3

I work for an educational establishment that currently has three geographically separate schools, and is about to open a fourth. Each school has 600+ computers and 1000+ users.

At the moment our Active Directory is set up to split the schools into three domains.

  • school1.internal
  • school2.school1.internal
  • school3.school1.internal

Each school is mostly independent from each other, with very few users that need to cross over. There is one Exchange server group but with one server at each school.

The network director has decided that he wants Exchange to be externally managed, as "School1" have messed about so much with theirs that it no longer works correctly.

The company that is doing this outsourcing has suggested that it may be better to have one domain with separate Organisation Units for each site; my thoughts are they want to do this as it's easier for them.

The way we've been running has served us quite well, with very little being able to cause any issues with the other schools when one has a problem. I would prefer not to change, as this change will no doubt, at least in the beginning, introduce some instability.

The three sites are currently connected by 2Mbit links; when the 4th school opens, the schools will be moved over to a 100Mbit link (this is a separate project and more to do with a new VLE than with a network issue).

What would be the arguments for and against a multi domain setup or a location OU based setup?

Doug Luxem
Tubs

3 Answers

3

As there are few crossover requirements, I would recommend setting them up as suggested: one domain with appropriate OUs beneath it.

Set it up with the relevant "sites", with at least one domain controller at each and at least one Global Catalog at each site (there is no reason not to have each DC be a GC).

Once you migrate to the 100MB/s WAN even high volume DFS transfers would pose little issue.

Maintaining it as one domain with multiple sites and appropriate OUs for permissions, installations, group security etc. means that should all domain controllers in one site fail, all machines, with the exception of machines that are told specifically to look at one domain controller for authentication e.g. an application that is querying a domain controller for LDAP services, should still be able to log in and use network resources.

Over a 2Mb/s link this would be suboptimal but should be an edge case scenario, i.e. server room burns down but comms room is okay etc. Over a 100Mb/s link how is that any different to a normal domain config?

Dan
  • Dan, you're right about the way to design a new domain/forest structure, I absolutely agree. But as the OP appears to be talking about a currently existing multi-domain structure, are you really saying they should change that if they're happy with it? – Rob Moir Jun 08 '09 at 10:48
  • Just for info, School1 has 3 DCs, School2 has 2 DCs, School3 has 4 DCs and School4 will have 3 DCs. These computers do nothing other than service logons - as we can get 2400 logon/logoff events in a 10 minute time frame (up to 8 times a day) they actually get put under a bit of stress - at least for DCs. – Tubs Jun 08 '09 at 11:13
  • Hi Robert, I may be misinterpreting the question; when I read "have one domain with separate Organisation Units for each site" I assumed a new domain. Honestly, I think *I* would change it to a completely new domain. It's an opportunity for a clean slate and a purge of all old objects and bad design (if applicable). I do appreciate that this may mean additional work but would leave the new domain in a good, stable state. – Dan Jun 08 '09 at 11:31
  • You might be right Dan, but to a certain degree I'm part of the "if it ain't broke" crowd and I also work in education so I know how much time and financial pressure they're probably under. I'd still love to hear how the people they're outsourcing exchange to justify their asking for it. – Rob Moir Jun 08 '09 at 11:35
  • Yes, it would be a new domain in the forest - in fact what they are proposing is that School4 is created in line with the others, then OUs/accounts/computers are moved to the new domain. Although this information is coming third hand, that's the gist of things. – Tubs Jun 08 '09 at 12:50
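Added example, not code from Dan's answer or anyone in this thread: it lays out the single-domain, one-site-per-school topology Dan describes and then checks his two conditions (every site has a DC, every DC is a GC). It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later, newer than the 2009-era environment in the question), and the site names, subnets and link name are made up.

```powershell
# Added example (not from the original thread). One AD site per school in a
# single domain, one site link over the shared WAN, then an availability check.
Import-Module ActiveDirectory

# Constructed site -> subnet mapping; real subnets would come from each school's LAN.
$sites = [ordered]@{
    'School1' = '10.1.0.0/16'
    'School2' = '10.2.0.0/16'
    'School3' = '10.3.0.0/16'
    'School4' = '10.4.0.0/16'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        # The subnet-to-site mapping is what makes clients prefer a local DC.
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# One site link across the WAN. The 180-minute default interval suits the old
# 2 Mbit circuits; 15 minutes is reasonable once the 100 Mbit link is in place.
$linkName = 'Schools-WAN'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded ([string[]]$sites.Keys) `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Availability check: a site with no DC of its own authenticates over the WAN,
# and a DC that is not a GC may need to reach one over the WAN to finish a logon.
$dcs = Get-ADDomainController -Filter *
foreach ($name in $sites.Keys) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $name })
    $noGc   = @($inSite | Where-Object { -not $_.IsGlobalCatalog })
    if ($inSite.Count -eq 0) {
        Write-Warning "$name has no domain controller; logons there depend on the WAN"
    } elseif ($noGc.Count -gt 0) {
        Write-Warning "$name has DCs that are not GCs: $($noGc.Name -join ', ')"
    } else {
        "$name : $($inSite.Count) DC(s), all global catalogs"
    }
}
```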
1

In general terms, they are correct that when you design AD you should use as few domains as possible. With a pending upgrade to 100Mb links, there's arguably no technical reason not to do this.

However, you're not creating a new forest, as you well know, so the question becomes whether there is any real reason why you need to collapse a design that you're presumably happy with and which works well, and I say no - I maybe wouldn't have designed it this way to start with but I couldn't justify the upheaval of changing it. It seems like a lot of work and the best you can hope for as a result is that the currently working system will continue to work. (I'm thinking about the perspective of your students and teaching staff here; whether or not there would be a large enough reduction in support costs from doing this is another, separate consideration.)

Exchange can work quite happily with users from several domains in the same forest so I am honestly not sure why the people you're outsourcing Exchange management to are asking about this. Perhaps someone should ask them their justification for asking for a major change to be made to a setup that currently works well. And if they say that Exchange needs it, fire them, they don't know what they're talking about.

Rob Moir
  • "should use as few domains as possible" - you don't have a reference for this do you? Just so I can read up on it. – Tubs Jun 08 '09 at 10:30
  • @Tubs, you know, I'm not sure of a site that will actually use those words, but I can point you to: http://technet.microsoft.com/en-us/library/cc268203.aspx http://www.informit.com/articles/article.aspx?p=32080&seqNum=5 both of which discuss forest design and list the single domain model as a starting point, and then the reasons why you'd need to go higher, and there are fewer technical reasons than one might think (political reasons are valid too). I still wouldn't advocate ripping out your perfectly good working current design though, just to conform to the manual. – Rob Moir Jun 08 '09 at 10:47
0

A few things to consider (and this takes into consideration the upgraded bandwidth between sites):

  • The domain is not a security boundary. So from a security perspective, if they are domain admins of their domains (and not others), you get to a more secure situation by using OUs and delegated rights. Domain admins can escalate to take over the forest, meaning they can gain control of any other domain in the forest.
  • By going to a single domain, you can rely on DCs at other sites should problems develop with the DCs on site. While this is less than ideal, it would eliminate the requirement to put additional DCs at other sites for each domain.
  • There is a lot to be said with maintaining the status quo as it reduces your risk and work initially. However, consider that by collapsing to a single domain, a lot of work gets reduced over the long term, especially as you consider an AD upgrade for each domain. You would be looking at upgrading 4 domains under the current model. By shrinking to 1 domain, you're doing that upgrade once.
K. Brian Kelley
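Added example, not code from K. Brian Kelley's answer or anyone in this thread: it shows the "OUs and delegated rights" model from his first point, a per-school OU and a helpdesk group that can reset passwords for users in that OU and nothing else, so no one needs to be a domain admin (the privilege that escalates to the whole forest). It assumes the ActiveDirectory PowerShell module and its AD: drive; the OU and group names are made up.

```powershell
# Added example (not from the original thread). Per-school OU plus a group
# delegated only the Reset Password right on user objects under that OU.
Import-Module ActiveDirectory

$school    = 'School1'                                  # assumed site/OU name
$domainDN  = (Get-ADDomain).DistinguishedName
$ouDN      = "OU=$school,$domainDN"
$usersDN   = "OU=Users,$ouDN"
$groupName = "$school-Helpdesk"                         # assumed delegated group

# Per-school OU with a Users sub-OU; the delegation is scoped to the sub-OU.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$school)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $school -Path $domainDN
}
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Users)' -SearchBase $ouDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Users' -Path $ouDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Resolve the GUIDs from this forest's schema instead of hard-coding them.
$rootDse   = Get-ADRootDSE
$userClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(ldapDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# ACE: allow the group the Reset Password extended right, inherited only by
# descendant user objects (not the OU itself, not computers or groups).
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl = Get-Acl -Path "AD:\$usersDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersDN" -AclObject $acl

# Review what the group was actually granted; this is what a delegation audit reads.
(Get-Acl -Path "AD:\$usersDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Other per-school rights (unlock account, manage computer objects) follow the same pattern with a different right or attribute GUID, all scoped to that school's OU.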