Child Domain

  • Question

  • Hello I need your help.
    I am new to DNS and Active Directory. I am currently working in a retail company. This company has 50 or more stores in different locations, and their current setup is that every store has its own DNS and Active Directory. But the owner wants to change that because of license issues. We have 4 areas here and every area has 8-10 stores or sites. My plan is to have a child domain per area; for example, my main domain is example.local, then I will create child domains like area1.example.local, area2.example.local.

    Is this a good setup for our situation? And what are the advantages of having a child domain? Thank you so much ^_^

    Friday, August 19, 2016 7:20 AM

Answers

  • Hi Jared,

    That really depends on the following:

    • Requirements - why have they deployed 50 domains?
    • Size of the domain partition.
    • Functional level of the domain and forest (which OS runs on the domain controllers).
    • Network connection and topology; also ask yourself how reliable your connections are.
    • What kind of clients, servers and applications do you have?

    Example 1:

    • Reliable network connections in a hub & spoke topology with site-to-site VPN
    • No applications and servers in each store (central servers and applications)
    • ~20 client computers running at least Windows Vista
    • Unless you are not running Server 2003, I'd go for a single-forest / single-domain with a central DC deployment and AD DS-integrated DNS.

    Example 2:

    • Unreliable network connections and no persistent connection to HQ, with very, very small bandwidth.
    • Servers and applications are located in the branches and at the HQ site
    • ~100 and more clients in each branch
    • If there is no connection to HQ and the other stores, all local services must be available.
    • In this scenario it might be a good idea to have a DC in each (or at least in some) branch locations and perhaps a child domain for each branch. On the other hand, you would not really save license costs.

    Both examples are very "extreme" from a design perspective.

    Advantages of having a child domain nowadays (Server 2008 and above) are:

    • Less replication traffic between the domains, as only the relevant zones are replicated across the whole forest, not the domain zone, which holds the majority of all data. This also applies to SYSVOL replication.
    • If you have delegation requirements at the level of the Domain Administrators that require service isolation, you can achieve this with such a design.

    However, this is just a broad and quick overview of what came to my mind, as I don't know the details concerning your company's requirements.

    Here is some information concerning your questions:

    https://msdn.microsoft.com/en-us/library/bb727032.aspx?f=255&MSPPError=-2147217396

    https://msdn.microsoft.com/en-us/library/bb727085.aspx

    If you have any questions, please provide more Information.


    best regards

    Switch

    MCITP Enterprise Administrator
    MCSA Windows Server 2012
    MCTS Windows 7 Configuration

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.


    • Edited by Switch1210 Friday, August 19, 2016 7:53 AM
    • Proposed as answer by Burak Uğur Friday, August 19, 2016 8:14 AM
    • Marked as answer by Leo HanModerator Thursday, September 8, 2016 5:29 AM
    Friday, August 19, 2016 7:52 AM
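The checklist in the answer above (number of domains, functional levels, DC operating systems, replication topology, partition size) can be pulled straight out of the forest before anyone decides between one domain and child domains. The script below is an added example, not code from the thread or from Microsoft's linked guidance; it uses only cmdlets from the ActiveDirectory module that ships with RSAT / Windows Server 2012 and later. The forest root name example.local comes from the question; site, site-link and DC names are whatever your forest actually contains. One caveat worth checking while you are at it: a child domain is an administrative boundary, not a security boundary (the forest is), so the root domain's Enterprise Admins and the root Domain Admins retain control over every child, which is why the last step lists them.

```powershell
# Added example (not from the thread): gather the inputs listed in the answer
# above before choosing between a single domain and per-area child domains.
# Run on a domain-joined machine with the ActiveDirectory module, as a user
# permitted to read the directory. Assumed root domain: example.local.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. How many domains exist today, and at what functional level?
"Forest root: $($forest.RootDomain)   Forest mode: $($forest.ForestMode)"
"Domains in forest ($($forest.Domains.Count)):"
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    "  {0,-30} mode={1,-20} writable DCs={2} RODCs={3}" -f $d.DNSRoot, $d.DomainMode,
        $d.ReplicaDirectoryServers.Count, $d.ReadOnlyReplicaDirectoryServers.Count
}

# 2. Which OS runs on the DCs? This caps the functional level you can raise to
#    and tells you whether any Server 2003 box is still in the picture.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# 3. Replication topology: sites and the cost/interval of every site link.
#    A link still at cost 100 / 180 minutes has never been tuned for the slow
#    store links the question describes.
Get-ADReplicationSite -Filter * | Select-Object Name | Format-Table -AutoSize
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# 4. Size of the domain partition (object counts are a usable proxy).
"Users:     $(@(Get-ADUser     -Filter *).Count)"
"Computers: $(@(Get-ADComputer -Filter *).Count)"
"Groups:    $(@(Get-ADGroup    -Filter *).Count)"

# 5. Who holds forest-wide power today? Enterprise Admins lives only in the
#    root domain, so query a root-domain DC explicitly. With child domains
#    these accounts still control every child domain.
"Enterprise Admins (recursive):"
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize
```

If step 1 already shows a single domain with the stores' old DCs gone (as the question's follow-up describes), the replication-traffic argument for child domains largely disappears, and step 3 becomes the place to spend effort: one AD site per store, with site links whose interval matches what a 128 kbps link can carry.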
  • Hello,

    Here is a good guide for you that can provide detailed information on your question: https://msdn.microsoft.com/en-us/library/bb727085.aspx

    In short, having separate child domains gives you the following benefits:

    • Reduces replication traffic between locations that belong to different domains
    • Allows security isolation in terms of having separate domain administration teams

    It is up to you to evaluate whether these benefits are worth it (maybe if you have a single global IT team managing all the domains and good WAN connections in all sites, you should use the single child domain approach instead of multiple ones).

    By the way, I assume that if you plan to have child domains you have already planned where your forest root domain will be placed and how it will be managed (the example.local one).

    Regards


    • Edited by Avendil Friday, August 19, 2016 8:00 AM
    • Proposed as answer by Burak Uğur Friday, August 19, 2016 8:14 AM
    • Marked as answer by Leo HanModerator Thursday, September 8, 2016 5:29 AM
    Friday, August 19, 2016 7:59 AM

All replies

  • Before I came to this company, that was the setup because they were using a cracked Windows Server, and the purpose of this server was just DNS and Active Directory and file server. But now that the Microsoft license issues came up, they have removed the server in every store, so they don't have a domain now. That's why I am planning to create a child domain. And most of the stores are just using a small bandwidth.
    Friday, August 19, 2016 8:54 AM
  • If the branches are connected by a network link, you could deploy the single-forest/single-domain approach. But as said: it depends on your applications and availability requirements. Nobody can help you without knowing your business requirements.

    Speaking from the licensing side:

    It's IMHO not the Windows Server that is the big cost factor. It's the user CALs and the Windows OS license for client computers. In your case they should at least be Professional editions.

    Furthermore, from what I tend to interpret in your situation, you should clearly focus on getting your license situation compliant!!!

    • Check licenses for your client computers
    • Check user CALs (or even device CALs in your scenario)
    • Check Office licenses
    • Check server OS licenses and requirements.
    • Furthermore, think about an ELA with SA, which enables you to upgrade to newer product versions. It takes approx. 5 years to reach the capex for this, but with the innovation cycles today, this is nearly a must.

    I hope that helps.


    best regards
    Switch

    Friday, August 19, 2016 1:33 PM
  • Hello ^_^

    I'm also considering having a single forest only, then creating an OU for every store. My concern is that the smallest bandwidth of a store is 128 kbps and it only has 2-3 computers. Is it advisable, or will this setup encounter a problem? Thanks

    Saturday, August 20, 2016 7:58 AM
  • Hi Jared,

    An OU for each store sounds completely right.

    I would create a top-level OU for all branches. In this OU I would create an OU for each branch, containing an OU for Users and one for Computers. That way you are able to control settings by GPO for all OUs, on a per-branch basis and on a functional basis (Users / Computers). If all branches have the same configuration applied, you could create one OU for all users and one for all computers.

    An OU enables you:

    • to achieve delegated administration / administrative autonomy
    • to control GPO application
    • data autonomy

    From perspective of ADDS please also consider the following items: Group Policy and Network Bandwidth

    Also keep in mind that your client design should be adapted for sites with low bandwidth; this includes but is not limited to:

    • Roaming User Profiles
    • Central Shares and Applications
    • Software Installation
    • Security Updates
    • Group Policy Processing

    For Authentication and Authorization this should be no issue.


    best regards
    Switch



    • Edited by Switch1210 Sunday, August 21, 2016 9:07 AM
    Sunday, August 21, 2016 9:06 AM
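The OU layout described in the answer above (a top-level branches OU, one OU per store, Users and Computers beneath it) is where the "delegated administration" bullet is realised: rights are granted on the store OU, so store staff never need a domain-level admin account. The script below is an added example and not code from the thread; it uses the ActiveDirectory and GroupPolicy modules only. The domain example.local comes from the question; the OU name Branches, the store list, the HD-<store> helpdesk group naming and the Branch-Wallpaper GPO name are assumptions made for this example. The two GUIDs are the well-known schema identifiers for the "Reset Password" control access right and the user object class, which are the same in every forest.

```powershell
# Added example (not from the thread): build Branches -> <store> -> Users /
# Computers, delegate password resets in each store's Users OU to a per-store
# helpdesk group, and link one GPO at the top-level OU so it applies to all
# stores. Run as a user with rights to create OUs/groups in the domain.
# Assumptions: domain example.local; store names and group/GPO names are
# made up for this example. Point every call at one DC when running for real
# (e.g. -Server on the AD cmdlets) so fresh objects are found without
# waiting for replication.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName              # e.g. DC=example,DC=local
$stores   = 'Area1-Store01', 'Area1-Store02', 'Area2-Store01'   # constructed list

# Well-known schema GUIDs, identical in every AD forest.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function New-OuIfMissing {
    # Create an OU only if it does not exist; return its DN either way.
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch {
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

function Grant-ResetPassword {
    # Allow $GroupName to reset passwords on user objects under $OuDn only:
    # one extended right, scoped to descendant user objects, nothing else.
    param([string]$OuDn, [string]$GroupName)
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$branchesDn = New-OuIfMissing -Name 'Branches' -Path $domainDn

foreach ($store in $stores) {
    $storeDn = New-OuIfMissing -Name $store       -Path $branchesDn
    $usersDn = New-OuIfMissing -Name 'Users'      -Path $storeDn
    $null    = New-OuIfMissing -Name 'Computers'  -Path $storeDn

    # One helpdesk group per store, kept inside that store's own OU.
    $group = "HD-$store"
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -Path $storeDn
    }
    Grant-ResetPassword -OuDn $usersDn -GroupName $group
}

# A single GPO linked once at the Branches OU reaches every store below it;
# the question's wallpaper policy is the kind of setting that belongs here.
if (-not (Get-GPO -Name 'Branch-Wallpaper' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'Branch-Wallpaper' | Out-Null
}
New-GPLink -Name 'Branch-Wallpaper' -Target $branchesDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# Verify the delegation on the last store processed: only the explicit
# (non-inherited) extended-right ACE we added should show up.
(Get-Acl -Path "AD:\$usersDn").Access |
    Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -eq 'ExtendedRight' } |
    Select-Object IdentityReference, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Delegating at the OU instead of handing out Domain Admins is what the "administrative autonomy" bullet buys you; it does not isolate a store from the domain's own administrators, which is the distinction the earlier answers draw between autonomy (OU or child domain) and isolation (a separate forest). Re-run the verification block after any change to an OU ACL; an ACE on the Users OU that is not scoped to the user object class grants the right on every descendant object, including computers and groups.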
  • Hi Switch 1210,

    By the way, the only purpose of this is just login authentication and some Group Policy. We don't do any software installation via Active Directory. Every store has its own file server, and inside this file server are the installers for their applications. So even the smallest bandwidth, with only 128 kbps, has no issue with authentication? For example, if I create an OU in the main domain, will they get their domain account from the main server?

    Thanks

    Monday, August 22, 2016 3:17 AM
  • Hi,

    128 kbps will do fine in terms of authentication. However, if you have a large number of GPOs (not necessarily installing software with them) and/or some complex login scripts assigned through Active Directory, you may experience some issues.

    /Bulat

    Monday, August 22, 2016 7:39 AM
  • Hi Jared,

    Please keep in mind that if the WAN link breaks, client computers are unable to connect to the file server on site.


    best regards

    Switch



    • Edited by Switch1210 Monday, August 22, 2016 8:29 AM
    Monday, August 22, 2016 8:28 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Tuesday, August 23, 2016 8:17 AM
  • Hi

    For now we're not doing software installation via AD. And for now we have one policy in AD, and that is just a wallpaper. So 128 kbps is not an issue when it comes to authentication only?

    thanks

    Friday, August 26, 2016 6:47 AM
  • Hi,

    >> My concern is that the smallest bandwidth of a store is 128 kbps and it only has 2-3 computers. And for now we have one policy in AD and that is just a wallpaper.

    In your case, that is enough.

    ________________________________________
    Best Regards,
    Cartman

    Tuesday, August 30, 2016 2:48 AM
  • 1. How do you connect the stores to the main office? - Via VPN
    2. Do you have servers in the stores, or will they talk directly to the central servers? - They have their own server in every store; the only purpose of AD is authentication.
    3. Total number of stores and total number of users? - More than 50 stores, and every store has 2-3 users. So for all stores and the main store it is around 700 users.


    Thanks

    This was asked by someone in another forum, and that is also my answer.

    So is "single domain/forest" good for our environment, or in our case?

    Thanks

    Thursday, September 1, 2016 2:11 AM
  • Hi,

    >> So is "single domain/forest" good for our environment, or in our case?

    This is really an AD DS question. I suggest you post on the AD DS forum, where there are more professional experts who could provide further assistance:

    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?forum=winserverDS

    ________________________________________
    Best Regards,
    Cartman

    Friday, September 2, 2016 3:28 AM