DESKTOP

Designing a Windows Server 2008 R2 Active Directory : Understanding the Multiple Domain Model

1/22/2011 9:18:04 AM
For various reasons, organizations might need to add more than one domain to their environment but preserve the functionality that is inherent in a single forest. When this occurs, the addition of one or multiple domains into the forest is warranted. Domain addition should not be taken lightly, however, and proper consideration must be given to the particular characteristics of multiple domain models.

By default, two-way transitive trusts exist between subdomains and domains in AD DS. Bear in mind, however, that this does not mean that resource access is automatically granted to members of other domains. A user in subdomain B is not automatically granted any rights in domain A; the rights need to be explicitly defined through the use of groups. Understanding this concept will help to determine the logistics of domain addition.

Choosing When to Add Additional Domains

As previously mentioned, it is advisable to begin your Windows Server 2008 R2 AD DS design with a single domain and then add domains only when absolutely necessary. Adding child domains to an existing domain structure might become necessary if the following traits exist within an infrastructure:

  • Decentralized administration— If different branches of an organization generally manage their own IT structure and there are no future plans to consolidate them into a centralized model, multiple interconnected domains might be ideal. Each domain acts as a security boundary for most types of activity and can be set up to disallow administration from escaping the boundaries of domains. This approach, however, exposes many of the limitations associated with a multiple domain environment. In other words, it is better to try to centralize administration before deploying AD DS because you will gain more of AD’s advantages. It is also much better to organize administration along organizational unit boundaries than by domains, so consider this option first.

  • Geographic limitations— If extremely slow or unreliable links or great geographical distances separate different parts of your company, it might be wise to segment the user population into separate domains. This will help to limit replication activity between domains and also make it easier to provide support during business hours for distant time zones. Keep in mind that slow links by themselves do not necessitate the creation of multiple domains, as Windows Server 2008 R2 AD DS uses the concept of AD DS sites to throttle replication across slow links. The main reason that might exist for domain creation for geographical reasons is administrative flexibility. In other words, if there is a problem with the network in Japan, a Japanese administrator will have more power to administer the Asia domain and will not need to call the North American administrator in the middle of the night.

  • Unique DNS namespace considerations— If two organizational entities want to use their Internet-registered namespace for AD DS but use a common forest, such as hotmail.com or microsoft.com, those domains must be added as separate domains.

  • Enhanced security concerns— Depending on the needs of your organization, separating the schema master role into a domain separate from your users might be applicable. In this case, the single domain model would not be applicable, and a model such as the peer-root or placeholder domain would be more appropriate.

When contemplating additional domains, remember the mantra, “Simplicity is best.” However, if during the design process, the specific need arises to add domains, proper design is still warranted, or your environment will run the risk of becoming more inefficient than it could be.

Exploring a Multiple Domain Real-World Design Example

The following example illustrates an organization that would have grounds to establish multiple domains. CompanyB is an engineering company based in York, Pennsylvania. Administration for all branch locations is currently centralized in the home office, and OUs and group policies are used for delegation of lower-level tasks. Recently, the company acquired two separate companies named Subsidiary A and Subsidiary B; each contains its own IT department and operates in separate geographical areas. CompanyB decided to implement AD DS as part of a Windows Server 2008 R2 implementation and wanted to include the two acquired companies into a single common forest.

Because each acquired company possesses its own IT department and there was no agreement on the ownership of the Domain Admins accounts, CompanyB decided to deploy an AD DS structure with two subdomains for Subsidiary A and Subsidiary B, as shown in Figure 1.

Figure 1. AD DS with two subdomains.


This design model allowed for a certain degree of administrative freedom with the newly acquired subsidiaries but also allowed for a common forest and schema to be used and kept the domains within the same DNS namespace.

This design model has the particular advantage of being politically easier to implement than consolidation of existing domains. Branch offices and subsidiary companies can keep their own domain structure and security boundaries, and their IT teams can retain a greater deal of administrative autonomy.

Be warned, however, that consolidation of a larger number of domains into fewer domains is a key feature of AD DS, so the addition of domains purely for political reasons adds complexity and potentially unnecessary infrastructure. It is, therefore, very important to consider the alternatives before deciding on this design model.

Other  
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding the Single Domain Model
  •  Windows 7: Optimizing Performance (part 3) - Using ReadyBoost to Enhance Performance
  •  Windows 7: Optimizing Performance (part 2) - Fine-Tuning Virtual Memory & Data Execution Prevention
  •  Windows 7: Optimizing Performance (part 1) - Fine-Tuning Visual Effects & Application Performance
  •  Designing a Windows Server 2008 R2 Active Directory : Choosing a Domain Structure
  •  Designing a Windows Server 2008 R2 Active Directory : Understanding AD DS Domain Design
  •  Personalizing Windows 7 (part 6) - Configuring Your Monitors
  •  Personalizing Windows 7 (part 5) - Choosing Your Mouse Pointers
  •  Personalizing Windows 7 (part 4) - Choosing Your System Sounds
  •  Personalizing Windows 7 (part 3) - Choosing and Configuring Your Screensaver
  •  Outlining AD DS Changes in Windows Server 2008 R2 (part 3) - Auditing Changes Made to AD Objects
  •  Outlining AD DS Changes in Windows Server 2008 R2 (part 2) - Implementing Multiple Password Policies per Domain
  •  Outlining AD DS Changes in Windows Server 2008 R2 (part 1)
  •  Personalizing Windows 7 (part 2) - Choosing Your Desktop Background
  •  Personalizing Windows 7 (part 1) - Fine-Tuning Your Window Colors and Experience Level
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of DNS in AD DS
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Explaining AD DS Replication
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of Groups in an AD DS Environment
  •  Understanding Windows 7 Personalization
  •  Windows 7 : Understanding User Account Control and Its Impact on Performance
  •  
    Most View
    HP Envy 4 - Ultra Envious
    Buying Tips: Router Bargains
    Some Of The Biggest Brands In The World Had Their Products (Part 3) - Lenono IdeaPad S400, Samsung Galaxy Tab 2 7.0
    SharePoint 2010 : SharePoint Fundamentals (part 1) - Sites and Site Collections
    How To Buy A Hard Drive (Part 1)
    Next – Gen Broadband – Optimizing Your Current Broadband Connection (Part 3)
    OS X Server - Normal Servers (Part 2)
    The Big Show: LG Optimus Vu
    Grouptest Headphones: $150-$210 - Phone Home (Part 2) - DT - 440
    The Slithery World Of Hybrid Cloud Security
    Top 10
    The Performance Review Of AMD Radeon HD 7790 And Nvidia GeForce GTX 650 Ti BOOST (Part 4)
    The Performance Review Of AMD Radeon HD 7790 And Nvidia GeForce GTX 650 Ti BOOST (Part 3)
    The Performance Review Of AMD Radeon HD 7790 And Nvidia GeForce GTX 650 Ti BOOST (Part 2)
    The Performance Review Of AMD Radeon HD 7790 And Nvidia GeForce GTX 650 Ti BOOST (Part 1)
    Turtle Beach Ear Force XP Seven Headset - A New Era Of Tournament-Level Gaming Audio (Part 3)
    Turtle Beach Ear Force XP Seven Headset - A New Era Of Tournament-Level Gaming Audio (Part 2)
    Turtle Beach Ear Force XP Seven Headset - A New Era Of Tournament-Level Gaming Audio (Part 1)
    The NZXT Kraken X40 Compact Liquid Cooler Review (Part 1)
    The NZXT Kraken X40 Compact Liquid Cooler Review (Part 3)
    The NZXT Kraken X40 Compact Liquid Cooler Review (Part 2)