
When and why should I create multiple domains in my Windows 2003 forest?

In the Windows NT world, domains were the only administrative unit that could be created. In Windows 2003's Active Directory you can create Domains, Sites, Organizational Units (OU), and even other forests. While the Windows domain still serves a purpose, it is not the default unit for administration. Microsoft clearly focused on the OU as the most flexible administrative unit.

When you utilize an OU instead of a domain you can still:

  • Delegate authority to manipulate objects and policy in the OU
  • Apply group policies to the OU
  • Move objects in and out of the OU
  • Rename, delete or otherwise manipulate the OU freely.

Domains are not nearly as flexible. You may certainly apply group policies to a domain, and by definition administration is delegated. However, manipulating a domain once it has been created is not straightforward. Special tools were finally created in Windows 2003 to assist in renaming a domain, but these are not completely trustworthy. A domain is a more permanent facet of Active Directory and should be used in limited cases. Here are a couple of criteria I use to justify the creation of an additional domain:

* Some part of the company that will use the other domain needs a different account/password group policy. The password policy is specific to the domain level and cannot be applied at the OU level. You may have a division that works with government contracts or in a foreign country, which could require stricter access policies.

* The division you need a separate domain for may potentially be sold or separated from the main company. A large company may have whole divisions that operate independently, almost a company within a company: they have their own IT department, their own balance sheet and their own administration (CEO/COO). Making them separate domains facilitates spinning the division off into its own company or selling it.

When considering creating another domain, keep in mind that the additional domains:

  • Require more administration
  • Require additional hardware (domain controllers)
  • Dramatically increase the complexity of administration (group policies, trusts, etc.)
  • Require additional monitoring (replication issues, etc)
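Before adding a domain, it helps to see what the existing ones already cost. The following PowerShell is an added example, not part of the original answer: it uses the .NET System.DirectoryServices classes (which can read Windows 2003 domains) to list, for each domain in the forest, the domain-level password and lockout policy that cannot be set on an OU, the number of domain controllers, and the trusts. It assumes a domain-joined Windows host with read access to the directory.

```powershell
# Added example (not from the original answer): inventory every domain in the
# current forest so the "one more domain" decision rests on what each one costs.
# Assumes a domain-joined Windows host with read access to the directory.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainPolicySummary {
    param([System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    # Password and lockout policy live as attributes on the domain's root object,
    # which is why they apply per domain and not per OU.
    $root = $Domain.GetDirectoryEntry()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.AddRange(
        @('minPwdLength', 'pwdHistoryLength', 'maxPwdAge', 'lockoutThreshold'))
    $p = $searcher.FindOne().Properties

    # maxPwdAge is a negative count of 100-nanosecond ticks; 0 or Int64.MinValue
    # means passwords never expire (guarded because Abs(MinValue) overflows).
    $ticks = [int64]$p['maxpwdage'][0]
    $maxAgeDays = if ($ticks -eq 0 -or $ticks -eq [int64]::MinValue) { 'never' }
                  else { [math]::Abs($ticks) / 864000000000 }

    [pscustomobject]@{
        Domain            = $Domain.Name
        MinPwdLength      = [int]$p['minpwdlength'][0]
        PwdHistory        = [int]$p['pwdhistorylength'][0]
        MaxPwdAgeDays     = $maxAgeDays
        LockoutThreshold  = [int]$p['lockoutthreshold'][0]
        # Each extra domain means its own DCs to buy, patch and monitor.
        DomainControllers = $Domain.DomainControllers.Count
        # Trusts are the other recurring cost of a multi-domain design.
        Trusts            = ($Domain.GetAllTrustRelationships() |
            ForEach-Object { "$($_.TargetName) ($($_.TrustDirection))" }) -join '; '
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.Domains | ForEach-Object { Get-DomainPolicySummary -Domain $_ } |
    Format-Table -AutoSize
```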

Many companies end up creating domains based on geography or a distributed IT management model. This is truly unnecessary and commits them to an infrastructure that cannot easily be altered to match changing business needs. The use of OUs and sites creates a much more flexible infrastructure that can change with the business. Any time you consider creating a new domain, you should seriously consider using OUs instead. Ask yourself:

  • Is my IT department expected to look the same in the next 5 years?
  • Is my company going to be involved in any mergers or acquisitions?
  • Do I need a separate policy to govern a group of users?
  • Does this need justify the purchasing of additional hardware and the increased cost of management of the solution?

Remember, users and business administrators rely on you as their IT department to tell them what the impact of their request is. Be prepared to provide them with a justified reason that tracks back to dollars, business flexibility or other business objectives.

Additional Information: http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
