Need advice for AD design of small org

I am looking for a second opinion on our AD design.  I was thinking simpler was better.  I am currently looking at doing a single forest, single domain.

We recently merged with another firm and now have 8 total sites: 3 main sites with 100-300 users and 5MB WAN connections, and 5 branch locations with 5-50 users and T1 connectivity to the main site.  Each main site has 2 DCs and each branch at least one.  

Currently, we represent about half the users and have a single domain.  The other users have a main domain and child domains and Exchange servers for each site.  There are no significant security, legal or password differences between our sites and we hope to centrally manage (though we may delegate control to a local admin's OU).  I think our bandwidth will be adequate for site to site replication as we do not rapidly change personnel.

Any other thoughts or reasons why I would NOT want to stay single domain with an OU structure based on site?

Thanks for any suggestions you can offer.  

Steve
ryansoto Commented:
If you're one organization I am always a big fan of one domain.  It's easier to manage with multiple OUs, just one for each site.  My suggestion is like yours - consolidate.  I mean, what happens if you acquire 1 or 5 or 10 more firms?  That's going to be a nightmare to manage vs a nice single domain setup.
 
smeek (Author) Commented:
Is your site several hundred users or similar in nature?

Steve
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
I used to run a Windows network with 1000 users and two major sites.  There's no point in using more than one domain unless you enjoy higher management costs.  I would get rid of the child domains in the other domain; it's really just complicating things unnecessarily (almost certainly - not working for you/them, I can't be certain there isn't some obscure but good reason they did it this way).  You only need one domain, so do what you're doing: delegate administrative authority based on OU to those who need it.
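The OU-based delegation Lee W recommends, as an added worked example that is not part of the original thread. It grants one site's admin group the Reset Password extended right and write access to lockoutTime (account unlock) on user objects under that site's OU, then reads the ACL back to confirm nothing wider slipped in. The OU path, group name and domain are assumptions standing in for the poster's environment; it needs the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) run by an account that can modify the OU's security descriptor.

```powershell
# Added example: delegate password reset and account unlock over one site OU to a
# site admin group. The OU DN, group name and domain below are assumptions.
Import-Module ActiveDirectory

$ouDn     = 'OU=Site-Boston,DC=corp,DC=example'   # assumed site OU
$adminGrp = 'Boston-SiteAdmins'                   # assumed delegation group (use a group, never a user)
$rootDse  = Get-ADRootDSE

# Resolve the GUIDs from the schema and configuration partitions rather than hard-coding them.
$userClassGuid = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutGuid   = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $adminGrp).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: Reset Password extended right, applied to descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: write lockoutTime on descendant user objects (enough to unlock, nothing more).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list exactly what the group holds on the OU. Anything beyond the two
# object-specific ACEs above (for example GenericAll) means the delegation is wider than intended.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$adminGrp" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

One caveat worth knowing before relying on this: accounts protected by AdminSDHolder (members of Domain Admins, Administrators and the other built-in protected groups) have inheritance disabled and their ACL reset every hour, so the site admins will not be able to reset or unlock those accounts even if they sit under the delegated OU. That is the intended behaviour, not a misconfiguration.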

 
KCTS Commented:
A single forest, single domain with multiple sites would seem to offer the best solution in this scenario. I can see no overwhelming need to have multiple domains. Creating a subnet for each site and then defining the subnets and sites in AD would allow you to ensure that clients on each physical site authenticate with a local DC in preference.
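The site and subnet definition KCTS describes, as an added worked example that is not from the original thread. Site names, subnets, link costs, DC names and the domain name are assumptions for a layout like the poster's (three main sites, branches on a T1 back to a main site); it runs with the ActiveDirectory module on Windows Server 2012 or later RSAT, where the New-ADReplication* cmdlets exist.

```powershell
# Added example: define AD sites, subnets and site links so that clients at each
# physical location are steered to a local DC. All names and subnets are assumptions.
Import-Module ActiveDirectory

# One site per physical location, each with the subnet(s) used there.
$sites = [ordered]@{
    'Main-A'   = @('10.1.0.0/16')
    'Main-B'   = @('10.2.0.0/16')
    'Main-C'   = @('10.3.0.0/16')
    'Branch-1' = @('10.11.0.0/24')
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# Hub-and-spoke site links: the branch replicates with one main site over its T1.
# Cost and interval shape the replication topology; the subnet-to-site mapping
# above is what decides which DC a client prefers for logon.
New-ADReplicationSiteLink -Name 'Main-A_Main-B'   -SitesIncluded 'Main-A','Main-B'   -Cost 100 -ReplicationFrequencyInMinutes 15
New-ADReplicationSiteLink -Name 'Main-A_Branch-1' -SitesIncluded 'Main-A','Branch-1' -Cost 300 -ReplicationFrequencyInMinutes 60

# Move each DC's server object into its site (assumed DC names).
Move-ADDirectoryServer -Identity 'DC-MAINA-01' -Site 'Main-A'
Move-ADDirectoryServer -Identity 'DC-BR1-01'   -Site 'Branch-1'

# Check 1: every DC should sit in the site that matches its address.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address |
    Sort-Object Site

# Check 2, run from a client at the branch: the DC locator should return the branch DC.
# A client whose address matches no defined subnet has no site, and the locator may
# hand it any DC in the domain, including one across the WAN.
nltest /dsgetdc:corp.example /force
```

A second check to keep running after the change: each DC logs NETLOGON event 5807 in the System log when it has served clients whose IP addresses map to no defined subnet, with the offenders listed in %SystemRoot%\debug\netlogon.log. An empty list means the subnet coverage is complete; entries there are subnets still to be added.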
 
Malli Boppe Commented:
I would say a single forest with an empty parent domain and a child domain, with no one as enterprise administrator. A child domain where you have all your file, Exchange and application servers. This is what we have done with 1000 users in our company.
 
smeek (Author) Commented:
What are the benefits/reasons for the empty parent domain?  Can you tell me how and why you chose the design you are using?  Does the child domain include all servers and users across all your sites?

Steve
 
Malli BoppeCommented:
The root domain contains several groups including the Schema Admins and Enterprise Admins forest wide groups and a Domain Administrators group for the domain. However an administrator who is a member of the Domain Admins group in the root domain can change the membership of any groups on the server including the Schema Admins and Enterprise Admins groups. This would allow an administrator to elevate his or her own permissions.
      
      By employing an empty root domain containing only the groups necessary to run the domain and forest, as well as keeping the administrative user accounts in a sub-domain, administrators are unable to elevate their own permissions. Only Domain Admins in the root domain can do this, of which there will be none. No user accounts are setup in the parent domain.
Even an domain admin in the child domain is restricted in doing a alot of things like.he can't set up trusts.Can't authorize a DHCP server and many more things.Can't create DNS entries if the DNS server is hosted in the parent domain.

Yeah, the child domain will have all the user accounts and servers.
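A check for the elevation path Malli Boppe describes, as an added example that is not part of the original thread. It reads the forest root and reports the recursive membership of Enterprise Admins, Schema Admins and the root domain's Domain Admins (in an empty-root design all three should be empty or hold only break-glass accounts), then lists every principal whose ACE on the Enterprise Admins group allows changing its membership. It assumes the ActiveDirectory module and an account that can read the forest root domain; the root DC and group names are discovered, not hard-coded, and the only fixed value is the schemaIDGUID of the member attribute.

```powershell
# Added example: audit who is in, and who can modify, the forest-wide admin groups
# held in the root domain. Runs read-only; needs read access to the forest root.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain
$rootDC  = (Get-ADDomainController -DomainName $forest.RootDomain -Discover -Service ADWS).HostName[0]
$rootSid = $rootDom.DomainSID.Value

# Well-known RIDs; these groups only exist with these RIDs in the forest root domain.
$watch = [ordered]@{
    'Enterprise Admins'  = "$rootSid-519"
    'Schema Admins'      = "$rootSid-518"
    'Root Domain Admins' = "$rootSid-512"
}

# Part 1: recursive membership. Expected: empty, or break-glass accounts only.
foreach ($name in $watch.Keys) {
    $members = @(Get-ADGroupMember -Identity $watch[$name] -Server $rootDC -Recursive)
    '{0,-18} {1} member(s)' -f $name, $members.Count
    $members | ForEach-Object { '    {0,-8} {1}' -f $_.objectClass, $_.distinguishedName }
}

# Part 2: who can write the 'member' attribute of Enterprise Admins, whether through
# a member-specific ACE, an all-properties write, or rights that imply it
# (GenericWrite, GenericAll, WriteDacl, WriteOwner).
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$eaDn  = (Get-ADGroup -Identity $watch['Enterprise Admins'] -Server $rootDC).DistinguishedName
$entry = [ADSI]"LDAP://$rootDC/$eaDn"
$rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$R = [System.DirectoryServices.ActiveDirectoryRights]
$implied = [int]($R::GenericWrite -bor $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner)

$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ((([int]$_.ActiveDirectoryRights -band [int]$R::WriteProperty) -ne 0) -and
         ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $memberGuid)) -or
        (([int]$_.ActiveDirectoryRights -band $implied) -ne 0)
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Sort-Object IdentityReference -Unique
```

Part 2 will normally list the root domain's BUILTIN\Administrators, Domain Admins and Enterprise Admins, since AdminSDHolder stamps those ACEs on the group every hour; the design point is that those groups in the root hold no day-to-day accounts, which is what Part 1 confirms. Any other identity in the Part 2 output is a delegation that bypasses the empty-root idea and should be explained or removed.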
 
smeek (Author) Commented:
Appreciate everyone's input.  I will probably stay with my single domain design but appreciate everyone's input and feedback.  Mboppe, thanks for the differing opinion, as I think I learned most from your posting.

Steve
 
KCTS Commented:
I don't think a refund is appropriate. The asker requested opinions and thoughts and to my mind each respondent provided one (or more).
Comments may also be useful to others - I suggest points split with PAQ.
 
smeek (Author) Commented:
I tried to Accept Multiple Solutions, awarding 125 points to 4 responders, a few days ago.  Please award points to the 4 people.  Did I interrupt the automated process?

Steve
 
KCTS Commented:
You can award the points by clicking on "Accept Multiple solutions" at the bottom of a reply and then select any answers you want and allocate the number of points.
 
smeek (Author) Commented:
I did that already but will try again.

S
 
Malli Boppe Commented:
You need to scroll down to accept multiple answers.