
Forest - Domain question

Status
Not open for further replies.

hlauwers

Technical User
Aug 20, 2003
58
BE
I'm curious if someone here is in a situation where your domain is spread over different locations/countries.

For the moment my company has 8 European locations, each with their own domain and no trusts, connected by a WAN.

We are looking into the possibility of using
A) one forest, one domain (and work with sites)
B) one forest, multiple sub-domains (with trusts)

All DC will be 2003 server.

Could someone answer these questions?

1) If you work with the multiple domain model, do you need additional DC's for the top domain ? Or is it possible to run this on DC's of a sub-domain.

2) If you work with the multiple domain model, is it easy for the user from sub-domainA to go to sub-domainB and use printers and network drives? Or do you need to use the single domain model for this task?

3) What model do you guys recommend ?

4) Is there an estimation how much act. dir. traffic will occur in both models?

I hope someone can help me,

tnx guys

Hans
 
Well, I can't speak from the multiple domain idea, but we have 4 sites, San Francisco, Brussels, Hong Kong, and London. We have DCs in each location, 2 of which are also Exchange servers because there are few people there. Our situation is One domain world wide, One Forest, and it works fine. We have different sub addressing on our internal IPs, and we plan on limiting our Brussels, HK, London, and SF OUs to particular IPs (currently all IPs can be accessed if members of domain - This has the problem that when accessing AD for Users and Domains, sometimes the GC server it uses is in, say HK, when I am in London, and it's painfully slow until I change to the local server).
Otherwise all works fantastic.

Because we only have 100 people world wide, also, and 16 servers, this means this model is ideal for us. Easy to implement.

Actually, we also now have been bought by a bigger company in Tacoma, Washington, USA. We have added a trust to their domain, and now their users can log in from any workstation in our domain, and it works fine (if a little slow, when they are visiting us in London!). Their domain is much bigger and more offices worldwide, but access is not restricted.

hth,

Will
 
Hi Will,

do you use "sites" for every location so the client knows to which DC he has to authenticate?

Is it a 2003 domain ? For the moment all our domains are 2000. I think we have to upgrade one domain to 2003, and then migrate the rest ? Is this correct ?

Do you centrally deploy DHCP (over the WAN) or is this done locally at each location?

What kind of problems have you yet encountered? (act. dir. replication, GC problems , .. )

I assume you have delegated responsibilities to the local admins (user, pc, printer and ou management). Is it also possible to delegate advanced management tasks (DNS, WINS, DHCP .. etc)? Or can this only be done by the enterprise admin?

Sorry for all the questions but it's nice to ask someone who is in the situation.

Tnx a lot

Hans
 
We have 3 locations covered by one Windows 2003 domain, with 2Mb connections between them. Each site has at least two DC's (each DC is also a GC) and one exchange server. They are configured in AD as separate sites with local DNS and DHCP servers.

-------------------------------

If it doesn't leak oil it must be empty!!
 
Hi Hans,

Actually, at the moment we don’t use sites, which is why we have the trouble with AD Users and Domains. Authentication seems to happen locally, and DHCP and DNS is installed at each location on its own GC and DC. We plan to use sites when we get some time to do so, to help this problem, but apart from that no problems at all. It’s like one big LAN!

We had to do some domain prep when we upgraded to 2003, but this isn’t a lengthy process. There are tools on the Windows 2003 CD that do this.

If you have multiple domains existing, then likely you can upgrade one at a time… not sure as we never had multiple domains.

As far as any other problems, such as replication, GC, etc., we have had none apart from the annoying problem where when opening the dsa, it connects to a DC in SF, or in HK, even though the London DC is available! Once we have sites implemented, this should go away (at least we hope!).

You can delegate the admin tasks you mentioned in our scenario, but we’ve only ever had to use Domain Admins, because we are only one domain. You might seek more info from others if Ent Admin is needed across domains. It might be that Ent Admins group is only there for aesthetics… i.e. the “proper” way to use groups is to… yadda, yadda…

Also, we only have 2 IT staff, myself and my boss, and we administer all servers world-wide from London. Only when we install a new server, or some such, do we need to travel temporarily to the other sites. Cheaper than having full-time staff at each location. We do subscribe in SF (our 2nd biggest office) to have a consultant come in one day a week, however, and so many admin tasks that need someone close to help, are done by him on that day. All the rest we do either via VNC or RDP, or I write scripts, which is fun when I get time! (My boss wants scripts for everything, but seldom gives me time to experiment to get better at using them!!) For example, I have a script which monitors every server world-wide for disk-space. If the disk gets below 5%, the script emails a Server Admin distribution group which currently contains us two, but we can add other admin as we grow. It works great!

Will
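Added example (not part of the thread and not any poster's code): a simplified Python model of how Active Directory sites steer a client to a nearby DC. The client's IP address is matched against subnet objects, the most specific subnet wins, and a client that matches no subnet is offered every DC in the domain, which is the remote-DC behaviour described above. Site names follow the offices named in the thread; the address ranges and DC names are constructed.

```python
import ipaddress

# Constructed subnet-to-site table (address ranges are invented).
SUBNETS = {
    "10.0.0.0/8": "London",        # catch-all supernet pointing at the hub site
    "10.2.0.0/16": "Brussels",
    "10.3.0.0/16": "HongKong",
    "10.4.0.0/16": "SanFrancisco",
}

# Constructed DC names per site.
DCS = {
    "London": ["LON-DC1", "LON-DC2"],
    "Brussels": ["BRU-DC1"],
    "HongKong": ["HKG-DC1"],
    "SanFrancisco": ["SFO-DC1"],
}


def site_for(ip, subnets):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def candidate_dcs(ip, subnets, dcs):
    """Return (site, DCs offered to the client).

    With a site match the client is offered that site's DCs only. With no
    match (or no subnets defined at all) it is offered every DC in the
    domain, so a London client may land on a DC in Hong Kong.
    """
    site = site_for(ip, subnets)
    local = dcs.get(site, []) if site else []
    if local:
        return site, list(local)
    return site, sorted(dc for names in dcs.values() for dc in names)


if __name__ == "__main__":
    for ip in ("10.3.5.20", "10.9.1.1", "192.168.1.5"):
        print(ip, candidate_dcs(ip, SUBNETS, DCS))
    print("no sites defined:", candidate_dcs("10.3.5.20", {}, DCS))
```

On a real DC, clients that match no subnet show up as `NO_CLIENT_SITE` entries in `%SystemRoot%\debug\netlogon.log`, which is a quick way to find address ranges that still need a subnet object.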
 
Will & Norton,

thank you for your valuable input !

If you guys should know someone who works with the multiple subdomains .. please let him visit this topic :)

Bye,

Hans
 