Best Practices for designing AD


We have a prospective client who needs to re-design the AD structure. The Client has one HQ with about 5000 users and 10 remote locations each with 200 users.

What you believe would be the best practice for designing this AD structure ?
Who is Participating?
i definitely prefer parent-child domain hierarchy because in case of disaster you will not loose complete tree.
in multiple domain environment there are some major changes required in FSMO roles placement like infrastructure master should not be place on a GC and like forest wide and domain wide roles placement etc.

yes there is some sizing requirements as Microsoft describes i am attaching a very good document about Number of Domain Controllers you can read it and about GC first let me tell you what data a GC replicates actually, A typical GC in a single domain environment contains  (User Principal Name (UPN) used to login, universal group memberships etc ) and these servers are optimal for your environment and for your company's budget also cause i made these calculations based upon my experience and MS Technet. Although you can increase RAM or even number of DC's. For instance in remote branches for backup you can place two DC's but again if you have reliable links then there is no need of it.

==about Proper FSMO role placement in a single domain environment basically follows to a few simple rules,

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

    Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferable not a global catalog server (GC) since those are often heavily used also.

Rule 2: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

how many domains you have and
If you have multiple domains then this configuration will definitely change.
==If one then (i am giving this by assuming that you are running Exchange too and you dont have any AD based application running or rather using Terminal Services if so you will have to increase number of DC's)

For HQ
place 3 DC's with atleast 4 GB RAM each and Dual Xeon or Core 2 Quad processors with RAID 1+5 (1 for OS and 5 for AD Database, logs and SYSVOL replicas) in HQ to handle authentication requests and make two of them Global Catalog. move All FSMO roles on one DC in HQ, define subnets in AD sites and services and map all subnets you are using in HQ to single site of HQ.

For Remote Locations
as per Microsoft recommendation you should place a DC whenever no of users are greater or equal to 50 according to this place one DC per site. As for hardware requirement you can safely use 1GB or 2GB with average configuration  It depends on your physical network link that you should make these DC's Global Catalog (GC) or not, for example if you have links to remote sites of 1MB or little less and do not make GC because Global catalog need high speed links for its replication for an alternate you can use UGMC (Universal group membership caching) which doesnt need high speed links because it takes GC replicas from the sites having GC servers like in your case HQ site. and also for remote sites create subnets and map to their created sites if not created create them now.

and if your network is not fully routed create sites links also so that your clients dont go any where else than their own site for authentication and if you are planning DR side also then tell me.
forgot to tell that Design your OU structure in the manner you need to proper administration, delegation and understanding.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Are there administrators in the remote locations? if not, i would place "Read-Only" domaincontrollers to increase the security there. If there were no special applications needed, you can consider, if a core server is adequate
Yes RODC would be a good choice if no or only low level administration is required at remote locations
iisme2009Author Commented:
Hi Eridzone,

Thank you for your comment.

- For multiple domains, the client doesn't have a specific requirement for having multiple domains, we should provide this in the design if it's required. So, if we need to have multiple domains, what would be your recommendations?

- Is there any specific sizing requirement that decides the number of DCs required for users authentication (for instance why you recommended 3 DCs / 2 as GCs)?

- Is it recommended to place all the FSMO roles on one DC or to distribute them ?
-  No DR site is required
How many other servers are they going to need besides DC?

I would seriously look into VM.  1 Physical DC and then VM DCs at the HQ on a second physical box, then using VM as much as possible at the branches.  If licensed correctly, VM gives your company more flexibility in design.  If you need another DC at any location, you could just deploy an extra.
Mike ThomasConsultantCommented:
For a realy basic domain design and DC placement for a company that big and with that many fair sized sites I would build a root domain in the head office (2xdc's) the root would hold no objects other than the defaults)

I would then build a child domain with 2xdc's per site and no RDOC's

200 users is a lot, that's a lot of people to authenticate over ther wire........or not at all if you loose your only dc, IMO you need a second DC per site. Also again 200 being a fair number I would imagine a fair ammount of object changes, password resets, new account creations, permission changes, group membershp changes, new pc's etc I would want to be able to do this on a DC for that site and not have to wait for replication so no RDOC's IMO.

But tbh this is too big a project to be asking about here, depending on the type of work the company does (Compliance issues etc) there will be other issues to consider in your deisgin other than physical placement of DC's

AD design goes into way more detail than where you locate DC's and what hardware they sit on you need to consider coexistence during the migration period, OU structure, how you delegate, who manages what, do Admin accounts need to be tightly secured, how group policy will be applied, how mobile users are managed etc etc etc

Not to mention all the other servers services that might rely on AD or might be affected by any change.

IMO the best advice I can give is to get somone on board who is comfortable taking this on.
iisme2009Author Commented:
Thank you MojoTech for your comments. Asking about an advise or another techy opinion doesn't necessarily mean we have to get somone on board to take things over. As you can also see, techies might have different opinions / designs for the same project.

We are planning the complete Infrastructure including Exchange and other application servers that are AD independent.
And ideally in a single domain environment all roles should be on one machine.
Have a look at the IPD for Active Directory Domain Services

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.