clean for a new client. with full independant policy controll and administration.

thats why for this scenario i think a child domain would be best option.

thoughts are very welcome!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.