Re: Active Directory in a huge single forest
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/27/05
- Next message: Ryan Hanisco: "Re: Second Trust"
- Previous message: Joe Richards [MVP]: "Re: replication monitoring rights"
- In reply to: Joe Richards [MVP]: "Re: Active Directory in a huge single forest"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 26 Jan 2005 22:27:01 -0600
> Also be careful about what MS says, what they say depends entirely on who says it.
> If it is MCS people, I would take the statements with a grain of salt. If you were
> talking with the Dev people you might have gotten more substantial responses.
What Joe said with this addition -- It can go the other
way too: Sometimes the Dev people don't know the
real world (only the technical truth about the product)
and the MCS are at times people with experience like
Joe.
Sometimes what MS says is what a 1st or 2nd level
support person wrote for the KB (they are graded on
how many they write) and sometimes that support
person nails it perfectly.
In other words, it is a big place and everyone has an
opinion. Opinions are like noses, some smell better
than others.
--
Herb Martin

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OJ39DuBBFHA.3700@tk2msftngp13.phx.gbl...
> Don't want to bust your bubble but 50k workstations isn't really too large. I have run single domains larger than that. You can chase my resume if you want, it isn't a line. My last ops position was 250,000 users in a single forest which I had migrated from hundreds of NT4 domains over the course of several years.
>
> Also be careful about what MS says, what they say depends entirely on who says it. If it is MCS people, I would take the statements with a grain of salt. If you were talking with the Dev people you might have gotten more substantial responses. Don't get me wrong, some of the MCS people are pretty good. But you need to balance everything you hear from them. Most of them really don't have large scale experience.
>
> I would tend to agree that large scale meltdowns aren't all that common. I don't think they can state how many there have been. That isn't info that is generally published and broadcast inside of MS or out. I would also agree that you have to tend to do some pretty bad things to get into that situation.
>
> I would be a bit concerned with the number of DCs. That seems excessive and probably isn't needed. Every DC is admin overhead and the more you get the more pain it is monitoring replication and such. For those 250k users I mentioned above we had ~400 DCs in 11 domains, that was even too much to be honest. We didn't need anywhere near that overhead and coverage. Every chance we got we shut down extra DCs.
>
> If you aren't deployed yet, I wouldn't consider deploying anything but Windows Server 2003. There are massive changes throughout that correct issues the large deployments such as mine ran headlong into and made MS fix.
>
> I don't generally recommend multiple forests except for DMZ, Extranet, Test/R&D, and if you have a centralized Exchange deployment I would seriously consider a separate forest for Exchange.
>
> I wouldn't be overly concerned with complete disaster failover scenarios. Definitely keep it in mind, but don't burn the midnight oil on it. The solution we came up with that has now become a popular solution is to use some virtual servers to maintain some virtual DCs for each domain. Those DCs are shut down daily and the files backed up. In the event of a disaster, you can have those DCs up and running quickly because you don't have to worry about hardware and doing AD recovery.
>
> Over the course of the 5 years now that company has been running Windows 2000, we never restored a single object. If something was deleted that shouldn't have been, tough, recreate it. If a DC's database went bad due to disk or motherboard failure the DC was deleted from AD and rebuilt from the ground up and repromoted. We ran with three EA's that were also the DA's (obviously). Delegations to other admins were minimal, user provisioning was handled by a provisioning system which did a ton to prevent issues in the directory. At the point you start giving out FC to any objects to non-DAs, you have started to lose control of the directory.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> jfprieur@gmail.com wrote:
> > Hello,
> >
> > I just got asked to provide a 'worst-case' report for our enterprise active directory.
> >
> > The architecture chosen was a single forest/multiple domain model. At that time, that is what MS was recommending for enterprises. Since then that recommendation has changed, but this is already in production and migration has started. Win2K servers are the current infrastructure servers (DCs, FSMOs, etc.) Eventually we are talking 50000+ workstations in this forest.
> >
> > For reasons that I won't get into here, there are/will be 2000+ domain controllers spread across the multiple domains, spread all over the world.
> >
> > Reading the best practices recommendations for AD recovery published by Microsoft, it lists in its recovery steps that you must switch off every DC. You can well see that this would be a significant impact, with business continuity implications.
> >
> > Now there are mitigating factors: Only 3 enterprise admins, very strenuous change control and testing for the schema (Microsoft called it one of the best implementations it has seen). MS stated that a full forest meltdown has only occurred three times, all related to poor planning and implementation.
> >
> > I guess what I am asking is, do you see anything in Windows 2003 that would mitigate this? A migration is planned but not in the near future. Is there anything (high-level) that we can do right now to reduce the (minuscule) risk even further? A cost-benefit analysis was performed on migrating to a multiple forest model, but this would cost more than the current NT-> 2000/XP migration that we are going through right now.
> >
> > I know my questions are pretty broad, just a good discussion on this subject would be very helpful.
> >
> > Thanks,
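An audit that follows from Joe's point about handing out Full Control to non-DAs, added here as an example and not code from anyone in the thread: it lists every explicit GenericAll (Full Control) grant on the domain head and on each OU to a principal other than the expected administrative ones. It assumes the RSAT ActiveDirectory PowerShell module (which postdates this 2005 thread) in a domain-joined session with read access to the directory.

```powershell
# Added audit example (not from the thread). Requires the RSAT ActiveDirectory
# module, which also provides the AD: drive that Get-Acl reads from.
Import-Module ActiveDirectory

function Get-NonAdminFullControlGrants {
    $domain  = Get-ADDomain
    $rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

    # Principals expected to hold Full Control; any other trustee is reported.
    $expectedSids = @(
        'S-1-5-32-544',                    # BUILTIN\Administrators
        'S-1-5-18',                        # NT AUTHORITY\SYSTEM
        "$($domain.DomainSID.Value)-512",  # Domain Admins (this domain)
        "$rootSid-519"                     # Enterprise Admins (forest root)
    )
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Domain head plus every OU: where delegation is normally applied.
    $targets = @($domain.DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Explicit Allow ACEs only: report where the grant was made, not where it flows by inheritance.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll is a mask; require every bit of it, not just some.
            if (($ace.ActiveDirectoryRights -band $fullControl) -ne $fullControl) { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # unresolvable (orphaned) SID: still worth a look
            }
            if ($expectedSids -contains $sid) { continue }
            [pscustomobject]@{
                Object  = $dn
                Trustee = $ace.IdentityReference.Value
                Sid     = $sid
            }
        }
    }
}

Get-NonAdminFullControlGrants | Format-Table -AutoSize
```

Run it once per domain in the forest; an empty result means no explicit Full Control has been delegated beyond the built-in admin groups at the OU or domain level.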