I work in a site that has four distinctly separate locations, which are connected via wireless and fiber links. I have had difficulty getting a consensus of opinion as to the best practical design for our AD environment. Currently we have one domain, where I believe -- due to the different security requirements -- we should have separate domains. In fact I like the idea of a separate empty top-level domain with multiple sub-domains to separate away administrative involvement within each. Do you have any best-practice advice for where consensus cannot be reached?
In a Windows Server 2003 environment, the best way to think of the domain structure is that it constitutes an administrative boundary. There are certain policies, including password, Kerberos and account lockout policies, that can only be set at the domain level; if you have a subset of users who have substantially different needs in that area, you'll need to create a separate domain for them. You can also create separate domains to delegate authority to different groups of administrators, though this can in most cases be done better and more securely through the use of organizational units. The thing to keep in mind is that a domain constitutes an administrative boundary, not a security boundary. So if you have a group of users/resources that need to be completely segregated from the rest of your network, you're really better off putting them within a separate forest, not just a separate domain within the same forest. Take a look at the Professor Windows article on Active Directory design best practices to get you started.
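As an added illustration of the two points made in the answer (domain-scoped account policies versus OU-scoped delegation), and not part of the original question or answer, the following PowerShell shows how a site administrator can inspect the policies that live at the domain level and then delegate a narrow task to a group at the OU level instead of creating a new domain. It assumes the ActiveDirectory PowerShell module (which shipped after Server 2003, with Server 2008 R2), the built-in `dsacls` tool, and a hypothetical domain `corp.example.com` with a site OU `OU=SiteB` and a group `CORP\SiteB-Helpdesk`; replace those with your own values.

```powershell
# Added example; names below (corp.example.com, OU=SiteB, CORP\SiteB-Helpdesk) are placeholders.
Import-Module ActiveDirectory

# 1. These settings exist once per domain: every user in the domain is
#    subject to them, which is why a substantially different requirement
#    is the classic reason for a second domain.
Get-ADDefaultDomainPasswordPolicy -Identity 'corp.example.com' |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, ComplexityEnabled

# 2. Administrative delegation does NOT need a separate domain. Grant the
#    SiteB helpdesk the right to reset passwords and force a change at next
#    logon for user objects under OU=SiteB only, via the OU's ACL.
#    /I:S  = apply to sub-objects only;  CA = control-access (extended) right;
#    WP    = write-property.
$ou = 'OU=SiteB,DC=corp,DC=example,DC=com'
dsacls $ou /I:S /G 'CORP\SiteB-Helpdesk:CA;Reset Password;user'
dsacls $ou /I:S /G 'CORP\SiteB-Helpdesk:WP;pwdLastSet;user'

# 3. Review what was delegated: the resulting ACEs are scoped to this OU,
#    so the helpdesk gains nothing over objects elsewhere in the domain.
dsacls $ou | Select-String 'SiteB-Helpdesk'

# 4. Forest membership is what actually separates security scope. Listing
#    the domains in the forest makes it visible that child domains still
#    share one schema, one configuration partition and one Enterprise Admins
#    group with the root.
(Get-ADForest).Domains
```

Run step 1 and 4 read-only first; step 2 changes the OU's security descriptor and should be done from an account that owns that OU, after which step 3 confirms the grant is limited to the intended container.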