I work in a site that has four distinctly separate locations, which are connected via wireless and fiber links. I have had difficulty getting a consensus of opinion as to the best practical design for our AD environment. Currently we have one domain, where I believe -- due to the different security requirements -- we should have separate domains. In fact I like the idea of a separate empty top-level domain with multiple sub-domains to separate away administrative involvement within each. Do you have a best practice advise where consensus cannot be reached?
In a Windows Server 2003 environment, the best way to think of the domain structure is that it constitutes an administrative boundary. There are certain policies, including password, Kerberos and account lockout policies, that can only be set at the domain level; if you have a subset of users who have substantially different needs in that area, you'll need to create a separate domain for them. You can also create separate domains to delegate authority to different groups of administrators, though this can in most cases be done better and more securely through the use of organizational units. The thing to keep in mind is that a domain constitutes an administrative boundary, not a security boundary. So if you have a group of users/resources that need to be completely segregated from the rest of your network, you're really better off putting them within a separate forest, not just a separate domain within the same forest. Take a look at the
Professor Windows article on Active Directory design best practices
to get you started.
Dig deeper on Microsoft Active Directory Design and Administration
Active Directory expert Laura E. Hunter offers some advice for changing the IP addresses of domain controllers.continue reading
An admin needs to grant user access rights for those needing to traverse directory trees. Our server management expert explains how to use Group ...continue reading
An admin has two domains and two Active Directories. He wants to know how to join the Active Directories so that internal staff can access both, but ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.