Re: domain architecture

Comments inline.

<param@xxxxxxxxxxxxxxxx> wrote in message
news:Oq6q2gAKGHA.216@xxxxxxxxxxxxxxxxxxxxxxx
Al, I appreciate your response. A few points:-

BUSINESS GOALS:-

1. Improve performance of network and internet related activities (We are
currently running SBS 2003) and it appears that the 1 server is becoming
the bottleneck since ISA runs on it as well.
There are ways to find out for sure if that's necessary, but I'm inclined to
believe you. Be careful as you provision new devices that you take into
account the purpose and capacity. Many db applications are disk dependent
so it pays to pay attention to the hardware.

2. Improve reliability and availability of our Exchange server - it
currently is on the 1 SBS box at our office. If the environment goes down,
our entire email goes down.
Nothing we've talked about so far addresses this. Can I assume you have a
way to address this? If not, consider what your requirements are
specifically around this goal so you can justify the solution. What I mean
by that is that you may find that email is important enough to warrant
multiple instances on multiple servers with additional firewalls etc. It
could be that you can afford to be without mail for x number of hours and
just need a cluster and can withstand the loss of a site. Or maybe even
locate it in your datacenter where you have your biggest investment.

3. We are adding a 2nd office building about 15-20 miles away. How would I
connect and bring that office building into the same network/domain etc.
Add the network and have at it, at its simplest. Depending on how many user
workstations will be used concurrently there, or if requirements warrant
usage without WAN connectivity, you may want to put a DC/GC in that building
with name resolution included (usage of Active Directory DNS is
recommended). If you go with the single domain architecture it would be as
easy as installing the physical components and then installing Active
Directory on a domain controller in that site. However, if there are no
server-based resources in that physical location, it might make more sense
to put the DC/GC in a central site (central in terms of where the network
connection terminates if this is point to point).

4. The pace we are headed, we will soon outgrow the SBS 75 user limit.
Need to plan a migration now.

Fully agree.

5. We have a data center hosting our production websites/systems and
databases. We have a point to point WAN running to them. How can we
leverage that?
Let me turn that question: What would you like to be able to do? AD is an
authentication and NOS system. Does the same implementation that you use for
internal usage need to do anything with your websites? Or would it make
more sense to leave them totally separate? This website hosting is your
moneymaker is it not? A best practice from a security perspective would be
to leave them separate, if that helps.

6. The single domain forest that exists in the data center network is
just more for uniformity and ease of administration of the server farm.
Does it make sense to architect a solution where we have 1 forest with
multiple domains OR 1 forest with 1 domain company wide across all 3
locations (corporate, new building & data center)? It would provide
easier administration as well: single user database maintenance etc.

It does. It's a best practice to use a single forest/single domain
architecture where possible. This allows for the simplest least admin
intensive architecture. Tends to be more stable as well.

Does that help? If you need more information or suggestions, feel free to
drop a note offline. You'll just need to clean up the mail address tied to
this message.

Al

I hope that provides some clarity.

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:eBEoKHhJGHA.2628@xxxxxxxxxxxxxxxxxxxxxxx
What are your goals when done? This sounds like what you've determined,
but there's no perspective of the goals.

That said, I'll do something I normally wouldn't when paid for the
advice:

1. Is this the optimal way to set it up? - Not enough information to
answer that question. Sorry, but you'll have to provide the goals which
make all the difference between good designs and bad designs if there is
such a thing.

2. If we lose the server at our corporate office will the other networks
still be able to authenticate and carry on normal operations?
-The answer to that is "it depends". It depends on what you mean that it
will be a sub-domain. Is it going to be a sub-domain as in DNS sub
domain? Or as a child of the forest? If child of the forest, are you
planning on reinstalling then?


3. What about security? The stuff at our data center hosts mission
critical databases etc. Is there any down side from a security
perspective OR can I lock it down so that only specific users can access
that domain?
-It depends gets a lot of work here. :) However, "it depends" on the
answers to those above. I will say this though, a domain is not a
security boundary when it comes to Active Directory design. The forest
is considered the security boundary. However, without knowledge of your
goals, business objectives and policies, it's really hard to tell if this
is something you should do or not. I've seen it done both ways with
"success" as defined by that company. I just can't tell if this is
something that would be a success for you or not.

It might be that you just want separate forests for each site. The
tradeoff is that you would then have higher administration effort to
expend. On the other hand, if you have it all in the same forest, it
might provide the level of security that you need and the ease of
management you want. It might also be that you only want one domain
company wide.

In any case, if you deploy a domain controller and name resolution to
each LAN connected site (and it's the domain needed for auth by the
clients that need it) then you should be able to authenticate and find
resources while the WAN is unavailable. There are a few processes that
won't be available until the FSMOs come back if you go with the single
domain model or the root/child model. If all self-contained forests then
it's as isolated as your company is from mine today.

Does that help?


<param@xxxxxxxxxxxxxxxx> wrote in message
news:OQmMbWeJGHA.916@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

Today we have 2 separate networks each having their own domains:
1) mycompany.local (mycompany)
2) datacenter.mycompany.local (mycompanydatacenter)

We are in the process of getting a WAN point to point between the 2
locations and are considering implementing a forest/tree structure as
outlined below:-

1. We are planning on setting up mycompany.local at our corporate office
which would be the root of the forest.
2. The domain at the data center would be datacenter.mycompany.local,
but this time be a sub-domain of the forest.
3. We are adding a 3rd location and call it operations.lazardgroup.local

A few questions:-

1. Is this the optimal way to set it up?
2. If we lose the server at our corporate office will the other networks
still be able to authenticate and carry on normal operations?
3. What about security? The stuff at our data center hosts mission
critical databases etc. Is there any down side from a security
perspective OR can I lock it down so that only specific users can access
that domain?

TIA!
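One way to check the per-site coverage Al describes above (a local DC, a global catalog and name resolution in each LAN-connected site, and which FSMO roles a site would lose while the WAN is down), as an added example that is not from the thread. It assumes the ActiveDirectory RSAT module, the DnsClient module and read access to the forest, run from a domain-joined admin workstation.

```powershell
# Added example, not code from the thread. Reports, per AD site, whether the
# site can still authenticate and resolve names on its own, and which FSMO
# role holders it would lose if its WAN link dropped.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Collect DCs from every domain in the forest (one query per domain).
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}

# FSMO roles live on exactly one DC each, so only one site keeps each role
# reachable during a WAN outage; everything else waits for the link.
$roles = @{
    'SchemaMaster'       = $forest.SchemaMaster
    'DomainNamingMaster' = $forest.DomainNamingMaster
}
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $roles["$d PDCEmulator"]          = $dom.PDCEmulator
    $roles["$d RIDMaster"]            = $dom.RIDMaster
    $roles["$d InfrastructureMaster"] = $dom.InfrastructureMaster
}

foreach ($site in $forest.Sites) {
    $local = @($dcs | Where-Object { $_.Site -eq $site })
    $gcs   = @($local | Where-Object { $_.IsGlobalCatalog })

    # Does at least one local DC answer DNS for its own domain? A site whose
    # DCs do not host AD-integrated DNS still depends on the WAN for lookups.
    $dnsOk = @($local | Where-Object {
        try {
            Resolve-DnsName -Name $_.Domain -Server $_.HostName -Type A -ErrorAction Stop | Out-Null
            $true
        } catch { $false }
    })

    # Which FSMO roles are hosted on a DC inside this site?
    $held = $roles.GetEnumerator() |
        Where-Object { $local.HostName -contains $_.Value } |
        ForEach-Object { $_.Key }

    [pscustomobject]@{
        Site        = $site
        DCs         = $local.Count
        GCs         = $gcs.Count
        LocalDNS    = ($dnsOk.Count -gt 0)
        SurvivesWAN = ($local.Count -gt 0 -and $gcs.Count -gt 0 -and $dnsOk.Count -gt 0)
        FSMORoles   = ($held -join ', ')
    }
}
```

A site reporting SurvivesWAN = False is the case the reply warns about: its clients authenticate across the WAN today and stop working when the link does.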