We are a company with several divisions and we are considering moving to Windows 2000 and Active Directory (AD). We currently have NT domains per division plus a central controlling domain. Divestiture of some divisions is on the cards in the next year or so. What AD model would make separation of divisions easiest?
Generally in Windows 2000 Active Directory it is easier to manage organizational units (OUs) instead of multiple domains. Multiple domains -- especially if you need to share resources between the various domains -- can result in the need for additional hardware to support the infrastructure. You will need two Global Catalog Servers for each of the domains present in the geographical locations (or closest subnet) of the other domain users that need to share the resources. However, there are some compelling reasons to create additional domains:
Account policy differences (account policies are always domain-wide and cannot be applied to OUs)
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Separation of business model (this would be along the lines of your divestiture of some of the business divisions)
Separation of IT responsibility (if each division has its own IT staff and there is no desire/movement to bring the work under a central staff)
The use of OUs generally offers you more flexibility in management, application of group policy and movement of objects within the entire infrastructure. However, for the reasons stated above, I would suggest that you consolidate only those divisions that do not look to be divested at any time. If a business decision is made to divest -- it is just a little more work and planning that you will need to do to move them out into their own domain and send them on their merry way. For those divisions already earmarked -- keeping separate domains would be the best configuration.