Rebuilding Active Directory Domains

Posted on 2016-10-27
Medium Priority
Last Modified: 2016-10-31
We have been asked to rebuild our Active Directory domain and we need guidance. We are being asked to build out a multi-tree domain structure now. We just bought 3 companies and each company needs to be a tree in a forest. We want an AD root level domain and we want each of our companies (including ours) to be one of the trees. We DO have an Exchange organization in our domain currently, but the other companies use Gmail. When we are finished, they will reside on our Exchange organization. We really don't have a good idea of what we need to do, so I'm hoping that someone can provide some insight on how to do this and what steps should be done in what order. We have enough hardware to employ AD Sites & Services and have a controller at each site. These sites are all connected via MPLS connections, so connectivity is reliable and fast. I also should mention that 2 of the domains we currently have use .local for the top-level domain, so we will likely want to build out a completely new AD structure, as we do not want these .locals in our environment.
Question by:Eric Hummel
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863036
Why do you think you need multiple domains?  When Microsoft first released AD in Windows 2000 it was STRONGLY recommended to FLATTEN the network - as few domains as possible.  In general, you want ONE domain, properly structured with OUs that can be DELEGATED to local IT operations staff.

Author Comment

by:Eric Hummel
ID: 41863088
It was felt like with a Single Forest Multi-domain model, it would be much easier to snap in future companies that we purchase.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863357
How is that easier?  You have to build a domain for a future company and then build a second DC (increasing licensing costs) for redundancy.

Plan your OU structure appropriately and then all you have to do is create accounts and migrate users to your domain.  And as necessary delegate management authority over that OU.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863358
When you acquire companies, you may be able to temporarily set up a trust (unless the acquired company has an SBS/Essentials/Foundation based network, which doesn't permit trusts anyway).
LVL 12

Accepted Solution

zalazar earned 2000 total points
ID: 41864561
With multiple domains you create an administrative boundary, so in terms of who is able to do what it is somewhat easier.
If you would have different IT departments then a multiple forest model (with a forest trust) is probably better as in this case every IT department is responsible for managing/upgrading their own forest. This of course depends on the AD administration model you would use.

But with multiple domains/forests you have more AD administrative/maintenance work.
More domains/forests also requires more domain controllers so more servers which should also be managed/patched etc.
And with more domains/forests it can be more difficult to enforce security policies, settings and best practices.
With more domains the disaster recovery procedure is more difficult.

A single domain model is easier if you have more locations. Otherwise this would (for performance reasons) require domain controllers of every domain in every location.
If you have users from different companies that need access to shared applications/data then you need domain local groups, as these can hold users/groups from different domains/forests. These domain local groups occupy 40 bytes in the Kerberos ticket compared to 8 bytes for a global security group.
Setting up software distribution with more domains/forests will probably also be more difficult.

With AD you have enough possibilities to create delegation via OUs and assign permissions to create e.g. user/group/computer objects within their own OU. Also for Group Policies you can set up delegation.
Instead of using the default delegation wizard I normally set these permissions manually, as in this case you can set them more strictly.
If you would work with more IT departments then it will probably be necessary to create an operational guide which describes how to do the administration, naming conventions etc.

I have seen quite a lot of companies migrating their multiple domain environment back to one because of the administrative overhead and security reasons.
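The single-domain, delegated-OU model described in the accepted answer is shown below as an added example; it is not code from the thread or from any of its participants. It creates one OU per acquired company, a global security group for that company's IT staff, and then grants that group rights over user objects in its own OU by writing the ACEs directly (the manual route the answer prefers over the Delegation of Control wizard), plus edit rights on one GPO linked to that OU. The OU name, group name and GPO name are constructed placeholders; the script assumes the RSAT ActiveDirectory and GroupPolicy modules and Domain Admins rights on the account running it.

```powershell
# Added example, not from the original thread: delegate user-object management
# and one GPO to a company-specific IT group within a single domain.
# "CompanyA", "CompanyA-UserAdmins" and "CompanyA Baseline" are constructed names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$OuName    = "CompanyA"
$OuDn      = "OU=$OuName,$DomainDN"
$GroupName = "CompanyA-UserAdmins"
$GpoName   = "CompanyA Baseline"

# 1. OU for the acquired company and the group that will hold its IT staff.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn

# 2. Inputs for the ACEs: the group's SID and the schema GUID of the 'user' class.
#    Scoping the ACEs to this GUID is what keeps the grant narrower than the wizard's
#    typical "Full Control over all child objects".
$GroupSid = (Get-ADGroup -Identity $GroupName).SID
$SchemaNC = (Get-ADRootDSE).SchemaNamingContext
$UserGuid = [guid](Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=user)" `
                 -Properties schemaIDGUID).schemaIDGUID

# 3. Two ACEs on the OU:
#    a) create and delete *user* objects anywhere below this OU
#    b) full control over user objects that already exist below it
$Acl = Get-Acl -Path "AD:\$OuDn"

$CreateDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $UserGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$ManageExistingUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserGuid)

$Acl.AddAccessRule($CreateDeleteUsers)
$Acl.AddAccessRule($ManageExistingUsers)
Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# 4. One GPO linked to the OU, editable by the company's IT group but still
#    created and linked centrally, so the link itself stays under central control.
New-GPO -Name $GpoName | New-GPLink -Target $OuDn | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# 5. Review what was actually granted: only the ACEs for the new group.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it once per acquired company with the three names changed; the review step at the end is the part to keep in the operational guide the answer mentions, since it shows exactly which object class the group can create and control and makes it obvious if a broader right has crept in later.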
