Maximize your AD domain design

Considerations for good design.

Active Directory networks are organized using four types of divisions or container structures: forests, domains, organizational units and sites. When you are designing your network, it is important to use each of these divisions to its maximum potential. Let's take a closer look at the domain division.

Domains are most often treated as purely logical containers. However, Microsoft recommends that you also treat domains as physical containers. In other words, create domains whose members are geographically close rather than distant. This matters because the level of traffic within a domain is considerably higher than the traffic between domains: every domain controller in a domain holds a full replica of that domain's partition and must replicate all of its changes, whereas domain controllers in different domains exchange only the forest-wide schema and configuration partitions (and, for global catalog servers, a partial attribute set of the other domains). A domain with a limited physical footprint is therefore less likely to push the heavier intra-domain traffic across expensive WAN links or pay-per-bit connections. When slow links cannot be avoided, one option is to create separate domains on either side of the link, so that only the lighter inter-domain traffic crosses it. Before doing so, weigh it against the site topology: sites and site links are the primary tool for controlling replication over slow links, since inter-site replication within a single domain is scheduled and compressed per site link, and an extra domain carries an ongoing administrative cost of its own.
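The replication footprint argument above can be checked against an existing forest. The script below is an added example, not code from the original article; it assumes Windows PowerShell 5.1 on a domain-joined machine and uses only the .NET System.DirectoryServices.ActiveDirectory classes, so no RSAT module is needed. It lists, per domain, the sites its domain controllers occupy, then the site links (with cost and replication interval) joining the forest's sites, so you can see which slow links would be carrying full domain replication.

```powershell
# Added example, not part of the original article. Inventory each domain's
# replication footprint: which sites its DCs sit in and which site links
# join those sites. Run from a domain-joined machine as a user that can read
# the configuration partition (any authenticated user by default).
# Assumes Windows PowerShell 5.1 with the .NET Framework
# System.DirectoryServices assembly available.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)"

foreach ($domain in $forest.Domains) {
    # Every DC in a domain replicates the full domain partition, so a domain
    # whose DCs span several sites pushes that traffic over every site link
    # on the path between those sites.
    $dcs   = @($domain.DomainControllers)
    $sites = @($dcs | ForEach-Object { $_.SiteName } | Sort-Object -Unique)
    "  Domain $($domain.Name): $($dcs.Count) DC(s) in $($sites.Count) site(s): $($sites -join ', ')"
    if ($sites.Count -gt 1) {
        "    -> review whether the links between these sites can carry full domain replication"
    }
}

"Site links (inter-site replication is scheduled and compressed per link):"
$links = $forest.Sites |
    ForEach-Object { $_.SiteLinks } |
    Sort-Object -Property Name -Unique
foreach ($link in $links) {
    $names = ($link.Sites | ForEach-Object { $_.Name }) -join ', '
    "  {0}: cost {1}, interval {2} min, transport {3}, sites: {4}" -f `
        $link.Name, $link.Cost, $link.ReplicationInterval.TotalMinutes, $link.TransportType, $names
}
```

A domain that appears with DCs in several sites is not wrong by itself; the point of the listing is to put each such domain next to the cost and interval of the site links between those sites, which is the information you need to decide between tuning the site links and splitting the domain.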

Domains also serve as containers for security policy and administrative authority. All objects within a domain are subject to the domain's group policies by default, and in Windows 2000 and Windows Server 2003 the account policies (password length and age, account lockout, Kerberos ticket lifetimes) can be set only at the domain level, so two populations of users that need different password rules need different domains. Likewise, any member of Domain Admins can manage every object within the domain. Furthermore, each domain has its own accounts database, so authentication is performed on a domain basis. Note what that does and does not mean: a successful logon to a domain only identifies the account; access to any particular resource is still decided by that resource's ACL, and because all domains in a forest trust one another transitively, an account authenticated in one domain can also be granted access to resources in the other domains of the forest. For the same reason, the domain is an administrative and replication boundary, not a hard security boundary; the forest is. A compromised domain administrator in any one domain should be assumed to put the whole forest at risk.

If you are migrating from a Windows NT environment to Windows 2000 or Windows Server 2003, several NT-era reasons for creating extra domains no longer apply. It is no longer necessary to create separate domains to divide administrative privileges: within Active Directory, administrative rights can be delegated on organizational units, so a help desk can be given password-reset rights over one OU without becoming a domain administrator. Domains are no longer restricted by NT's practical limit of about 40,000 accounts per SAM; an Active Directory domain can manage millions of objects. There are no longer PDCs and BDCs. Instead, Active Directory uses multi-master replication, and all domain controllers are peers for ordinary writes; the exceptions are the five operations master (FSMO) roles, including the PDC emulator, each of which is held by one domain controller at a time and should be placed deliberately in the design.
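The OU delegation that replaces an NT-style administrative domain looks like this in practice. The script below is an added example, not code from the original article; the OU distinguished name and the group name are placeholders you would replace with your own. It assumes Windows PowerShell 5.1 on a domain-joined machine, run by an account allowed to modify the OU's ACL, and resolves the required GUIDs from the schema and configuration partitions at run time rather than hardcoding them. It grants the group the "Reset Password" control access right on user objects under the OU, plus read/write of pwdLastSet so the help desk can force a password change at next logon, and by default only shows what it would add.

```powershell
# Added example, not part of the original article. Delegate "reset password"
# on one OU to one group instead of creating a separate domain for that
# administrative split. The OU and group below are assumed placeholders.
# Assumes Windows PowerShell 5.1 on a domain-joined machine, run by an
# account that can modify the OU's ACL (e.g. a Domain Admin, once).
param(
    [string]$OuDn  = 'OU=Sales,DC=corp,DC=example',   # assumption: replace
    [string]$Group = 'CORP\Sales-HelpDesk',          # assumption: replace
    [switch]$Apply                                   # omit for a dry run
)
$ErrorActionPreference = 'Stop'

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapDisplayName) {
    # schemaIDGUID is stored as 16 raw bytes on the classSchema/attributeSchema object
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $s.Filter     = "(lDAPDisplayName=$ldapDisplayName)"
    [void]$s.PropertiesToLoad.Add('schemaIDGUID')
    New-Object System.Guid -ArgumentList (,[byte[]]$s.FindOne().Properties['schemaidguid'][0])
}

function Get-ControlRightGuid([string]$displayName) {
    # Control access rights (extended rights) live under CN=Extended-Rights in the config NC
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $s.Filter     = "(&(objectClass=controlAccessRight)(displayName=$displayName))"
    [void]$s.PropertiesToLoad.Add('rightsGuid')
    [Guid][string]$s.FindOne().Properties['rightsguid'][0]
}

$resetPasswordRight = Get-ControlRightGuid 'Reset Password'
$userClass          = Get-SchemaGuid 'user'
$pwdLastSet         = Get-SchemaGuid 'pwdLastSet'

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Rule 1: the Reset Password extended right, inherited by descendant user objects only.
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# Rule 2: read/write pwdLastSet on those users, so "must change password at next logon" can be set.
$pwdRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$ou  = [ADSI]"LDAP://$OuDn"
$acl = $ou.psbase.ObjectSecurity
$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdRule)

if ($Apply) {
    $ou.psbase.CommitChanges()
    "Committed delegation on $OuDn for $Group"
} else {
    "Dry run: these rules would be added to $OuDn for $Group (rerun with -Apply to commit):"
}

# Show the ACEs for the group as they now stand on the (possibly uncommitted) descriptor.
$acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The two rules are deliberately scoped: the inherited-object type restricts them to user objects under the OU, so the group gains nothing on computers, groups or the OU itself, and nothing at all outside the OU. That is the property that made separate NT domains unnecessary for this purpose.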

This was first published in April 2003
