Rebuilding Active Directory Domains

Posted on 2016-10-27
Medium Priority
Last Modified: 2016-10-31
We have been asked to rebuild our Active Directory domain and we need guidance. We are being asked to build out a multi-tree domain structure now. We just bought 3 companies and each company needs to be a tree in a forest. We want an AD root level domain and we want each of our companies (including ours) to be one of the trees. We DO have an Exchange organization in our domain currently, but the other companies use Gmail. When we are finished, they will reside on our Exchange organization. We really don't have a good idea of what we need to do, so I'm hoping that someone can provide some insight on how to do this and what steps should be done in what order. We have enough hardware to employ AD Sites & Services and have a controller at each site. These sites are all connected via MPLS connections, so connectivity is reliable and fast. I also should mention that 2 of the domains we currently have use a .local for the top-level domain, so we will likely want to build out a completely new AD structure, as we do not want these .locals in our environment.
Question by:Eric Hummel
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863036
Why do you think you need multiple domains? When Microsoft first released AD in Windows 2000 it was STRONGLY recommended to FLATTEN the network - as few domains as possible. In general, you want ONE domain, properly structured with OUs that can be DELEGATED to local IT operations staff.

Author Comment

by:Eric Hummel
ID: 41863088
It was felt like with a Single Forest Multi-domain model, it would be much easier to snap in future companies that we purchase.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863357
How is that easier? You have to build a domain for a future company and then build a second DC (increasing licensing costs) for redundancy.

Plan your OU structure appropriately and then all you have to do is create accounts and migrate users to your domain. And as necessary, delegate management authority over that OU.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863358
When you acquire companies, you may be able to temporarily set up a trust (unless the acquired company has an SBS/Essentials/Foundation based network, which doesn't permit trusts anyway).
LVL 12

Accepted Solution

zalazar earned 2000 total points
ID: 41864561
With multiple domains you create an administrative boundary, so in terms of who is able to do what it is somewhat easier.
If you would have different IT departments then a multiple forest model (with a forest trust) is probably better as in this case every IT department is responsible for managing/upgrading their own forest. This of course depends on the AD administration model you would use.

But with multiple domains/forests you have more AD administrative/maintenance work.
More domains/forests also require more domain controllers, so more servers which should also be managed/patched etc.
And with more domains/forests it can be more difficult to enforce security policies, settings and best practices.
With more domains the disaster recovery procedure is more difficult.

A single domain model is easier if you have more locations. Otherwise this would (for performance reasons) require domain controllers of every domain in every location.
If you have users from different companies that need access to shared applications/data then you need domain local groups, as these can hold users/groups from different domains/forests. These domain local groups occupy 40 bytes in the Kerberos ticket compared to 8 bytes for a global security group.
Setting up software distribution with more domains/forests will probably also be more difficult.

With AD you have enough possibilities to create delegation via OUs and assign permissions to create e.g. user/group/computer objects within their own OU. Also for Group Policies you can set up delegation.
Instead of using the default delegation wizard I normally set these permissions manually, as in this case you can set it more strictly.
If you would work with more IT departments then it will probably be necessary to create an operational guide which describes how to do the administration, naming conventions etc.

I have seen quite a lot of companies migrating their multiple domain environment back to one because of the administrative overhead and security reasons.
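The single-domain layout that both answers describe, written out as an added PowerShell example (not code from the thread or from either poster): one OU per acquired company, a per-company admin group, delegation set manually through the OU's ACL rather than the Delegation of Control wizard, and a domain local group for a shared resource with the company global groups nested into it. The domain, company names, group names and resource name are constructed placeholders; the script assumes the ActiveDirectory module and rights to create OUs, groups and ACEs in the domain.

```powershell
# Added example: single domain, per-company OUs, manual ACL delegation, AGDLP groups.
# Domain and all names below are assumed placeholders, not values from the thread.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName            # whatever domain you run this in
$companies = @('HoldingCo', 'AcquiredA', 'AcquiredB', 'AcquiredC')   # constructed names

# Look the GUIDs up from the schema / Extended-Rights container instead of hard-coding them.
$rootDse  = Get-ADRootDSE
$userGuid = New-Object Guid (,(Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter { lDAPDisplayName -eq 'user' } -Properties schemaIDGUID).schemaIDGUID)
$resetPwd = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -Filter { displayName -eq 'Reset Password' } -Properties rightsGuid).rightsGuid

function New-CompanyOu {
    # Creates an OU under $ParentDN if it does not exist and returns its DN.
    param([string]$Name, [string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDN"
}

function Grant-OuDelegation {
    # Grants a group only what a company's helpdesk needs on user objects in one OU:
    # create/delete users, reset passwords, write user attributes. No rights on other classes.
    param([string]$OuDN, [string]$GroupName)
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $acl   = Get-Acl -Path "AD:\$OuDN"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]

    # 1. Create and delete objects of class 'user' in this OU and sub-OUs.
    $acl.AddAccessRule($rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
                                  $allow, $userGuid, $all))
    # 2. 'Reset Password' extended right, applied to descendant user objects only.
    $acl.AddAccessRule($rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                                  $allow, $resetPwd, $desc, $userGuid))
    # 3. Write attributes of descendant user objects (not groups, computers or the OU itself).
    $acl.AddAccessRule($rule::new($sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                                  $allow, $desc, $userGuid))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-OuDelegation {
    # Check step: list the explicit (non-inherited) ACEs a group holds on an OU.
    param([string]$OuDN, [string]$GroupName)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

function New-SharedResourceGroups {
    # AGDLP: the domain local group carries the permission on the shared resource,
    # each company's global group is nested into it.
    param([string]$Resource, [string[]]$CompanyGlobalGroups, [string]$GroupOuDN)
    $dl = "DL-$Resource-Modify"
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $GroupOuDN
    Add-ADGroupMember -Identity $dl -Members $CompanyGlobalGroups
    return $dl
}

# --- Build the structure ---------------------------------------------------------------
$companiesOu  = New-CompanyOu -Name 'Companies'  -ParentDN $domainDN
$delegationOu = New-CompanyOu -Name 'Delegation' -ParentDN $domainDN
$staffGroups  = @()

foreach ($c in $companies) {
    $ou = New-CompanyOu -Name $c -ParentDN $companiesOu
    foreach ($sub in 'Users', 'Groups', 'Computers') { $null = New-CompanyOu -Name $sub -ParentDN $ou }

    # Per-company admin group, created in a central OU the companies cannot write to.
    $admins = "DLG-$c-UserAdmins"
    New-ADGroup -Name $admins -GroupScope Global -GroupCategory Security -Path $delegationOu
    Grant-OuDelegation -OuDN "OU=Users,$ou" -GroupName $admins

    # Per-company global group for staff, to be nested into shared-resource domain local groups.
    $staff = "G-$c-Staff"
    New-ADGroup -Name $staff -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ou"
    $staffGroups += $staff
}

# One shared file share ('Finance' is a constructed example) reachable by all companies.
$sharedDl = New-SharedResourceGroups -Resource 'Finance' -CompanyGlobalGroups $staffGroups -GroupOuDN $delegationOu

# Verify what was delegated for the first company.
Get-OuDelegation -OuDN "OU=Users,OU=$($companies[0]),$companiesOu" -GroupName "DLG-$($companies[0])-UserAdmins"
```

The three ACEs in `Grant-OuDelegation` are the manual, narrower equivalent of the wizard's "Create, delete, and manage user accounts" task: they are object-type scoped to the `user` class, so the delegated group gets nothing on groups, computers or the OU object itself, and `Get-OuDelegation` is the check to run afterwards (or periodically) to confirm no broader rights crept in. The global groups end up in the company OU (so the company's own admins can manage membership), while the domain local group that actually holds the resource permission sits in the central `Delegation` OU.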
