
I work for a small organization which will be starting another branch of business here shortly. We have an existing active directory infrastructure and are looking to add another domain to the forest. At the same time, we are moving our existing infrastructure into a data center so the cost of additional servers is playing a huge factor in all this.

I've always been told that it's a good practice to deploy redundant domain controllers within your environment. With that said, the organization is maxing out budget-wise, and it will be difficult deploying redundant domain controllers within the data center for both domains. Is it possible to deploy some sort of redundancy in this scenario with only a single DC in each domain? For example, let's say I have domain1.mycorp.com and domain2.mycorp.com and both domains host only a single DC. If the domain2 DC went down, would it still be possible to authenticate users for domain2 from the domain1 DC? If this is possible, how would I go about doing so? Any help or insight would be greatly appreciated.

Thank you

  • `We have an existing active directory infrastructure and are looking to add another domain to the forest` - Why? `I've always been told that its a good practice to deploy redundant domain controllers within your environment` - Yes it is and you should. `the organization is maxing out budget wise, and it will be difficult deploying redundant domain controllers within the data center for both domains` - Not if you use virtualization. `If the domain2 DC went down, would it still be possible to authenticate users for domain2 from the domain1 DC?` - No. – joeqwerty Mar 30 '15 at 19:32
  • Thanks Joe for the quick response. In answer to your question, the other branch of business is totally separate from our current business. What other option would you suggest to segregate the two? Virtualization is being used, but we are being charged for the additional resources needed to spin up the servers. At this time, we are exceeding our budget, which has left me seeking alternative methods. – user2891487 Mar 30 '15 at 19:39
  • Small org... keep to single domain, and use Organisational Units to "partition" your namespace. The only justification that I can see to do the contrary would be an administrative one, i.e.: different people looking after the two orgs. Even then, though, they're still in the same forest, so ultimately, someone still has "god" status. Mumble.. mumble... – Simon Catlin Mar 30 '15 at 21:30

2 Answers

The reason that you are being told to have redundant domain controllers is primarily for fault tolerance. There are a myriad of other benefits for having redundant domain controllers but being able to have the services offered by the domain controller stay up, always, can be very important to you moving forward.

Regarding the multi domain advertisement from a single domain controller, that cannot be done.

Some fault tolerant points to consider:

  • If you are having issues with a domain controller in the middle of the day and need to reboot it or work on it for some reason, there is a good chance that all of your services that are dependent upon the Active Directory domain are unavailable. Therefore, all of your users are having some level of outage. Example issues: Exchange and SQL server have service accounts that look for AD for end user access......well...almost everything. No DC, no work.

  • All of your authentication (in your scenario) will be traveling over your WAN link to the data center in order for end users to authenticate. You have multiple points of failure related to your connectivity; not having a local domain controller could pose challenges when you have connectivity issues with your ISP.

  • Your entire security context is advertised in Active Directory. All of your user objects, group objects, computer/server objects, etc. are stored in your AD. Everything related to security attributes of everything in the domain. If you lose that domain controller and cannot restore, for whatever reason, you are rebuilding your domain, rejoining all of your computers to a new one, recreating user accounts, it goes on and on....you get the idea.

IMHO, it's not worth the risk to have a single domain controller advertising your domain. If there are budget constraints then empowering yourself on the skills of 'managing up' to set cost expectations and priorities with your leadership team will be invaluable to you in your career.

– Citizen
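The answer's point that a DC in one domain cannot stand in for the DC of another is easy to verify in your own forest: if any domain lists a single DC, that machine is also the only host of that domain's FSMO roles and (usually) its only global catalog. The following is an added example, not code from the answer above; it assumes the RSAT `ActiveDirectory` module and read access to the forest, and the domain names it would print (domain1.mycorp.com, domain2.mycorp.com) are the ones from the question.

```powershell
# Added example (not from the answer above): enumerate every domain in the
# forest and flag any domain that is served by a single domain controller.
# Assumes the RSAT ActiveDirectory module is installed and the caller can
# read forest and domain objects.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    # Query the domain directly so we see the DCs it registers itself.
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

    # Domain-level FSMO roles each live on exactly one DC; with a single DC
    # they all sit on the same machine, so losing it loses every role at once.
    $roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) |
        Sort-Object -Unique

    [pscustomobject]@{
        Domain               = $domainName
        DomainControllers    = ($dcs.HostName -join ', ')
        DcCount              = $dcs.Count
        GlobalCatalogs       = @($dcs | Where-Object IsGlobalCatalog).Count
        FsmoRoleHolders      = ($roleHolders -join ', ')
        SinglePointOfFailure = ($dcs.Count -lt 2)
    }
}

$report | Format-Table -AutoSize

# Anything flagged here is a domain whose users cannot log on, and whose
# AD-dependent services (Exchange and SQL service accounts, for example) stop,
# whenever that one DC reboots, because no DC from another domain can serve it.
$report | Where-Object SinglePointOfFailure | ForEach-Object {
    Write-Warning ("{0} is served by only {1} domain controller(s): {2}" -f
        $_.Domain, $_.DcCount, $_.DomainControllers)
}
```

Run it from any domain-joined admin workstation before and after adding the second DC; the `SinglePointOfFailure` column turning to `False` for every domain is the condition the answer is asking you to reach.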

Given the size of our environment, we kept it to a single domain and used OUs to segregate the two branches of business.
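The single-domain layout this answer (and Simon Catlin's comment) describes is one OU per branch, with each branch's own admin group delegated control of its OU only. The script below is an added illustration of that layout, not the poster's own configuration; it assumes the `ActiveDirectory` module and the `dsacls` tool, uses the domain from the question (mycorp.com, read from `Get-ADDomain`), and the branch and group names are constructed placeholders.

```powershell
# Added example (not from the answer above): one domain, one OU per branch of
# business, with a per-branch admin group delegated full control of its own
# OU subtree. Branch names and group names below are constructed placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName      # e.g. DC=mycorp,DC=com
$netbios  = $domain.NetBIOSName
$branches = @('Branch1', 'Branch2')        # constructed branch names

foreach ($branch in $branches) {
    $ouDn = "OU=$branch,$domainDn"

    # Top-level OU for the branch, protected from accidental deletion.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$branch)" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $branch -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }

    # Sub-OUs so Group Policy and delegation can be scoped separately for
    # users, computers and groups of this branch.
    foreach ($sub in 'Users', 'Computers', 'Groups') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $ouDn -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $ouDn
        }
    }

    # The branch admin group lives inside the branch's own OU.
    $groupName = "$branch-OU-Admins"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path "OU=Groups,$ouDn"
    }

    # dsacls: grant the group generic-all (GA) on the OU, inherited by the
    # whole subtree (/I:T). Because the grant is on this OU only, the group
    # has no rights over the other branch's OU.
    dsacls $ouDn /I:T /G "${netbios}\${groupName}:GA"
}
```

Delegation scopes day-to-day administration, but, as the comment on the question notes, an OU is not a security boundary: Domain Admins and Enterprise Admins still have full control over both branches, so membership of those groups is what actually needs to be kept small.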