• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 86

Rebuilding Active Directory Domains

We have been asked to rebuild our Active Directory domain and we need guidance. We are being asked to build out a multi-tree domain structure now. We just bought 3 companies and each company needs to be a tree in a forest. We want an AD root-level domain and we want each of our companies (including ours) to be one of the trees. We DO have an Exchange organization in our domain currently, but the other companies use Gmail. When we are finished, they will reside on our Exchange organization. We really don't have a good idea of what we need to do, so I'm hoping that someone can provide some insight on how to do this and what steps should be done in what order. We have enough hardware to employ AD Sites & Services and have a controller at each site. These sites are all connected via MPLS connections, so connectivity is reliable and fast. I also should mention that 2 of the domains we currently have use .local as the top-level domain, so we will likely want to build out a completely new AD structure, as we do not want these .locals in our environment.
Eric Hummel
1 Solution
Lee W, MVP, Technology and Business Process Advisor, commented:
Why do you think you need multiple domains? When Microsoft first released AD in Windows 2000 it was STRONGLY recommended to FLATTEN the network - as few domains as possible. In general, you want ONE domain, properly structured with OUs that can be DELEGATED to local IT operations staff.
Eric Hummel (Author) commented:
It was felt like with a Single Forest Multi-domain model, it would be much easier to snap in future companies that we purchase.
Lee W, MVP, Technology and Business Process Advisor, commented:
How is that easier? You have to build a domain for a future company and then build a second DC (increasing licensing costs) for redundancy.

Plan your OU structure appropriately and then all you have to do is create accounts and migrate users to your domain. And as necessary delegate management authority over that OU.
Lee W, MVP, Technology and Business Process Advisor, commented:
When you acquire companies, you may be able to temporarily set up a trust (unless the acquired company has an SBS/Essentials/Foundation based network, which doesn't permit trusts anyway).
With multiple domains you create an administrative boundary, so in terms of who is able to do what it is somewhat easier.
If you would have different IT departments then a multiple-forest model (with a forest trust) is probably better, as in this case every IT department is responsible for managing/upgrading their own forest. This of course depends on the AD administration model you would use.

But with multiple domains/forests you have more AD administrative/maintenance work.
More domains/forests also require more domain controllers, so more servers which should also be managed/patched etc.
And with more domains/forests it can be more difficult to enforce security policies, settings and best practices.
With more domains the disaster recovery procedure is more difficult.

A single domain model is easier if you have more locations. Otherwise this would (for performance reasons) require domain controllers of every domain in every location.
If you have users from different companies that need access to shared applications/data then you need domain local groups, as these can hold users/groups from different domains/forests. These domain local groups occupy 40 bytes in the Kerberos ticket compared to 8 bytes for a global security group.
Setting up software distribution with more domains/forests will probably also be more difficult.

With AD you have enough possibilities to create delegation via OUs and assign permissions to create e.g. user/group/computer objects within their own OU. Also for Group Policies you can set up delegation.
Instead of using the default delegation wizard I normally set these permissions manually, as in this case you can set them more strictly.
If you would work with more IT departments then it will probably be necessary to create an operational guide which describes how to do the administration, naming conventions etc.

I have seen quite a lot of companies migrating their multiple domain environment back to one because of the administrative overhead and security reasons.
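As an added example (not part of the thread and not any commenter's own script), the following PowerShell shows the manual OU delegation described above: one OU per acquired company, a group for that company's IT staff, and only the specific rights they need (create/delete user objects, reset passwords) rather than the broad set the wizard tends to grant. The OU name `AcquiredCo` and the group name `AcquiredCo-UserAdmins` are placeholders; the script assumes the RSAT ActiveDirectory module and a session with rights to edit the OU's ACL.

```powershell
# Added example: manual, least-privilege OU delegation in a single-domain model.
# Placeholder names below are assumptions; change them for your environment.
Import-Module ActiveDirectory

$ouName   = 'AcquiredCo'                          # hypothetical OU for one acquired company
$ouParent = (Get-ADDomain).DistinguishedName      # create it directly under the domain
$ouDN     = "OU=$ouName,$ouParent"
$helpdesk = 'AcquiredCo-UserAdmins'               # hypothetical global group for that company's IT

# 1. Create the OU and the delegation group if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $ouParent -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $ouParent -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$helpdesk'")) {
    New-ADGroup -Name $helpdesk -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 2. Resolve the GUIDs from the schema and configuration partitions instead of hard-coding them.
$rootDse       = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$sid = (Get-ADGroup $helpdesk).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Right 1: create and delete *user* objects in this OU and its sub-OUs, nothing else.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# Right 2: the "Reset Password" extended right, scoped to descendant user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify: show only the explicit (non-inherited) ACEs granted to the delegation group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$helpdesk" -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

The verification step at the end is the part worth keeping around: rerun it after any change and compare against what you expect, because explicit ACEs added by wizards or by hand are easy to lose track of, and an OU that silently accumulates GenericAll for a helpdesk group undoes the whole point of keeping one domain with tightly delegated OUs.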