
I have 6 x sites located all around the land down under. All 6 sites are linked via a meshed VPN network and can see each other.

Now, in Head Office i have 2 x AD Servers (1 backup) on the one domain. All others have their own servers on their own domains.

Example :

Head Office - 2008R2 Domain - office1.local (30 users)
Branch Office 1 - 2008R2 Domain - office2.local (10 users)
Branch Office 2 - 2008R2 Domain - office3.local (10 users)
etc etc

Each server in each branch holds a lot of file storage and staff want access to this quickly so servers must reside in each branch locally.

As I am about to replace all the hardware in all the branches (Servers and Desktops) I have the ability to change things, hopefully to make it better.

Question.

What is the best scenario in terms of Domain setup? Should I keep them all separate domains? Should I make the branch servers secondary AD servers to the main one in Head Office? Should I put all the PCs on the Head Office domain and have them replicate from there?

What's the best practice for such a Domain Network?

Looking forward to your kind assistance.

MDMarra
Greg
  • possible duplicate of [What is Active Directory Domain Services and how does it work?](http://serverfault.com/questions/402580/what-is-active-directory-domain-services-and-how-does-it-work) – MDMarra Feb 02 '14 at 00:23
  • You'll want to read the question and answers that I marked this a duplicate of. You'll also want to avoid using made up TLDs like .local. At the risk of too much self promotion, you'll probably find useful information in the Active Directory [tag on my blog](http://www.mdmarra.com/search/label/active%20directory) as well. – MDMarra Feb 02 '14 at 00:24

3 Answers


The best practice is to have the minimum number of domains to meet your needs. Sounds like you could have a single one.

What is Active Directory Domain Services and how does it work?

You need to do some serious reading about AD, since your terminology is wrong, when you say that you have a "backup" DC and that you might want "secondary" DCs.

Put a local DC in each office, part of your single domain; that DC can be a file server too. Or put Hyper-V and have a DC guest and a file server guest - that's a little more secure.

mfinni

I was in a similar situation with 15 offices, plus a CoLo facility. We replaced the VPN mesh network with an MPLS network, and consolidated to one domain. We serve about a total of 250 users, and our systems work much better. The amount of time we have saved on user and workstation setup and management has been significant with being able to deploy settings through the consolidated directory and being able to deploy settings once through group policy.

I would personally say not to bother with separate domains unless you are managing separate sites with more than 250 users at each site, and you have administrators delegated to run each site, and if you have requirements for that kind of security. Active Directory scales to hundreds of thousands of objects before you really have to worry about scaling issues.

The other thing you have to worry about is connectivity between the sites, and ensuring sites are able to replicate at least once every 30-60 days depending on your tombstone settings.

David
  • `I would personally say not to bother with separate domains unless you are managing separate sites with more 250 users at each site, and you have administrators delegated to run each site, and if you have requirements for that kind of security.` - A few things. The number of users shouldn't factor in to how many domains you need. A domain also isn't a security boundary. If you have security concerns, you need entirely separate forests. A domain is a management boundary, but with modern delegation tools and fine-grained password policies, there are few good reasons to use multiple domains now. – MDMarra Feb 02 '14 at 00:37
  • I basically concur, however there may be management considerations where the business management want to have some isolation from other parts of the business, for various reasons. – David Feb 02 '14 at 00:44
  • Right, I understand that it's commonly used for that, but it's not a valid use. If you want isolation, you need a new forest. It's somewhat trivial for an administrator in a child domain to get enterprise admin rights in the root domain via SID History. Managers may ask for a child domain for isolation, but they're not asking for the right thing. True isolation requires a separate forest. Nowadays, you really only need child domains if you *really* want to minimize replication traffic. Think of a cruise ship with a sat link. That might require its own child domain. Little else does in 2014. – MDMarra Feb 02 '14 at 00:48

It all depends on how big your domains are, and how fast the VPN connections are. If the connections are slow, a single domain with too many changes may cause replication delay. If you have a decent connection, and a relatively small number of accounts/changes, always opt for a single domain for lower management overhead.

strongline
  • Agreed - although very few companies still have slower than Mbit connectivity. If the sites have frac-T1, ISDN, or dialup, and AD has a lot of activity, then this is a very valid concern – mfinni Feb 02 '14 at 19:24