Rebuilding Active Directory Domains

Posted on 2016-10-27
Last Modified: 2016-10-31
We have been asked to rebuild our Active Directory domain and we need guidance. We are being asked to build out a multi-tree domain structure now. We just bought 3 companies and each company needs to be a tree in a forest. We want an AD root level domain and we want each of our companies (including ours) to be one of the trees. We DO have an Exchange organization in our domain currently, but the other companies use Gmail. When we are finished, they will reside on our Exchange organization. We really don't have a good idea of what we need to do, so I'm hoping that someone can provide some insight on how to do this and what steps should be done in what order. We have enough hardware to employ AD Sites & Services and have a controller at each site. These sites are all connected via MPLS connections, so connectivity is reliable and fast. I also should mention that 2 of the domains we currently have use a .local for the top level domain, so we will likely want to build out a completely new AD structure, as we do not want these .locals in our environment.
Question by:Eric Hummel
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863036
Why do you think you need multiple domains?  When Microsoft first released AD in Windows 2000 it was STRONGLY recommended to FLATTEN the network - as few domains as possible.  In general, you want ONE domain, properly structured with OUs that can be DELEGATED to local IT operations staff.

Author Comment

by:Eric Hummel
ID: 41863088
It was felt like with a Single Forest Multi-domain model, it would be much easier to snap in future companies that we purchase.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863357
How is that easier?  You have to build a domain for a future company and then build a second DC (increasing licensing costs) for redundancy.

Plan your OU structure appropriately and then all you have to do is create accounts and migrate users to your domain.  And as necessary delegate management authority over that OU.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41863358
When you acquire companies, you may be able to temporarily set up a trust (unless the acquired company has an SBS/Essentials/Foundation based network, which doesn't permit trusts anyway).
LVL 12

Accepted Solution

zalazar earned 500 total points
ID: 41864561
With multiple domains you create an administrative boundary, so in terms of who is able to do what it is somewhat easier.
If you would have different IT departments then a multiple forest model (with a forest trust) is probably better as in this case every IT department is responsible for managing/upgrading their own forest. This of course depends on the AD administration model you would use.

But with multiple domains/forests you have more AD administrative/maintenance work.
More domains/forests also require more domain controllers, so more servers which should also be managed/patched etc.
And with more domains/forests it can be more difficult to enforce security policies, settings and best practices.
With more domains the disaster recovery procedure is more difficult.

A single domain model is easier if you have more locations. Otherwise this would (for performance reasons) require domain controllers of every domain in every location.
If you have users from different companies that need access to shared applications/data then you need domain local groups, as these can hold users/groups from different domains/forests. These domain local groups occupy 40 bytes in the Kerberos ticket compared to 8 bytes for a global security group.
Setting up software distribution with more domains/forest will probably also be more difficult.

With AD you have enough possibilities to create delegation via OUs and assign permissions to create e.g. user/group/computer objects within their own OU. Also for Group Policies you can set up delegation.
Instead of using the default delegation wizard I normally set these permissions manually as in this case you can set it more strict.
If you would work with more IT departments then it should probably be necessary to create an operational guide which describes how to do the administration, name conventions etc.

I have seen quite a lot of companies migrating their multiple domain environment back to one because of the administrative overhead and security reasons.
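The manual OU delegation the accepted answer prefers over the Delegation of Control wizard, as an added example that is not part of the answer or of any script the author posted. It grants a local IT group the right to create and delete user, group and computer objects in its own OU and nothing more; the OU distinguished name and group name are placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: narrow, manual delegation on one OU (no Delegation of Control wizard).
# Placeholders: adjust $ouDN and $groupName to the target OU and the local IT admin group.
Import-Module ActiveDirectory

$ouDN      = 'OU=CompanyA,DC=corp,DC=example'   # placeholder OU of the acquired company
$groupName = 'CompanyA-IT-Admins'                # placeholder group that gets delegated rights

# Resolve the SID of the delegated group and read the current ACL of the OU.
$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDN"

# Look up schemaIDGUIDs from the schema rather than hard-coding them, so the
# ACEs are scoped to exactly these object classes (CreateChild/DeleteChild of
# "all objects" would be far broader than the wizard's user/group/computer tasks).
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$classGuids = @{}
foreach ($cls in 'user', 'group', 'computer') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$cls))"
    $classGuids[$cls] = [Guid]$schemaObj.schemaIDGUID
}

foreach ($cls in $classGuids.Keys) {
    # 1) Allow creating/deleting child objects of this class, inherited to sub-OUs.
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuids[$cls],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($createDelete)

    # 2) Allow managing existing objects of this class only (not the OU itself and
    #    not objects of other classes), by restricting the inherited object type.
    $manageExisting = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuids[$cls])
    $acl.AddAccessRule($manageExisting)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list only the ACEs now held by the delegated group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to explicit object classes, the group cannot create other object types in the OU or modify the OU object itself, which is the stricter outcome the answer describes.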

