Q

Best practical design of an Active Directory environment in four separate locations

I work in a site that has four distinctly separate locations, which are connected via wireless and fiber links. I have had difficulty getting a consensus of opinion as to the best practical design for our AD environment. Currently we have one domain, where I believe -- due to the different security requirements -- we should have separate domains. In fact I like the idea of a separate empty top-level domain with multiple sub-domains to separate away administrative involvement within each. Do you have best practice advice where consensus cannot be reached?

In a Windows Server 2003 environment, the best way to think of the domain structure is that it constitutes an administrative boundary. There are certain policies, including password, Kerberos and account lockout policies, that can only be set at the domain level; if you have a subset of users who have substantially different needs in that area, you'll need to create a separate domain for them. You can also create separate domains to delegate authority to different groups of administrators, though this can in most cases be done better and more securely through the use of organizational units. The thing to keep in mind is that a domain constitutes an administrative boundary, not a security boundary. So if you have a group of users/resources that need to be completely segregated from the rest of your network, you're really better off putting them within a separate forest, not just a separate domain within the same forest. Take a look at the Professor Windows article on Active Directory design best practices to get you started.
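The boundaries the answer describes can be checked directly. The following is an added example, not part of the original answer; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and the OU distinguished name is a placeholder.

```powershell
# Added example: audit which settings are per-domain and where the forest
# (security) boundary actually sits. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: {0} (mode {1}), domains: {2}" -f $forest.RootDomain, $forest.ForestMode, ($forest.Domains -join ', ')

# Password and lockout settings (and Kerberos policy, via the Default Domain
# Policy GPO) live at the domain level: one domain means one policy for all.
foreach ($d in $forest.Domains) {
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $d
    [pscustomobject]@{
        Domain           = $d
        MinPasswordLen   = $p.MinPasswordLength
        Complexity       = $p.ComplexityEnabled
        MaxPasswordAge   = $p.MaxPasswordAge
        LockoutThreshold = $p.LockoutThreshold
        LockoutDuration  = $p.LockoutDuration
    }
}

# Trusts mark the forest boundary: domains in the same forest trust each other
# transitively, while another forest is only reached through an explicit trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# Delegation inside a domain happens on OUs: list the explicit (non-inherited)
# ACEs on a site OU to see who has been granted administrative rights there.
# 'OU=SiteA,DC=example,DC=com' is a placeholder; replace it with a real OU.
$ou = 'OU=SiteA,DC=example,DC=com'
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

If every location sits in one domain, the first loop prints a single policy row, which is the practical consequence of the "domain as policy boundary" point above.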
This was first published in November 2005