Active Directory Design Question
I am doing an assignment and in it I have been asked to design the Active Directory for the head office in Melbourne and one branch office in another state. I was thinking of creating a child domain for each state, and then each store part of their local state domain. Each store would then have a group policy that is part of their local child domain. Then I thought the head office would have its own group policy that would need to be part of its own store and part of all the other states as well, but they are within another child domain. Say the CEO, he will need authority of the head office domain and all the other states' domains as well, is this done with trusts or inheritance? How can the state group policies be part of the regional management OU without being part of their local staff OUs?
April 17th, 2011 2:54am
Hello,
Why the use of child domains?
If you want to use child domains then it is recommended to have at least two DC servers per domain.
You can use only one domain with:
- Two RWDCs in the head office: 2 DC/DNS/GC servers
- One RODC with enabled password caching in the branch office
That would be enough to ensure the high availability of the AD service, and even if the WAN connection between the head office and the branch office is down, users in the branch office will still be able to log on.
If you were planning to add child domains for multiple password policies, you can use one domain with 2008 DCs and create multiple PSOs.
For more information about the AD DS Fine-Grained password policies, refer to this Microsoft article:
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
For group policies, you can link them to sites.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 17th, 2011 6:50am
I would recommend one domain, unless different organizations with different policies will manage the separate domains. You can have different OUs (and Sites) for different states/locations, and separate Group Policies can apply to each OU (or you can have one Group Policy for the domain). You also can delegate authority for most tasks to local Admins in each OU. See this link:
http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
Having more than one domain generally just adds complications.
Richard Mueller - MVP Directory Services
April 17th, 2011 12:25pm
Based on the requirements you described so far, there is no reason to introduce additional domains into the design. You should always plan for a single forest single domain model unless there are requirements that cannot be met by this design.
This is the recommended best practice for designing Active Directory.
Visit: anITKB.com, an IT Knowledge Base.
April 17th, 2011 1:33pm
The reason I thought of the child domains is because it is an e-commerce company and has a large database, and I was thinking of doing it to minimize replication over large distances, but it is unnecessary. Thanks for your help everyone.
April 17th, 2011 6:35pm
Hello,
If you do not have any security related requirements, use a single forest domain instead and manage the sites with OUs where delegated control is used for the site specific managers without making them admin.
This way you can work with fewer DCs and backup/restore is less than with root/child domains. Keep in mind that 2 DC/DNS/GC per domain are recommended and they must be maintained and replaced after some years etc.
With OU design in ADUC you can achieve all requirements to manage the sites and the main office by creating separate GPOs linked to the OUs.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 18th, 2011 3:58am
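The single-domain layout suggested in the replies above (per-state OUs with separately linked GPOs, plus a PSO instead of a child domain for a stricter password policy), sketched as an added example that is not from any of the posters. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available; the domain `corp.example`, the state codes, every OU, group, GPO and PSO name, and the policy values are placeholders.

```powershell
# Added example: one domain, per-state OUs, GPOs linked per OU, one PSO.
# All names and values below are placeholders, not taken from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

$domainDn = 'DC=corp,DC=example'
$states   = 'VIC', 'NSW'

foreach ($state in $states) {
    # One top-level OU per state, with separate Staff and Management child OUs.
    New-ADOrganizationalUnit -Name $state -Path $domainDn -ProtectedFromAccidentalDeletion $true
    $stateDn = "OU=$state,$domainDn"
    foreach ($child in 'Staff', 'Management') {
        New-ADOrganizationalUnit -Name $child -Path $stateDn -ProtectedFromAccidentalDeletion $true
    }

    # State-wide baseline: linked at the state OU, inherited by both child OUs.
    New-GPO -Name "$state-Baseline" | Out-Null
    New-GPLink -Name "$state-Baseline" -Target $stateDn -LinkEnabled Yes | Out-Null

    # Management-only settings: linked at the Management OU only, so accounts
    # in the sibling Staff OU never process this GPO.
    New-GPO -Name "$state-Management" | Out-Null
    New-GPLink -Name "$state-Management" -Target "OU=Management,$stateDn" -LinkEnabled Yes | Out-Null
}

# A PSO applies to users or global security groups, not to OUs, so the
# managers who need the stricter policy are collected in a group first.
New-ADGroup -Name 'Regional-Managers' -GroupScope Global -GroupCategory Security `
    -Path "OU=Management,OU=VIC,$domainDn"

New-ADFineGrainedPasswordPolicy -Name 'PSO-Managers' -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Managers' -Subjects 'Regional-Managers'

# Verify which PSO wins for a given account (placeholder user name):
# Get-ADUserResultantPasswordPolicy -Identity 'some.manager'
```

Fine-grained password policies require the domain to be at the Windows Server 2008 functional level or higher; accounts that are not covered by any PSO keep the password policy from the Default Domain Policy.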