Best Practice Active Directory Structure/Design

  #1  
Old 15-10-2009
Tal Bar-Or
 
Posts: n/a
Best Practice Active Directory Structure/Design

Hello,

We are in our organization discussing different architectures for Active
Directory.

Our organization has about 65 sites across the country.

I am wondering what would be the best solution, 1 domain for all the sites
or one domain per site.

Could you help us in this investigation?

What are the pros and cons of both solutions in this area?

Thanks in advance


  #2  
Old 15-10-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Best Practice Active Directory Structure/Design

Hello Tal Bar-Or,

If you don't have a need for a real security boundary, which requires a separate
forest, I would use a single forest domain with one, better 2, DC/DNS/GC
in each site and create OUs for each site with the user/computer accounts.
This way you can delegate administration to site admins without making them
domain admin also.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello,
>
> We are in our organization discussing different architectures for
> Active Directory.
>
> our organization has about 65 sites and across country
>
> i am wondering what would be the best solution, 1 domain for all the
> sites or one domain per site.
>
> Could you help us in this investigation?
>
> What are the pros and cons of both solutions in this area?
>
> Thanks in advance
>
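
The per-site OU delegation described in the reply above, as an added example that is not part of the original posts: it creates one OU per site and grants a site-admin group rights over user and computer accounts in that OU only, with no Domain Admins membership. The domain DN, NetBIOS name, site names, OU layout and group names are all assumptions.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module
# and an account allowed to create OUs and groups and to edit OU ACLs.
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=example,DC=com'   # assumption: placeholder domain
$NetBIOS  = 'CORP'                        # assumption: placeholder NetBIOS name
$Sites    = 'SiteA', 'SiteB'              # assumption: stand-ins for the real sites

# Delegation groups live outside the site OUs, so a site admin cannot
# edit the membership of the group that grants the delegation.
New-ADOrganizationalUnit -Name 'Delegation' -Path $DomainDN
New-ADOrganizationalUnit -Name 'Sites' -Path $DomainDN

foreach ($site in $Sites) {
    $siteOU = "OU=$site,OU=Sites,$DomainDN"
    New-ADOrganizationalUnit -Name $site -Path "OU=Sites,$DomainDN"
    New-ADOrganizationalUnit -Name 'Users' -Path $siteOU
    New-ADOrganizationalUnit -Name 'Computers' -Path $siteOU

    New-ADGroup -Name "SiteAdmins-$site" -GroupScope DomainLocal `
        -GroupCategory Security -Path "OU=Delegation,$DomainDN"
    $trustee = "$NetBIOS\SiteAdmins-$site"

    # Users OU: create/delete user objects, full control of those users only.
    dsacls "OU=Users,$siteOU" /I:T /G "${trustee}:CCDC;user"
    dsacls "OU=Users,$siteOU" /I:S /G "${trustee}:GA;;user"

    # Computers OU: the same, scoped to computer objects.
    dsacls "OU=Computers,$siteOU" /I:T /G "${trustee}:CCDC;computer"
    dsacls "OU=Computers,$siteOU" /I:S /G "${trustee}:GA;;computer"
}

# Check: list the ACEs each site group actually holds on its Users OU.
foreach ($site in $Sites) {
    (Get-Acl "AD:\OU=Users,OU=$site,OU=Sites,$DomainDN").Access |
        Where-Object { $_.IdentityReference -like "*SiteAdmins-$site" } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType
}
```

The grants stop at the site OU, so the site groups get no rights on the domain root, on other sites' OUs, or on the Delegation OU that holds the groups themselves.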



  #3  
Old 15-10-2009
Richard Mueller [MVP]
 
Posts: n/a
Re: Best Practice Active Directory Structure/Design


"Tal Bar-Or" <tal_baror@hotmail.com> wrote in message
news:u3eYXsYTKHA.5052@TK2MSFTNGP05.phx.gbl...
> Hello,
>
> We are in our organization discussing different architectures for Active
> Directory.
>
> our organization has about 65 sites and across country
>
> i am wondering what would be the best solution, 1 domain for all the
> sites or one domain per site.
>
> Could you help us in this investigation?
>
> What are the pros and cons of both solutions in this area?
>
> Thanks in advance
>


As noted, one domain makes sense, unless security policy requirements
dictate more (but certainly not 65). The bigger question is how to design
your OUs. An obvious solution is one OU per site. Each OU can have separate
group policy. Another option would be OUs for organization functions, like
sales or engineering or accounting. You can still have 65 Site objects in
AD. Group policies can also be applied to sites. In general, it is best to
minimize the number of domains.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


  #4  
Old 16-10-2009
Tal Bar-Or
 
Posts: n/a
Re: Best Practice Active Directory Structure/Design

Thanks :-)
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d795f8cc1bb42aa70704@msnews.microsoft.com...
> Hello Tal Bar-Or,
>
> If you don't have a need for a real security boundary, which requires a
> separate forest, i would use a single forest domain with one, better 2,
> DC/DNS/GC in each site and create OUs for each site with the user/computer
> accounts. This way you can delegate administration to site admins without
> making them domain admin also.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hello,
>>
>> We are in our organization discussing different architectures for
>> Active Directory.
>>
>> our organization has about 65 sites and across country
>>
>> i am wondering what would be the best solution, 1 domain for all the
>> sites or one domain per site.
>>
>> Could you help us in this investigation?
>>
>> What are the pros and cons of both solutions in this area?
>>
>> Thanks in advance
>>

>
>



  #5  
Old 16-10-2009
Jorge Silva
 
Posts: n/a
Re: Best Practice Active Directory Structure/Design

Hi
There's no "one solution fits all".
As others said, as a general rule 1 Domain/Forest should be enough to perform
the job, but there are other things to consider: OU Design model, Sites
Model, GPO, Management, Patching, Security, etc.

Before deciding anything, you should read some documents that MS has for
Active Directory Deployment/Design.
You can start here:
Best Practice Active Directory Design for Managing Windows Networks
http://technet.microsoft.com/en-us/l.../bb727085.aspx
Planning an Active Directory Deployment
http://technet.microsoft.com/en-us/l...78(WS.10).aspx

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



"Tal Bar-Or" <tal_baror@hotmail.com> wrote in message
news:u3eYXsYTKHA.5052@TK2MSFTNGP05.phx.gbl...
> Hello,
>
> We are in our organization discussing different architectures for Active
> Directory.
>
> our organization has about 65 sites and across country
>
> i am wondering what would be the best solution, 1 domain for all the
> sites or one domain per site.
>
> Could you help us in this investigation?
>
> What are the pros and cons of both solutions in this area?
>
> Thanks in advance
>
>
