Rebuilding Active Directory Domains

Posted on 2016-10-27
Last Modified: 2016-10-31
We have been asked to rebuild our Active Directory domain and we need guidance. We are being asked to build out a multi-tree domain structure now. We just bought 3 companies and each company needs to be a tree in a forest. We want an AD root level domain and we want each of our companies (including ours) to be one of the trees. We DO have an Exchange organization in our domain currently, but the other companies use Gmail. When we are finished, they will reside on our Exchange organization. We really don't have a good idea of what we need to do, so I'm hoping that someone can provide some insight on how to do this and what steps should be done in what order. We have enough hardware to employ AD Sites & Services and have a controller at each site. These sites are all connected via MPLS connections, so connectivity is reliable and fast. I also should mention that 2 of the domains we currently have use a .local for top level domain, so we will likely want to build out a completely new AD structure, as we do not want these .locals in our environment.
Question by: Eric Hummel
5 Comments

Expert Comment

by:Lee W, MVP
ID: 41863036
Why do you think you need multiple domains? When Microsoft first released AD in Windows 2000 it was STRONGLY recommended to FLATTEN the network - as few domains as possible. In general, you want ONE domain, properly structured with OUs that can be DELEGATED to local IT operations staff.

Author Comment

by:Eric Hummel
ID: 41863088
It was felt like with a Single Forest Multi-domain model, it would be much easier to snap in future companies that we purchase.

Expert Comment

by:Lee W, MVP
ID: 41863357
How is that easier? You have to build a domain for a future company and then build a second DC (increasing licensing costs) for redundancy.

Plan your OU structure appropriately and then all you have to do is create accounts and migrate users to your domain.  And as necessary delegate management authority over that OU.

Expert Comment

by:Lee W, MVP
ID: 41863358
When you acquire companies, you may be able to temporarily set up a trust (unless the acquired company has an SBS/Essentials/Foundation based network, which doesn't permit trusts anyway).

Accepted Solution

by: zalazar (earned 500 total points)
ID: 41864561
With multiple domains you create an administrative boundary, so in terms of who is allowed to do what it is somewhat easier.
If you would have different IT departments then a multiple forest model (with a forest trust) is probably better, as in this case every IT department is responsible for managing/upgrading their own forest. This of course depends on the AD administration model you would use.

But with multiple domains/forests you have more AD administrative/maintenance work.
More domains/forests also require more domain controllers, so more servers which should also be managed/patched etc.
And with more domains/forests it can be more difficult to enforce security policies, settings and best practices.
With more domains the disaster recovery procedure is more difficult.

A single domain model is easier if you have more locations. Otherwise this would (for performance reasons) require domain controllers for every domain in every location.
If you have users from different companies that need access to shared applications/data then you need domain local groups, as these can hold users/groups from different domains/forests. These domain local groups occupy 40 bytes in the Kerberos ticket compared to 8 bytes for a global security group.
Setting up software distribution with more domains/forests will probably also be more difficult.

With AD you have enough possibilities to create delegation via OUs and assign permissions to create e.g. user/group/computer objects within their own OU. Also for Group Policies you can set up delegation.
Instead of using the default delegation wizard I normally set these permissions manually, as in this case you can set them more strictly.
If you would work with more IT departments then it will probably be necessary to create an operational guide which describes how to do the administration, naming conventions etc.

I have seen quite a lot of companies migrating their multiple domain environment back to one because of the administrative overhead and security reasons.
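As an added illustration of the manual, tighter OU delegation the accepted answer prefers over the wizard (this is example code, not from the thread or its authors): it grants one group the right to create and delete user objects in one OU, plus read/write on the user objects beneath it, and nothing else. The OU distinguished name and group name are placeholders; it assumes the RSAT ActiveDirectory module and its AD: drive.

```powershell
# Example (not from the original thread): delegate user-object administration on a single OU
# with explicit ACEs instead of the Delegation of Control wizard.
# Assumptions: RSAT ActiveDirectory module installed; $ouDN and $groupName are placeholders.
Import-Module ActiveDirectory

$ouDN      = "OU=CompanyA,DC=corp,DC=example"   # placeholder OU for the acquired company
$groupName = "CompanyA-UserAdmins"              # placeholder group for that company's IT staff

# Resolve the schemaIDGUID of the 'user' class so the ACEs apply to user objects only.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create/delete child objects, restricted to class 'user', on this OU and its sub-OUs.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $createDelete,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $userGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace1)

# ACE 2: read/write properties on existing user objects beneath the OU (inherited object type = user).
# Deliberately narrower than GenericAll: no extended rights (e.g. password reset) are granted here.
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $readWrite,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userGuid)
$acl.AddAccessRule($ace2)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs that reference the delegated group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Because the ACEs are scoped by object class and inheritance, the same group gets no rights over group, computer or OU objects in that subtree, which is the kind of restriction the wizard's preset tasks do not let you fine-tune.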