
Single forest, one domain, multiple sub-domains 2


hlauwers (Technical User, BE), Aug 20, 2003
All DCs are 2003 Server.
Model: Single forest, one domain, multiple sub-domains

We are planning on switching to this model.
Who knows or has experience with these questions?

1) Can you deploy group policy at the domain level, or do you have to manually deploy them on all sub-domains?

2) How easy can you share files and printers between sub-domains? (in comparison to the one-domain model?)

Thank you guys!

Hans
 
Curious, why do you feel you need the sub-domains?

How many users do you have? How many sites do you have?

Have you considered using OUs instead of domains? If you have under 250 users, you will probably find that the OU model is the best thing for you. You can delegate rights at the OU level if you have people in departments that need admin rights over their users, plus your Group Policy management would be a lot simpler.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hi Mark,

There are 8 European plants, each with 100+ users.
I considered the one-domain model with delegation through OUs, but I'm afraid the Active Directory traffic will burn out our WAN connections (sometimes only 128K).

I know my questions are easy in the one-domain model. But I would like to know how easily it is done at the multiple-sub-domain level.

Hope you can help me,

thank you !

Hans

 
AD replication with Windows 2003 is minimal since only changed objects need to be replicated. Do you have a lot of user turnover in your company?

I would think you could probably still get away with the single domain model. I used to support Prudential Securities and they have 65,000 users on a single domain model with lots of sites.

You can set the times for replication between your sites.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Bearing in mind that I'm not a Microsoftie, I would imagine that you would be OK with the OU model as long as the server on each site has a GC on it and either a DNS server or an extended TTL set; then it would be OK.

Obviously with the single domain the Infrastructure FSMO is redundant anyway, and you would be better off creating sites mirroring your physical layout.

Again, I'm only speculating, but with the child domains your DNS is certainly more complex, and you will have to consider placement of the GCs more carefully, as it can't go on the Infrastructure one.
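Two of the replies above (Mark's point that you can set the times for replication between sites, and the suggestion to create sites mirroring the physical WAN layout, with a GC in each) describe a single-domain, multi-site design. The following is an added example of that design, not code from the thread. It assumes a domain controller running Windows Server 2012 or later with the ActiveDirectory PowerShell module; the site names, the 192.168.x.0/24 subnets, the link cost and the replication window are placeholders chosen for the 8-plant, 128/256K WAN scenario described in the question.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: one AD site per plant, each with a placeholder /24.
# The thread only says the plants use Class C subnets; these addresses are invented.
$hubSite = 'HQ'
$plants = @(
    @{ Site = 'BE-Plant'; Subnet = '192.168.1.0/24' },
    @{ Site = 'FR-Plant'; Subnet = '192.168.2.0/24' },
    @{ Site = 'DE-Plant'; Subnet = '192.168.3.0/24' }
    # ... one entry per remaining plant
)

if (-not (Get-ADReplicationSite -Filter "Name -eq '$hubSite'")) {
    New-ADReplicationSite -Name $hubSite
}

# Replication window: allow inter-site replication only between 20:00 and 06:00
# local time, so the slow WAN lines are free during the working day.
# RawSchedule is indexed [day 0-6, hour 0-23, 15-minute slot 0-3]; $true = allowed.
$raw = New-Object 'bool[,,]' 7, 24, 4
for ($day = 0; $day -lt 7; $day++) {
    for ($hour = 0; $hour -lt 24; $hour++) {
        $allowed = ($hour -lt 6) -or ($hour -ge 20)
        for ($slot = 0; $slot -lt 4; $slot++) { $raw[$day, $hour, $slot] = $allowed }
    }
}
$nightOnly = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$nightOnly.RawSchedule = $raw

foreach ($p in $plants) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($p.Site)'")) {
        New-ADReplicationSite -Name $p.Site
    }
    # The subnet-to-site mapping is what makes clients and DCs prefer their local site.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($p.Subnet)'")) {
        New-ADReplicationSubnet -Name $p.Subnet -Site $p.Site
    }

    # Hub-and-spoke: each plant gets its own link to HQ, so a change made in one
    # plant never has to cross two slow WAN lines to reach another plant.
    $link = "$hubSite-$($p.Site)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hubSite, $p.Site `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
    Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $nightOnly
}

# Every DC should be a global catalog so logons in a plant do not depend on the WAN.
# Bit 1 of the NTDS Settings 'options' attribute is the GC flag; this write sets only that bit.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } |
    ForEach-Object { Set-ADObject -Identity $_.NTDSSettingsObjectDN -Replace @{ options = 1 } }

# Check the resulting topology.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The frequency (180 minutes) and the night-only window are deliberately conservative for 128K lines; with Windows 2003-style change-based replication the actual volume is small, so a shorter interval is usually fine once you have measured it. Note that any password reset or account lockout is still replicated urgently to the PDC emulator regardless of the schedule, which is the behaviour you want.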
 
Mark,

we have 8 offices (100 people/office) (8 different countries)
Connected with 128 or 256k WAN lines (MCI)
All Class C subnets

1.
How easy is it to delete an "office" from the one-domain model?
Do we just have to delete the two DCs and the connected sites?

2.
In the one domain model, I know you can delegate tasks. (users, computers, printers ..)

But is it also possible to let a user create printers, or let a user install programs on a server? (maybe local admin rights?)

I hope you have experience in these matters, because my knowledge is purely theoretical.

Thank you!!

Hans
 
1. You remove the remote DCs via DCPROMO, then remove the site and then the OU for that office (if that's how you organised your AD).

2. Yes you can give out specific rights to specific users on specific servers etc.

As others have advised, I'd go for the single domain model if possible. Group policy applies per domain; one of the main reasons to create child domains would be if you wanted different domain-level group policies (such as password rules). You haven't mentioned security; bear in mind a domain is not a security boundary, only a forest is. If you don't trust admins at remote sites then you really need multiple forests. A domain admin in a child domain can gain enterprise admin rights (i.e. forest-wide domain admin) in about 5 seconds through a simple elevation of privilege hack.
 
Just to add one thing to NickFerrar's comment. One of the great things about OUs is that you can delegate rights to them without having to make someone an Admin. So in the case where you don't trust (or don't want to trust) someone who really doesn't need to be a domain admin but instead just needs to be able to make users and add workstations, you are best served with the OU model.

When delegating use the CUSTOM menu choice and you can get very granular on what you allow people to do.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
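The delegation Mark describes (the Delegation of Control wizard's Custom option, granting a plant's helpdesk rights over its own OU without making anyone a domain admin) can also be done from the command line, which makes it repeatable across the 8 plants and easy to audit. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module and dsacls.exe (built into Windows Server 2008 and later, and in the Windows Server 2003 Support Tools). The plant, OU and group names are placeholders.

```powershell
Import-Module ActiveDirectory

# Placeholder names; adjust to your plant naming scheme.
$plant   = 'BE-Plant'
$domain  = Get-ADDomain
$ouDN    = "OU=$plant,$($domain.DistinguishedName)"
$group   = "$plant-Helpdesk"
$trustee = "$($domain.NetBIOSName)\$group"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$plant'" `
            -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $plant -Path $domain.DistinguishedName
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDN
}

# dsacls permission codes used below: CC/DC = create/delete child objects of the
# named class; GA = generic all (full control) on objects of the named class.
# /I:T applies to this OU and everything below it; /I:S applies to sub-objects only.
# ${trustee} is braced because a bare $trustee: would be parsed as a scope qualifier.

# Create and delete user and computer objects inside this OU (and its sub-OUs).
dsacls $ouDN /I:T /G "${trustee}:CCDC;user"
dsacls $ouDN /I:T /G "${trustee}:CCDC;computer"

# Full control over existing user and computer objects under the OU
# (rename, reset password, edit attributes), and nothing outside it.
dsacls $ouDN /I:S /G "${trustee}:GA;;user"
dsacls $ouDN /I:S /G "${trustee}:GA;;computer"

# Show what was granted on the OU.
dsacls $ouDN | Select-String $group

# The delegation only buys you something if the group is not also in a
# built-in admin group; warn if someone has taken the shortcut.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$memberOf = (Get-ADPrincipalGroupMembership -Identity $group).Name
$adminGroups | Where-Object { $memberOf -contains $_ } |
    ForEach-Object { Write-Warning "$group is a member of $_; the OU delegation is pointless" }
```

Because the rights are granted on the plant's OU only, the helpdesk group can do nothing to accounts in the other plants' OUs, to the Domain Controllers OU, or to the built-in groups, which is the least-privilege split that the single-domain model gives you for free. Printer creation and installing software on a plant's servers (the second question above) are local rights on those servers, not AD rights, and are handled by putting the same group into the relevant local groups on those machines rather than by anything in this script.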
 