Re: AD domain structure - a bit concerned now!



You have had some good replies already.
One option to consider is:
- Root
- EUR, USA, APAC
- Each country in OU of continent by default, or in separate child domain if
justified. You can use OUs for countries with less skilled IT resource, and
child domains for more independent countries.
A lot of it comes down to politics. If you have a hierarchical structure
covering these territories, you can impose an efficient shared domain. If
you have a collegiate, cooperative style you can work with a shared domain.
If you have mistrustful uncooperative management across territories you are
safer to adopt separate child domains. Only if you have radically different
technical demands do you need separate country child domains. My opinion
only, of course.
Anthony
www.airdesk.co.uk




"Matthew M (UK)" <mattee76@xxxxxxxxxxxxxxxx> wrote in message
news:032040C1-4BB1-44B4-BB5D-228894437EE0@xxxxxxxxxxxxxxxx
Hi,

I'm really just looking at getting an idea of what other people may have
done when in our situation? Your ideas would be appreciated.

We currently have the following new Windows 2003 domain structure (root
with sub domains for each country), we also have another forest where the
bulk of our UK users (1500 users) exist, the new forest has about 250
users (expanding quickly). We will be moving all the resources from the
current forest to a subdomain in the new forest this year sometime.

ALL the information below relates to the new forest.

New forest looks like:

domain.local (root domain)
eucountry1.domain.local (EU Country 1 - currently 0 users, going to
1500)
eucountry2.domain.local (EU Country 2 - currently 50 users, going to
150)
eucountry3.domain.local (EU Country 3 - not deployed yet, start with 20
users, going to 250)
apaccountry1.domain.local (APAC country 1 - currently 200 users - staying
static)
qa.domain.local (Domain for QA environment)

The original idea was to have a subdomain for each country, the original
reasons for this being:

1. Isolate replication - most of these sites have pretty limited bandwidth

2. Localised administration of domains - I know that we could do this via
OUs, but we have far reaching sites with local admins, who by their nature
want domain admin access. We have some level of trust between the admins,
so are not overly concerned with any elevation of privileges or them doing
things outside of their own domain.

3. Individual account policies - to be honest this was possibly the main
reason for multiple domains, and was a prereq put down by our security
department. Hmm, how things change, now this is not a major concern, and
we can have similar account policies across the board.

My concern now is that it may have been over designed, with hindsight, I
would have preferred to have a single subdomain for each continent, then
we could have OUs for countries, etc etc.

The problem we have now is how do we move forward? I would like to rename
our local new subdomain and then move the other EU domain resources into
this.

We have the following already placed into the new forest....

eucountry1.domain.local (EU Country 1 - currently 0 users, going to
1500)
- Localised admins (this would be our team)
- Exchange 2003 installed - being used for IIFP and InterOrg replication.

eucountry2.domain.local (EU Country 2 - currently 50 users, going to
150)
- No local admins, delegated access to desktop guys
- No Exchange, they are using the other forest Exchange resources.
- Users and computer accounts have been created migrated.

eucountry3.domain.local (EU Country 3 - not deployed yet, start with 20
users, going to 250)
- Localised admins, full local management of all resources
- As mentioned this has not been created, but I am in two minds whether we
continue with the agreed upon design, or change the design midway.

apaccountry1.domain.local (APAC country 1 - currently 200 users -
expecting rapid growth)
- Localised admins
- Local Exchange/file etc etc - full local management

qa.domain.local (Domain for QA environment)

Thanks
Matthew

