Solved

Active Directory Domain Name

Posted on 2014-11-18
471 Views
Last Modified: 2014-12-04
We are re-designing a customer's AD and based upon the following I was hoping to get some feedback/thoughts.
Microsoft's best practice for the TLD is not to use .local, but to use a sub-domain of the public external domain name. So if the domain name is somedomain.com, the root forest TLD would be ad.somedomain.com.
The company structure is that there is an umbrella management group ("CompanyGroup") which owns/operates multiple companies ("CompanyA", "CompanyB"). Currently all networks are individually configured using companyA.com and companyB.com as their own internal TLD.
CompanyGroup does not own any public domain names, nor do they use email or any other service attached to their CompanyGroup name - they operate under each of CompanyA, CompanyB.
Office 365 integrated with DirSync is on the horizon as well - I read that it is worth having this correct and matching the domain names of email as well.

My thought was to configure a TLD such as ad.companygroup.com once I was able to purchase a new domain name for CompanyGroup, but do I need it? I mean, if CompanyGroup is not being used anywhere, should I use ad.CompanyA.com as the Forest Root and then add ad.companyB.com as a new tree?
Ideally we will try and migrate as much as possible from the existing AD, but I am happy to start over if it means a well designed AD.
0
Question by:Flipp
12 Comments
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 500 total points
The company structure would seem to dictate the design.  You could consider the CompanyGroup the blank AD root (forest root) and the subsidiary companies' domains in the forest.

I tend to want to keep things simple (relatively), my thinking goes along the line:

1. root domain = companygroup.org (since it's never used, safe)
2. child domains = company?.com

forest root - companygroup.org (blank root, min 2 DCs or 1 DC in each root datacenter for redundancy)
child --- companyA.com
child --- companyB.com
child --- companyC.com

I've used/managed this type of structure in 3 different enterprises, all larger than 1000 users.

Dan
0
 
LVL 6

Author Comment

by:Flipp
When you say a 'child', do you mean a tree or sub/child domain?

Would you suggest to use Microsoft's recommendation in using ad.companygroup.org instead of companygroup.org?

Did you mean to write "org", and therefore purchasing that domain and using it for AD?

I think you are describing what I read at http://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx in a Dedicated Root Domain. Is that correct?

Because a User in CompanyA also works in CompanyB, would it still be best to have them configured as user@companyA rather than creating users under root domain as user@companygroup? We want to avoid creating multiple instances of same User across AD, so through trusts can we assign user@companyA access to CompanyB resources (folder/printers)?
0
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 500 total points
When I say child, I mean a domain in the forest which is not the root domain.  It could be a subdomain, but doesn't have to be.

IMO, I would just use companygroup.org (or .net) since it will not be actively used on the Internet.  For example, say a company owned companygroup.com, .net and .org.  Since companygroup.com would probably be used for Internet available services (email, website), I would use either the .net or .org for AD.

My opinion is to buy all 3 domains (com, net & org) for the companygroup just to protect the firm's online identity.  Even if they're not used.

Yes, when I say blank root, I mean a dedicated root domain.

If you decide to use a blank root (dedicated root domain) nothing other than a few admin or service accounts and a few DCs should reside there.  No general-use user accounts in the dedicated root domain!

Since you will have multiple child domains in a single forest, there is automatically a transitive trust in place.
Reference link:  http://technet.microsoft.com/en-us/library/cc754612.aspx

Because of the 2-way transitive trusts that are automatically created between domains in a single forest, you can do the following:

- users in companyA have their accounts created in companyA.com AD domain
- users in companyB have their accounts created in companyB.com AD domain (etc...)
- userA@companyA can be a member of groupB in companyB, granting userA access to companyB resources.
- users need only 1 AD account in any of the child domains

Dan
0
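The group/trust arrangement Dan describes (one account per user in the home domain, access to the other domain's resources through group membership over the automatic intra-forest trust) as an added PowerShell example. This is not code from the thread; it assumes the RSAT ActiveDirectory module, the domain names companyA.com / companyB.com from Dan's layout, a sample user `userA`, hypothetical group names, and a placeholder share path.

```powershell
# Added example (not from the thread): verify the automatic intra-forest
# trust and grant a companyA user access to a companyB folder without a
# second account. Group names, user name and share path are placeholders.

Import-Module ActiveDirectory

# 1. Trusts created automatically when the child domains were added.
#    IntraForest = True and Direction = BiDirectional is what makes the
#    cross-domain group membership below work without any extra trust.
Get-ADTrust -Filter * -Server 'companyB.com' |
    Select-Object Name, Direction, IntraForest, ForestTransitive

# 2. Role group in the user's home domain (Global scope: members come from
#    that domain, but the group can be used anywhere in the forest).
New-ADGroup -Name 'CompanyA-ProjectX-Users' -GroupScope Global `
    -GroupCategory Security -Server 'companyA.com'
Add-ADGroupMember -Identity 'CompanyA-ProjectX-Users' `
    -Members 'userA' -Server 'companyA.com'

# 3. Resource group in the domain that owns the share (DomainLocal scope:
#    may contain principals from any trusted domain, here the companyA group).
New-ADGroup -Name 'ProjectX-Share-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Server 'companyB.com'
$roleGroup = Get-ADGroup -Identity 'CompanyA-ProjectX-Users' -Server 'companyA.com'
Add-ADGroupMember -Identity 'ProjectX-Share-Modify' `
    -Members $roleGroup -Server 'companyB.com'

# 4. Only the resource group goes on the folder ACL. Run on the companyB
#    file server; the path is a PLACEHOLDER.
$path = 'D:\Shares\ProjectX'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'COMPANYB\ProjectX-Share-Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Confirm the membership resolved: the member DN is the real DN of the
#    companyA.com group, i.e. one AD account for userA, no duplicate.
Get-ADGroup -Identity 'ProjectX-Share-Modify' -Server 'companyB.com' -Properties Members |
    Select-Object -ExpandProperty Members
```

Keeping users in global groups of their own domain and putting only domain-local groups on ACLs (the usual AGDLP pattern) is what keeps "1 AD account per user" true as more companies are added: a new company's users get a global group in their domain, and that group is added to the existing resource groups.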
 
LVL 6

Author Comment

by:Flipp
Brilliant ... I think I dreamt about domains and trusts last night :)

For naming of the AD domain I will use ad.companygroup.org in the dedicated root domain, but would I also use ad.company1.com and ad.company2.com for all company domains that are added?
0
 
LVL 26

Expert Comment

by:Dan McFadden
For the root domain, I think the "ad" suffix is somewhat irrelevant because the domain has no Internet presence and would be put in place specifically to house the forest root.  Either way, it's fine.  My preference would be to use "companygroup.org" as the forest root.

As for the child domains, like you, I would use the domains with the "ad" suffix... meaning "ad.company1.com", etc.

Dan
0
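The naming settled on above (forest root companygroup.org, company domains ad.company1.com etc.) built with the AD DS deployment cmdlets, as an added example that is not Dan's or Flipp's code. It assumes Windows Server 2012 R2 or later on the new DCs and the placeholder names from this thread; because ad.company1.com is not a DNS child of companygroup.org, it joins the forest as a new tree rather than a child domain.

```powershell
# Added example (not from the thread): promote the dedicated forest root,
# then add the first company domain as a new tree in that forest.
# Assumes Server 2012 R2+ and the placeholder names used in the thread.

# --- On the server that becomes the first DC of companygroup.org ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'
Install-ADDSForest `
    -DomainName 'companygroup.org' `
    -DomainNetbiosName 'COMPANYGROUP' `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- On the server that becomes the first DC of ad.company1.com ---
# ad.company1.com is not under companygroup.org in DNS, so DomainType is
# TreeDomain; ParentDomainName for a tree is the forest root. No DNS
# delegation is created because the root zone does not contain this name.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$rootCred = Get-Credential -Message 'Enterprise Admins account in companygroup.org'
$dsrm     = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'
Install-ADDSDomain `
    -NewDomainName 'ad.company1.com' `
    -NewDomainNetbiosName 'COMPANY1' `
    -ParentDomainName 'companygroup.org' `
    -DomainType TreeDomain `
    -DomainMode Win2012R2 `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -Credential $rootCred `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Afterwards, from any DC: the forest should list both domains.
(Get-ADForest).Domains
```

Repeat the second half with `ad.company2.com` / `COMPANY2` for each further company. The DSRM password is per DC and should be recorded securely; the Enterprise Admins credential is only needed while the new tree is created.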
 
LVL 26

Expert Comment

by:Dan McFadden
Did this info help out your planning?
0
 
LVL 6

Author Comment

by:Flipp
Absolutely!

I am currently trying to plan or schedule a domain rename, or tear down and start over, then look to create the correct structure with the root domain and trees in the forest.
0
 
LVL 6

Author Comment

by:Flipp
Do you have any thoughts on either:
1. Use Domain Rename tool to rename domain of SBS 2003 Server
OR
2. Tear down AD and create new domain using new name

Reason I ask is that we are preparing for an Exchange 2003 move to the cloud which will sync AD user accounts, so I am trying to plan which steps we do first. Do we rename the AD domain, then link to the new AD root, then migrate Exchange?
OR
Do we migrate Exchange, tear down AD and manually rebuild into the new naming and AD root?
0
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 500 total points
It depends on the urgency of the Exchange migration.  I would first deploy a new AD infrastructure, migrate your users to the new domain and then move Exchange.  The logic goes:

- your existing systems are functioning
- your users have their normal services as expected
- you can build the new AD infrastructure in parallel with existing systems/services without interrupting those services
- you will not have to waste time tweaking your old AD to work properly with the cloud sync process
- you can migrate your user base and focus on addressing any outstanding issues with AD
- when you move your messaging to the cloud, you will be doing so with the new AD structure, fewer potential issues
- this would allow you to focus on troubleshooting one major migration at a time
- you will not have to do double work on AD

As for the renaming tool, I am not a fan.  It may work perfectly fine, but my opinion is that this is a significant migration; it will serve the company better in the long run to spend IT time upfront to properly plan and deploy, than to quickly deploy and spend time planning how to address legacy structure issues, which tend to be harder to fix.  In the long run, you will probably have to do a massive AD switch anyway.  Do it now, and do it cleanly.

Dan
0
 
LVL 6

Author Comment

by:Flipp
Reading more into the rename tool it is not even supported on SBS so it looks like a migration to new domain is called for ;)

re. the root domain (companygroup.org) and then each domain (ad.company1.com, ad.company2.com): is it a requirement to have a DC per domain (i.e. in the above example, 3 DCs)?
Reason I ask is that CompanyGroup (who also run Company1) have recently invested in a single piece of hardware due to run Hyper-V, so is it possible (not ideal I know) to run a DC for the forest root on 1 VM and another DC for ad.company1.com on a 2nd VM on the same host?

Any info or links you can send me on orchestrating a parallel build of AD or migration would be great. As you have probably guessed this will be my first AD migration - normally we have done a manual tear down and rebuild for single site customers.
0
 
LVL 26

Accepted Solution

by:Dan McFadden
Dan McFadden earned 500 total points
Minimum requirement for a domain is 1 DC per domain.  A DC can only support one domain, it cannot run more than one.  I recommend at least 2 DCs per domain to help create a redundant infrastructure.  So, with a blank root and 2 child domains, I would deploy 6 DCs or more depending on the geographical structure of the company.

As for Hyper-V... yes you can virtualize your DCs.  But 1 physical server running Hyper-V is not safe.  You have 1 major single-point-of-failure, the physical server.  If that goes down or has a major issue, say with storage, your entire AD infrastructure is offline.  For a production environment, I would recommend a clustered Hyper-V configuration, 2 servers minimum.

Link:  http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

Then there is also the question of how the hardware for the Hyper-V server is configured.  If it is a standard, run of the mill server or higher end workstation, it's not good enough.  You need a decent enterprise class setup.  Multiple CPUs, plenty of RAM and multiple HDDs attached to 1 or more RAID controllers, multiple NICs with multiple ports, dual power supplies.  I'd also have at least 2 network switches in place to avoid a network failure.

I would also recommend at least 1 physical DC, in the root domain, to hedge against virtual server issues and the fact that the Hyper-V server needs to join the root domain as a member server (not a DC) before deploying a 2nd DC in the root or the other child DCs.

A parallel build of AD is straightforward: build, configure & deploy.  Migration is the 2nd phase of the project and needs to be well coordinated in order to minimize the disruption of end-user services and their daily routine.

Link:  http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

The migration would require the analysis of existing systems and services, the effect on those systems if migrated, the effect on the end-users, the required services (email, file, print, web, etc), 3rd party software that may be running on a server and a time schedule for tasks and downtime for the move.

But I would say "how to do an AD migration" is outside the scope of your original question.

Dan
0
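Dan's rule of thumb (1 DC per domain is the minimum, 2 per domain for redundancy, and all DCs on one Hyper-V host is still a single point of failure) turned into a forest-wide check, as an added example that is not from the thread. It assumes the RSAT ActiveDirectory module, an account that can read every domain in the forest, and WinRM access to the DCs for the optional virtual/physical step; the function name is hypothetical.

```powershell
# Added example (not from the thread): report DC count per domain against
# the "at least 2 DCs per domain" rule and list where each DC runs, so a
# domain whose only DCs sit on one Hyper-V host stands out.

Import-Module ActiveDirectory

function Get-DcRedundancyReport {
    param([int]$MinimumPerDomain = 2)   # Dan's recommendation

    foreach ($domain in (Get-ADForest).Domains) {
        # -Server <domain name> makes the query go to that domain's DCs
        $dcs = @(Get-ADDomainController -Filter * -Server $domain)
        [pscustomobject]@{
            Domain    = $domain
            DcCount   = $dcs.Count
            Sites     = ($dcs.Site | Sort-Object -Unique) -join ', '
            GCs       = @($dcs | Where-Object IsGlobalCatalog).Count
            DCs       = $dcs.HostName -join ', '
            Redundant = ($dcs.Count -ge $MinimumPerDomain)
        }
    }
}

# Redundant = False means that domain is one failure away from being
# offline (a root domain with one DC takes the whole forest's Kerberos
# trust path with it).
Get-DcRedundancyReport | Format-Table -AutoSize

# Optional: is each DC a Hyper-V guest? AD does not record this, so ask the
# DC itself over WinRM. Hyper-V guests report Model = "Virtual Machine".
# A domain where every DC prints "Virtual Machine" has no physical DC.
$allDcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
foreach ($dc in $allDcs) {
    $model = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-WmiObject -Class Win32_ComputerSystem).Model
    }
    '{0,-40} {1,-25} {2}' -f $dc.HostName, $dc.Domain, $model
}
```

Run this once the new forest is stood up and again before the Exchange cut-over: the first run shows where a second DC is still missing, the second confirms nothing was demoted in between. The model check is the only part that needs WinRM; the report function works with read access to AD alone.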
 
LVL 6

Author Closing Comment

by:Flipp
This has been hands down the most valuable question/answer I have been a part of.
Cheers Dan
0
