Large corporation single forest with single domain

Hi Experts,

Has anyone ever heard of a large worldwide corporation using a single forest with a single domain? I know that a domain is no longer considered a security boundary, so it seems there would be little difference other than replication between that and a single forest with multiple domains. A single domain is attractive as far as administration is concerned. Can anyone give me the pros and cons?
8/22/2022 - Mon
Mike Kline

When you say large, I'm talking 100k users or more. I've heard of a lot of places, including branches of the military, trying to consolidate, but most are not fully there yet.

If you have fast links and can handle the replication it should be OK... and while the forest is the security boundary, I still consider the domain the "oops boundary".

...full disclosure, I stole that from someone at Microsoft.

What is your current model, single forest with multiple domains or multiple forests?
Hello wm48312,

I am actually working on developing an enterprise architecture using a single forest/domain. Due to the lack of systems administrators, I strongly believe that structuring the domain and rolling up sites using subnets and administering them under appropriate OUs is the way to go. Each site will have an RODC with UGMC to alleviate the need to constantly query group membership back to the Enterprise. Another big point I stress is the ability to designate a help desk presence using delegation without assigning Domain Admin permissions. Disaster recovery for a site is, in my opinion, simplified; you do not have to worry about transferring and seizing FSMO / OM roles since the 5 roles belong in one Domain and at the Enterprise. I hope my viewpoint helps you in making your decision.
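
A way to check the three points above in a single-domain design (where the five operations master roles sit, whether RODC-only sites actually have Universal Group Membership Caching enabled, and which principals hold explicitly delegated rights on OUs), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the domain and configuration partitions.

```powershell
# Added audit script, not from the thread. Assumes the RSAT ActiveDirectory module
# and a domain-joined session with read access to the domain and configuration partitions.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Operations master roles. In a single domain all five sit in one place, which is
#    what makes site-level disaster recovery simpler than juggling per-domain holders.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Sites served only by RODCs should have Universal Group Membership Caching on,
#    otherwise every logon still chases universal group membership back to a hub GC.
#    UGMC is bit 0x20 of the 'options' attribute on the site's NTDS Site Settings object.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dcs      = Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly
$dcs.Site | Sort-Object -Unique | ForEach-Object {
    $site     = $_
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$site,CN=Sites,$configNC" -Properties options
    $ugmc     = (([int]$settings.options) -band 0x20) -ne 0
    $rodcOnly = @($dcs | Where-Object { $_.Site -eq $site -and -not $_.IsReadOnly }).Count -eq 0
    [pscustomobject]@{ Site = $site; RodcOnly = $rodcOnly; UgmcEnabled = $ugmc; NeedsAttention = ($rodcOnly -and -not $ugmc) }
} | Format-Table -AutoSize

# 3. Delegation review. Explicit (non-inherited) Allow ACEs on each OU, minus the
#    principals the schema default security descriptor puts on every OU, show who has
#    been handed help-desk style rights. Domain Admins should never need to appear here.
$nb = $domain.NetBIOSName
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', "$nb\Domain Admins", "$nb\Enterprise Admins"
)
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou  = $_
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $defaultPrincipals -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Principal = $_.IdentityReference.Value; Rights = $_.ActiveDirectoryRights }
    }
} | Format-Table -AutoSize
```

The third section lists every explicit OU grant to a non-default principal; anything there that is not a deliberate help-desk delegation is worth a second look.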


Yes, it is 100k+. Current model is multi-forest. All good points so far and many of them are already considered. Certainly a multi-forest model must be more secure than a single forest. I guess I should probably mention too that not all forests trust all the other forests. One of my concerns is that some of the countries these servers will be in are not exactly friendly.

Most data centers are secure and located in friendly countries; others are less secure only because of their physical location, but data is mirrored to another location. It seems to me that an intrusion could gain access to the entire domain, whereas in a multi-forest model that would not be possible, or at least would be more difficult.