Large corporation single forest with single domain

wm48312 used Ask the Experts™
Hi Experts,

Has anyone ever heard of a large worldwide corporation using a single forest with a single domain?  I know that a domain is no longer considered a security boundry so it seems there would be little difference other than replication between that and a single forest with  multiple domains.  A single domain is attractive as far as administration is concerned.  Can anyone give me the pros and cons?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013

When you say large I'm talking 100k users or more.  I've heard of a lot of places including branches of the military trying to consolidate but most not fully there yet.

If you have fast links and can handle the replication it should be ok....and while the forest is the security boundary.  I still consider the domain the "ooops boundary".  

...full disclosure i stole that from someone at Microsoft.

what is your current model, single forest with multiple domains or multiple forests.


Hello wm48312,

I am actually working on developing an enterprise architecture using a single forest/domain. Due to the lack of systems administrators, I strongly believe that structuring the domain and rolling up sites using subnets and administering them under appropriate OUs is the way to go. Each site will have an RODC with UGMC to alleviate the need to constantly query group membership back the Enterprise. Another big point I stress is the ability to designate a help desk presence using delegation without assigning Domain Admin permissions. Disaster recovery in my opinion for a site is simplified, you do not have to worry about transferring and seizing FSMO / OM roles since the 5 roles belong in one Domain and at the Enterprise. I hope my viewpoint helps you making your decision.
I routinely set up Enterprise MS 2008 Domains and there is really no reason to make anything but a single domain in a single forest. Ok there are reasons, but unless you just really need another domain, KISS ;)
What I'd be considering is your OU structure (put some thought into that, grouped by in my case Schools-High Schools-Loganville High-then Admins, Staff, Students, Workstations and possibly laptops to apply specific policy to them, whether user specific or computer app deployments, proxy settings, etc.

Then your replication would need to be considered and cost/interval set in Sites and Services. Those would depend on your WAN links so set accordingly.

Use A Naming Convention!!!!! Use something and FOLLOW it. When you use the same name in AD, it makes remote file servers, app servers etc names so much easier to remember (no more IP's) Something like: MyCoDC01, MyCoFS01 (DC=domain controller, FS =file server) TRUST ME!!! This makes long term management so much easier when you have to come off the hip in  a crunch with a guess of a computer hostname and it works!
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


Yes it is 100k+.  Current model is multi forest.  All good points so far and many of them are already considered.  Certainly a multi forest model must be more secure than a single forest.  I guess I should probably mention too that not all forest trust all the other forests.  One of my concerns is that some of the countries these servers will be in are not exactly friendly.
Top Expert 2013
ok now that throws another wrinkle into the mix.  RODCs can come into play in that scenario.  Are your data centers secure?  

I know govt agencies that have DCs in some 'not friendly" countries but they are secure.


Most data centers are secure and located in friendly countries, other are less secure only because of their physical location but data is mirrored to another location.  It seems to me that an intrusion could gain access to the entire domain where in a multi forest model that would not be possible or at least more difficult.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial