Re: Active Directory in a huge single forest
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/27/05
- In reply to: jfprieur_at_gmail.com: "Active Directory in a huge single forest"
Date: Wed, 26 Jan 2005 20:07:58 -0600
<jfprieur@gmail.com> wrote in message
news:1106759229.170064.161300@c13g2000cwb.googlegroups.com...
> Hello,
>
> I just got asked to provide a 'worst-case' report for our enterprise
> active directory.
>
> The architecture chosen was a single forest/multiple domain model. At
> that time, that is what MS was recommending for enterprises. Since then
> that recommendation has changed, but this is already in production and
> migration has started.
It is still correct in many instances.
> Win2K servers are the current infrastructure
> servers (DCs, FSMOs, etc.). Eventually we are talking 50000+
> workstations in this forest.
That is not "huge" -- it's on the low side of large for AD.
> For reasons that I won't get into here, there are/will be 2000+ domain
> controllers spread across the multiple domains, spread all over the
> world.
>
> Reading the best practices recommendations for AD recovery published by
> Microsoft, it lists in its recovery steps that you must switch off
> every DC. You can well see that this would be a significant impact,
> with business continuity implications.
What KB? Most people never have to do that.
> Now there are mitigating factors: Only 3 enterprise admins, very
> strenuous change control and testing for the schema (Microsoft called
> it one of the best implementations it has seen). MS stated that a full
> forest meltdown has only occurred three times, all related to poor
> planning and implementation.
>
> I guess what I am asking is, do you see anything in Windows 2003 that
> would mitigate this? A migration is planned but not in the near future.
Improved replication is one of the main improvements of
Win2003.
> Is there anything (high-level) that we can do right now to reduce the
> (minuscule) risk even further? A cost-benefit analysis was performed on
> migrating to a multiple forest model, but this would cost more than the
> current NT -> 2000/XP migration that we are going through right now.
You are likely better off the way you are IF it is currently
replicating with no significant problems (I would bet.)
> I know my questions are pretty broad, just a good discussion on this
> subject would be very helpful.
What sort of WANs?
Why so many DCs?
How many Sites?
How are your Site Links and Site Link Bridge (groups) set up?
-- Herb Martin