When designing and deploying your Active Directory domains, be sure to keep the following important caveats, conventions and tips in mind:
- Always deploy a domain controller in the root domain of your forest first. It is not possible to install parent-domains; you can only install additional child domains to existing domains. For example, if you want to create mycompany.LAN and sales.mycompany.LAN, if you create sales.mycompany.LAN first, you will be unable to create mycompany.LAN in the established namespace.
- The first domain controller installed into a forest is the default host for the FSMO or Flexible Single Master Operations services: schema master, domain naming master, PDC emulator, RID master and infrastructure master. It is also the default global catalog server.
- The Domain Admins group found in the forest's root domain serves as the schema administrator's group for the forest.
- The root domain can be a standard domain with users and resources, or an empty domain. As an empty domain it has the sole purpose of maintaining the schema and domain-naming conventions. Plus, it helps restrict those with schema access, and ensures that the root domain is never obsolete or redundant.
- Since Active Directory relies upon DNS to function, provide at least two DNS servers in each domain to allow for fault tolerance and to better handle network congestion issues. You should also ensure that at least one high-speed network segment exists
- between each domain controller and the two (or more) DNS servers.
- A domain's name cannot be changed.
- Two domains cannot be directly merged. This process can be performed partially with the migration tool, but it does not offer a true merge capability. The migration tool was originally developed to move Windows NT users into Windows 2000 domains. It can be used to move Windows 2000 users between domains, but it is not always a smooth or easy process.
- A single domain cannot be split in two. This process must be performed manually (i.e., re-creating the accounts and resources in a second domain or using the migration tool) if this action is needed.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in April 2003