5

I am inheriting existing infrastructure for a hotel group, and trying to overhaul said infrastructure.

The hotels (HotelA, HotelB, etc) were initially set up with one domain (and one domain controller) each. This is somewhat difficult to manage because each hotel has its own domain (which means we end up having to import/export GPOs across domains just to make sure they are all standardized, inventory issues, software deployment issues, etc). There are no trusts between domains.

I now have the chance to combine all the "individual" hotel domains into a large domain, say ad.hotelgroup.com. Is this a good idea or not? There is some pushback from the group as they want each hotel to be effectively standalone so that when it gets sold to a new owner there is no additional work needed to be done.

However, I believe that managing a single domain is much less painful than managing multiple domains. It also allows there to be multiple redundant DCs, and allows us to share MDT and WSUS servers, something we could not do before.

What do you guys think?

ryanswj
  • 71
  • 1
  • 2
  • 2
    `It also allows there to be multiple redundant DCs` - Whether you have one domain or several, you should have multiple DC's. This isn't exclusive to your "one domain" proposal. There's nothing preventing you from deploying additional DC's in the existing domains. – joeqwerty Dec 22 '19 at 19:35

2 Answers2

2

This will not be an easy answer as there are a lot of things to consider. But there are few key arguments within your post.

.. as they want each hotel to be standalone so that when it gets sold to a new owner there is no additional work needed to be done.

This is a valid point and there will be no easy way to do this in one domain. Even in one forest this can be a bit tricky sometimes.

and allows us to share MDT and WSUS servers, something we could not do before.

MDT and WSUS are not domain-bound or authenticated and can be run through multiple domains. You don't need one per Domain.

ad.hotelgroup.com. Is this a good idea or not

Usually it is, yes. If the key feature is "easy separation", it's most probably not.

bjoster
  • 4,805
  • 5
  • 25
  • 33
1

each hotel has its own domain ... There are no trusts between domains..

This is not a scalable AD architecture.

Even if they did approve and fund it, which seems unlikely, I'm inclined to think that converting this would be beyond the organization's capability and appetite for change. When the decision was made for the current architecture, they essentially pressed the ****-it button and conceded that reasonable technology management and architecture is not a priority.

What you may want to consider is creating a management forest, and configure each of the domains/forest(s) to trust that forest. That would help with some, but not all problems, create minimal friction, and preserve the existing architecture.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82