Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Active Directory

Posted on 2013-06-27
5
Medium Priority
?
185 Views
Last Modified: 2013-07-09
I am looking for best practice setup of our environment.
This is what we presently have now, and it is very confusing:
I am just helping someone who has this situation. three data centers, each data center has four forest with single domain, one for public, one for data, one for emails, and one for something else. Some of them have trust relationships.

location 1:

publictraffic.col.abc.com
datatraffic.col.abc.com
emailtraffic.col.abc.com
somethingelse.col.abc.com

location 2:

publictraffic.den.abc.com
datatraffic.den.abc.com
emailtraffic.den.abc.com
somethingelse.den.abc.com

location 3:

publictraffic.por.abc.com
datatraffic.por.abc.com
emailtraffic.por.abc.com
somethingelse.por.abc.com

As you can see there are 12 domains.

We want to redesign this, and what would be best practice, create one forest say:

root domain:  xyz.com then create child domains

public.xyz.com,  email.xyz.com   data.xyz.com

My concern here is the FSMO's.     Since Schema & Domain naming is per forest, what happens if I loose the DC.

WHat is the best practice for redesigning.
thanks
0
Comment
Question by:techgenious
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39281770
Have you also thought about just going with one domain xyz.com?  You can create zones for public/email/data.

Even if you go with three domains if you lose the FSMO that holds the forest wide roles you would either repair the server or seize the FSMO roles (no different than in a single domain).   The schema master and domain naming master are fairly quiet and don't have a lot to do.

Thanks

Mike
0
 
LVL 7

Assisted Solution

by:Matthew England
Matthew England earned 500 total points
ID: 39282033
Consolidating down to a single forest would simplify things greatly. There's really no need to have seperate forests and domains at each datacenter. Delegation can be used to ensure admins at each datacenter have the proper privledges, and AD Sites can be defined to help control any replication traffic.

As for splitting up the domains, I agree with your approach to create a central root domain, then use child domains for each function, (ie Exchange, Something Else.) While it's actually not neccisary to have seperate forests or domains for different services like Exchange, Users, SharePoint etc., in some larger more complex or high security environments I have seen this setup work well.

From a "best-practices" perspective, Microsoft reccomends keeping it as simple as possible. Before you create any new forests or domains, always outline exactly why those are being created. For example, some GPO's are domain wide settings. Account policies being the major one. While you can use Fine Grained Policies to adjust this, if Account Policies for servers and Admins need to be different than those for typical users and PC's, that may be a good indicator of creating seperate domains. The Administrative management of both groups are quite different.

One of the good reasons things like Exchange are often found issolated, is because Exchange, Lync, Configuration Manager and various other Microsoft Server applications require Schema modifications be made, which are forest wide changes. While it's not required they be issolated, doing so allows the Exchange group to manage their systems, including schema updates, without worry of impacting other core groups.

The following article provides a lot of goood information pertaining to deciding when to break up domains and forests, and what to consider in doing so.
http://technet.microsoft.com/en-us/library/bb727085.aspx#EJAA
0
 

Author Comment

by:techgenious
ID: 39282036
I understand that, but our concern is a single point of failure especially with the FSMO's.
Is there another way to configure this.
0
 
LVL 7

Expert Comment

by:Matthew England
ID: 39282049
http://technet.microsoft.com/en-us/library/cc755450(v=ws.10).aspx

FSMO Roles shouldn't be a factor in determining your design really, other than where to place them. Unforunatly they will always be a single point of failure, but if you're environment is being properly monitored and maintained, the impact of losing any one DC, should be quite minimal. As mentioned, they can be moved and recovered fairly easily when needed.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39284260
There's some info on FSMOs and what would happen if any specific FSMO is down for any length of time, permanently or termporarily.

Active Directory FSMO Roles Explained and What Happens When They Fail and Why you may not be able to keep a DC up once roles were seized.
http://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx
 
Regarding the domain consolidation you have to do lot of work.You need to understand nuances of ADMT and its working before you actually taken on migration production env.Also, its much better if you can simulate in a lab environment for successful result. I have below link which might help you to understand this. Start from reading ADMT guide first.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

MIGRATING STUFF WITH ADMTV3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

ADMT Series
http://blog.thesysadmins.co.uk/category/admt

Note:ADMT doesn’t have an Exchange/mailbox migration option.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question