Solved

Active Directory planning - trying to think ahead - forests, domains, trees

Posted on 2012-04-07
Last Modified: 2012-04-09
Hello folks,

Need advice and guidance on how to go about planning and setting up Active Directory for a growing business with multiple locations. Here is the scenario:

We are a small but growing company with two main locations.  Our main office already has an existing AD domain (let's call it alpha.local) running Server 2008 R2.  We are also running Exchange 2010 at the main office.  Our second office is new and at some point will become larger than our main office.  We do not have any AD or Exchange currently at the second office, though we have hardware and software ready to set-up Server 2008 R2.

My main question is how should I plan for the AD domain/services and possibly Exchange in the second office, there will not be a VPN between the offices (due to costs and geography), plus the fact that at some point these two AD domains will need to be merged and a VPN put in place (if costs allow).

Information that is relevant:

Main office (AD domain 'alpha.local') uses Exchange and main email domain is '@alpha.com'
Second office (no AD domain), uses hosted IMAP emails with sub-domain of '@us.alpha.com'

Our aim is to allow management of Users/Computers/Resources at each office separately but with a view in the future to allow management of AD for the two offices from each site.

We also plan to move all employees using '@us.alpha.com' onto Exchange at some point either at the head office or possibly with an Exchange server in the second office.

Please ask any questions and I will provide information that will helpfully clarify.

Thank you,

tww
Question by:thewhirlwind
19 Comments
 
LVL 37

Expert Comment

by:Neil Russell
Bear in mind that you can NOT merge Active Directory domains once created. If they are separate to start with then that's how they stay unless you MIGRATE all the user accounts across to one or the other domain.
 
LVL 17

Expert Comment

by:Anuroopsundd
As you do not have any link between the offices there is no way to have the existing Domain extended to the second office.

As you already have the hardware for setup of the new Domain you can set up a new Forest/Domain for the second office and get the machines in.
If in future you have to move Exchange to the new domain you will set up the Exchange server over there and just need to get your MX records changed so that the mails get to the new Exchange server.

In case in future you have the link in between the offices you can make the Forest trust between the existing domain and the new Domain. You may also migrate the machines from one domain to the other after the trust is there.
 
LVL 6

Expert Comment

by:awaggoner
Single forest, and single domain should be fine.

Be sure to set up the AD sites.

All of your management and separation of duties can be done at the OU level.

Having multiple forests and domains will just make your setup unnecessarily complex, unless you are talking about tens of thousands of users.
 
LVL 17

Expert Comment

by:Anuroopsundd
@awaggoner - how will he do single forest single domain when there is no link between the offices?
 
LVL 6

Expert Comment

by:awaggoner
As long as each site has an Internet connection, there should not be a problem.

Just set up a site-to-site IPSec tunnel between each location.  Any decent firewall should have this feature built in.

This can be set up in less than 30 minutes
 
LVL 17

Expert Comment

by:Anuroopsundd
That's what he said in the beginning: they do not want to have it right away.
 
LVL 21

Expert Comment

by:yo_bee
Awaggoner beat me to it, but I will still say my piece.

If you have internet access at your remote office you can stand up RRAS (Routing & Remote Access Service) on your Domain using Windows 2008 Roles that are part of the OS without any further cost.

Routing and Remote Access Service

Then setup SMTP site link between the two sites using Sites and Services

How to set up SMTP replication on Windows Server 2008-based domain controllers

This will allow for DC to have a disconnect without having any conflicts with replication.
 
LVL 6

Expert Comment

by:awaggoner
Setting up the site-to-site now would save a lot of time, effort, and money later.

If they are worried about security, they could configure the link to only allow AD replication traffic.

Setting everything up stand-alone then trying to merge things later makes this much more complex than it should be.
 
LVL 17

Expert Comment

by:Anuroopsundd
That's true, that is the best way to have a single forest/Domain and will save a lot of time in the future. This way it will also be much less effort to manage a single domain and require less effort for troubleshooting.
 
LVL 21

Expert Comment

by:yo_bee
The other option, but more difficult, is standing up two separate Domains & Forests and later setting up a Forest/Domain trust.
I do not like this idea since you already have a road map for the two sites being part of the same Domain or Forest.

-Mike-
 

Expert Comment

by:PeterCourt
I agree totally with the previous comments. Why on earth would they not "want a VPN" connection .. but do want integration between their sites?

VPNs don't cost any more than an Internet link. It sounds very much like someone is thinking they need a private VPN via a telco where traffic is not via the internet, but costs are 5-10-20 times larger than a plain internet link.  There is no need to go to that extent. As far as I know there are no known security exploits of IPsec VPNs.  In fact even the much maligned PPTP in current forms has no known exploits.

With modern ipSec VPNs via Firewall to Firewall or using RRAS IMHO you would be mad not to setup a VPN between the sites.

I support a 100 user company with 7 sites using ADSL internet links in most (and 4Mbit/s sync wireless at HO) all as a single Domain. Each site as an OU allows any customisation you want.


rgds .. Pete
 
LVL 1

Author Comment

by:thewhirlwind
Thank you all so far for the answers and guidance.

To clarify the VPN question, this is made up of a mix of cost, location and politics:

- We would like to establish the AD/Exchange at the second office and keep the two offices separate until there is actually a business requirement to link the two sites.

- The IT Manager at the main office is not experienced in managing multiple sites and AD/Exchange generally, so he is quite resistant to the VPN.  He also does not want anything to change on the existing AD domain and main office. He needs more training and a kick in the butt to go and learn some new stuff... (in reality I am asking these questions so I can then tell him here is the answer you have been looking for and that there is a lot of help available out there).

- On the cost/location aspect, we have remote operations that do not have access to ADSL or Internet connectivity at a reasonable cost (comms take place over VSAT; for example, currently we pay $11,000 per month for 10Mbps) and the link has to carry all data/VoIP traffic for a facility catering for 400 to 500 people. I want to consider these locations as we may need to deploy AD/Exch to them also at some point.

- My other objective is to determine if we establish a local AD domain and Exchange at our second office with a view that at some point in the future when the management of the firm feel that we need to connect the two offices, we do not need to go back to the drawing board.
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 250 total points
Ok.. then we are back with the solution I mentioned earlier.  That is the best option left...


"As you do not have any link between the offices there is no way to have the existing Domain extended to the second office.

As you already have the hardware for setup of the new Domain you can set up a new Forest/Domain for the second office and get the machines in.
If in future you have to move Exchange to the new domain you will set up the Exchange server over there and just need to get your MX records changed so that the mails get to the new Exchange server.

In case in future you have the link in between the offices you can make the Forest trust between the existing domain and the new Domain. You can migrate the machines from one domain to the other after the trust is there."
 
LVL 1

Author Comment

by:thewhirlwind
So we go down the new domain in a new forest path....

How about naming of the new forest root domain?

Can we name it the same as the forest root domain of our main office, 'alpha.local'? Or does it need to be different, for example 'beta.local'?
 
LVL 6

Accepted Solution

by:awaggoner
awaggoner earned 250 total points
You do not want the same forest/domain name for both.

If you do, then you will have to rename it when you do the trust relationship or migration.

I still believe you are putting an extra burden in cost, complexity, and time by not setting things up efficiently to begin with.  However, sometimes politics and inertia do conspire to make a hash of things.

Be sure to pass along the more efficient model as well as the trust relationship model and document everything.  That way, when the time comes to connect everything together, you won't get caught in the crossfire about the extra costs/complexities.  And who knows, if everything is spelled out to them and documented, the powers that be may not want to be the ones to assume the responsibility for the extra costs.
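A pre-trust naming check in the spirit of the accepted answer above. This is an added example, not code from the thread or from any of its participants: it assumes the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later) and network reachability to one domain controller in each forest; 'beta.local' and the DC host names are placeholders, 'alpha.local', 'alpha.com' and 'us.alpha.com' are the names used in the question.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a reachable DC per forest.
Import-Module ActiveDirectory

function Test-ForestNameCollision {
    param(
        [Parameter(Mandatory=$true)][string]$DcA,          # a DC in the main-office forest, e.g. dc1.alpha.local (placeholder)
        [Parameter(Mandatory=$true)][string]$DcB,          # a DC in the second-office forest, e.g. dc1.beta.local (placeholder)
        [System.Management.Automation.PSCredential]$CredB   # optional: an account valid in the second forest
    )
    # Query each forest through its own DC, so this works before any trust exists.
    $a  = Get-ADForest -Server $DcA
    $da = Get-ADDomain -Server $DcA
    if ($CredB) {
        $b  = Get-ADForest -Server $DcB -Credential $CredB
        $db = Get-ADDomain -Server $DcB -Credential $CredB
    } else {
        $b  = Get-ADForest -Server $DcB
        $db = Get-ADDomain -Server $DcB
    }

    $problems = @()

    # 1. Identical forest root DNS names (alpha.local on both sides): a trust cannot be created at all.
    if ($a.RootDomain -ieq $b.RootDomain) {
        $problems += "Forest root DNS name '$($a.RootDomain)' is used by both forests; rename one before trusting or migrating."
    }
    # 2. Identical NetBIOS names block trust creation just as surely and are easy to overlook.
    if ($da.NetBIOSName -ieq $db.NetBIOSName) {
        $problems += "NetBIOS domain name '$($da.NetBIOSName)' is used by both forests."
    }
    # 3. Overlapping name suffixes (domain DNS names plus explicit UPN suffixes such as alpha.com / us.alpha.com):
    #    a forest trust disables duplicated suffixes for routing, so logons using them become ambiguous.
    $suffixesA = @($a.Domains) + @($a.UPNSuffixes)
    $suffixesB = @($b.Domains) + @($b.UPNSuffixes)
    $shared = $suffixesA | Where-Object { $suffixesB -icontains $_ } | Sort-Object -Unique
    if ($shared) {
        $problems += "Name suffix(es) present in both forests: $($shared -join ', ')."
    }

    [pscustomobject]@{
        ForestA    = $a.RootDomain
        ForestB    = $b.RootDomain
        Compatible = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage with placeholder DC names; every reported problem should be resolved before the trust is created.
Test-ForestNameCollision -DcA 'dc1.alpha.local' -DcB 'dc1.beta.local' | Format-List
```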
 
LVL 1

Author Comment

by:thewhirlwind
How about setting up the second office as a new forest/domain but using a child domain?

For example: 'newoffice.alpha.local' (the main office being 'alpha.local')

Will this have any impact or make the migration and future any easier to handle?
 
LVL 6

Expert Comment

by:awaggoner
You would need the VPN with a child domain, and you said that is not possible.

If a VPN is possible, the best solution would be to use organizational units as management and security zones.  The second best would be two parallel domains.  A child domain would be the third choice.
 
LVL 1

Author Closing Comment

by:thewhirlwind
Thank you for the suggested solutions and aspects to take into consideration.
 
LVL 17

Expert Comment

by:Anuroopsundd
You require a new forest and new domain. There is no way you can create a child domain. To create a child domain you require the parent domain to exist first...