
Maximize your AD domain design

Considerations for good design.

Active Directory networks are organized using four types of divisions or container structures: forests, domains, organizational units and sites. When you are designing your network, it is important to use each of these divisions to its full potential. Let's take a closer look at the domain division.

Domains are most often used as logical containers. However, Microsoft recommends that you employ domains as physical containers as well. In other words, create domains whose members are geographically close to one another rather than spread across distant locations. This matters because the traffic within a domain is considerably higher than the traffic between domains: the domain partition (every user, group and computer object) replicates only among the domain controllers of that domain, while between domains only the schema, configuration and global catalog data replicate. A domain of limited physical size is therefore less likely to push full domain replication across expensive WAN links or pay-per-bit connections. When slow links must be part of the design, it is often beneficial to place separate domains on either side of them. Keep in mind that sites are the division intended for controlling replication over slow links; within a single domain, defining sites and site links lets you schedule and compress replication across the WAN without splitting the domain.

Domains serve as containers for security policies and administrative assignments. Group Policy Objects linked at the domain level apply to every user and computer in the domain by default, unless an OU below blocks inheritance or the GPO is filtered; account policies in particular (password, lockout and Kerberos settings) are set per domain and cannot be varied by OU, which is one reason a separate domain is still sometimes justified. Likewise, members of a domain's Domain Admins group can manage every object within that domain. Each domain also holds its own partition of the directory, its accounts database, so authentication takes place against a specific domain. Being authenticated, however, only establishes who the user is and which groups the user belongs to; access to any given resource is still decided by that resource's access control list. And because all domains in a forest are joined by transitive trusts, a user authenticated in one domain can be granted access to resources in another. Finally, Microsoft treats the forest, not the domain, as the security boundary: every domain controller holds a writable copy of the forest-wide configuration partition, so an administrator who controls any domain in the forest must be trusted by all of them.

If you are migrating from a Windows NT domain to Windows 2000 or Windows Server 2003, several NT-era reasons for creating extra domains no longer apply. It is no longer necessary to create separate domains to divide administrative privileges: within Active Directory, administration can be delegated on organizational units. Domains are no longer bound by NT's 40,000-user limit; an Active Directory domain can manage millions of objects. And there are no longer PDCs and BDCs: Active Directory uses multi-master replication, and all domain controllers of a domain are peers, apart from the handful of operations-master (FSMO) roles such as the PDC emulator, each of which is held by exactly one domain controller at a time.
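As an added example (not from the original article), here is what the OU-based delegation described above looks like in PowerShell using the RSAT ActiveDirectory and GroupPolicy modules. The OU name "Sales" and the group name "Sales-Helpdesk" are placeholders, as is the domain the script runs in. The script grants the group the Reset Password control-access right and write access to pwdLastSet on user objects under the OU, which is the usual help-desk delegation, and then lists the GPOs (including those linked at the domain level) that the OU inherits.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory and GroupPolicy modules, rights to create OUs and groups and to
# edit ACLs, and placeholder names: OU "Sales", group "Sales-Helpdesk".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=corp,DC=example,DC=com
$rootDse  = Get-ADRootDSE
$ouDN     = "OU=Sales,$domainDN"

# 1. The OU is the administrative boundary; the group is who receives the rights.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name "Sales" -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq 'Sales-Helpdesk'")) {
    New-ADGroup -Name "Sales-Helpdesk" -GroupScope DomainLocal -Path $ouDN
}
$groupSid = (Get-ADGroup -Identity "Sales-Helpdesk").SID

# 2. Resolve the GUIDs the ACEs need from the schema and configuration
#    partitions rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$userClassGuid  = Get-SchemaGuid 'user'
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'
$resetRight = Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid
$resetPwdGuid = [Guid]$resetRight.rightsGuid

# 3. Add two ACEs to the OU that inherit down to user objects only:
#    the Reset Password control-access right, and write access to pwdLastSet
#    (so the help desk can force a password change at next logon).
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $descend, $userClassGuid))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $pwdLastSetGuid, $descend, $userClassGuid))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: show only the ACEs granted to the delegated group ...
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Sales-Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

# ... and confirm the OU still receives the domain-level GPOs by default.
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Target
```

The rights are scoped by both the object type (user objects) and the inheritance flag (descendants of the OU only), so the group cannot reset passwords on accounts outside the OU, including any administrative accounts that sit elsewhere in the domain. Note that Active Directory will not apply inherited ACEs to objects protected by AdminSDHolder, so members of built-in administrative groups are excluded even if they are moved into the OU.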

This was last published in April 2003
