Need advice for AD design of small org
I am looking for second opinion on our AD design. I was thinking simpler was better. I currently am looking at doing single forest, single domain.
We recently merged with another firm and now have 8 total sites. 3 main with 100-300 users and 5MB WAN connections. 5 branch locations with 5-50 users and T1 connectivity to main site. Each main site has 2 DCS and each branch at least one.
Currently, we represent about half the users and have a single domain. The other users have a main domain and child domains and Exchange servers for each site. There are no significant security, legal or password differences between our sites and we hope to centrally manage (though we may delegate control to a local admin's OU). I think our bandwidth will be adequate for site to site replication as we do not rapidly change personnel.
Any other thoughts or reasons why I would NOT want to stay single domain with an OU structure based on site.
Thanks for any suggestions you can offer.
Steve
We recently merged with another firm and now have 8 total sites. 3 main with 100-300 users and 5MB WAN connections. 5 branch locations with 5-50 users and T1 connectivity to main site. Each main site has 2 DCS and each branch at least one.
Currently, we represent about half the users and have a single domain. The other users have a main domain and child domains and Exchange servers for each site. There are no significant security, legal or password differences between our sites and we hope to centrally manage (though we may delegate control to a local admin's OU). I think our bandwidth will be adequate for site to site replication as we do not rapidly change personnel.
Any other thoughts or reasons why I would NOT want to stay single domain with an OU structure based on site.
Thanks for any suggestions you can offer.
Steve
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
What are the benefits/reasons for the empty parent domain? Can you tell me how and why you chose the design you are using? Does the child domain include all servers and users across all your sites?
Steve
Steve
The root domain contains several groups including the
Schema Admins
and
Enterprise Admins
forest wide groups and a
Domain Administrators
group for the domain. However an administrator who is a member of the
Domain Admins
group in the root domain can change the membership of any groups on the server including the
Schema Admins
and
Enterprise Admins
groups. This would allow an administrator to elevate his or her own permissions.
By employing an empty root domain containing only the groups necessary to run the domain and forest, as well as keeping the administrative user accounts in a sub-domain, administrators are unable to elevate their own permissions. Only Domain Admins in the root domain can do this, of which there will be none. No user accounts are setup in the parent domain.
Even an domain admin in the child domain is restricted in doing a alot of things like.he can't set up trusts.Can't authorize a DHCP server and many more things.Can't create DNS entries if the DNS server is hosted in the parent domain.
Yeah the child domain will have all the users accounts and servers.
By employing an empty root domain containing only the groups necessary to run the domain and forest, as well as keeping the administrative user accounts in a sub-domain, administrators are unable to elevate their own permissions. Only Domain Admins in the root domain can do this, of which there will be none. No user accounts are setup in the parent domain.
Even an domain admin in the child domain is restricted in doing a alot of things like.he can't set up trusts.Can't authorize a DHCP server and many more things.Can't create DNS entries if the DNS server is hosted in the parent domain.
Yeah the child domain will have all the users accounts and servers.
ASKER
Appreciate everyone's imput. I will probably stay with my single domain design but appreciate everyone's input and feedback. Mboppe, thanks for the differing opinion as I think I learned most from your posting.
Steve
Steve
I don't think a refund is appropriate. The asker requested opinions and thoughts and to my mind each respondant provided one (or more).
Comments may also be useful to others - I suggets points split with PAQ.
Comments may also be useful to others - I suggets points split with PAQ.
ASKER
I tried to Accpet Multiple Solutions with awarding 125 points to 4 responders a few days ago. Please award points to the 4 people. Did I interrupt the automated process?
Steve
Steve
You can award the points by clicking on "Accept Multiple solutions" at the bottom of a reply and then select any answers you want and allocate the number of points.
ASKER
Idid that already but will try again.
S
S
You need to scroll down to accept multiple answers
ASKER
Steve