domain structure

    Question

  • guys,

    The forest/tree/domain/site planning isn't something I am good at, so I would like to ask some questions:

    Let's say my tree is called mycompany.com and my main office is in London. I am opening a new branch office in New York and I need to create a child domain for that branch office called America.mycompany.com.

    What I don't find logical is that my main office is called mycompany and my branch office is called mycompany.com. What I would expect is a tree called mycompany.com and my offices are the child domains called America.mycompany.com, Europe.mycompany.com or Asia.mycompany.com. Anyone who can explain this to me?


    Also, about using sites: my branch offices are a child domain in the forest and I can divide them into sites when I am using more than one physical location (let's say the branch offices in Europe are in London, Brussels, Paris, Berlin). Am I correct?

    And what about the zones? Do I create a separate zone in the Europe tree for every branch office?

    Let's specify the example:

    I created my first DC in a new forest: DC1 in forest mycompany.com with a class C network address (192.168.50.1; the server is residing in London). I am adding a second DC for that forest but with a different class C subnet. Let's call it DC1 again, with IP 192.168.100.1. I want to keep the second DC1 in its own site (Paris). I also want to put those 2 DCs in one domain, named europe.

    Next, I want to create a domain for the North American branch offices. Let's install another DC1 with a class B address, residing in New York. I think I need to create a new tree for this one and not a child domain, am I correct?

    And how should I configure the DNS?
    • Edited by enlil Sunday, March 26, 2017 4:10 PM
    Sunday, March 26, 2017 2:00 PM

All replies

  • Hi

    You can start from here:

    Planning Forest Root Domain Controller Placement

    https://technet.microsoft.com/en-us/library/cc753902(v=ws.10).aspx

    Planning Regional Domain Controller Placement

    https://technet.microsoft.com/en-us/library/cc731569(v=ws.10).aspx

    For DNS structure:

    https://blogs.technet.microsoft.com/askds/2010/08/02/new-dns-and-ad-ds-bpas-released-or-the-most-accurate-list-of-dns-recommendations-you-will-ever-find-from-microsoft/

    https://blogs.technet.microsoft.com/askds/2010/07/17/friday-mail-sack-saturday-edition/

    On the other hand, you should configure a useful network topology first, then start to configure the forest.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Sunday, March 26, 2017 6:44 PM
  • Hi,
    The first rule of Active Directory design is keep it simple. Active Directory is very flexible. So flexible that you can design an Active Directory forest that is complex beyond imagination. With the only real restriction of one forest per namespace, you can deploy as many domains, sites, and OUs as you deem necessary. However, as a general rule, you want to keep the number of domains to a minimum whenever possible. If you need department-level divisions on your network that reflect the organization of your business, then use OUs instead. OUs are much more flexible and easier overall to manage than domains.
    In addition, if you design multiple domains in your AD environment, please make sure that each domain has at least 2 DCs working in it.
    Here are some articles regarding best practice domain structure:
    Best Practice Active Directory Design for Managing Windows Networks
    https://msdn.microsoft.com/en-us/library/bb727085.aspx
    https://windorks.wordpress.com/2014/05/15/active-directory-logical-design/
    http://armeq.wordpress.com/2010/08/27/10-tips-for-effective-active-directory-design/
    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 27, 2017 2:39 AM
    Moderator
    Many thanks for the reply. I have been reading a lot, but all the blogs didn't explain my specific questions. That's why I posted them here, hoping someone knows the answers.
    Monday, March 27, 2017 6:29 AM
  • Hi,
    Regarding DNS configuration for multiple trees in a single forest, you can use an AD-integrated zone and allow forest-wide replication, or configure a stub zone or conditional forwarder to provide DNS name resolution. You can also use a secondary zone for setting up DNS in the other domain. Each domain should point itself to its local DNS server, with an alternate DNS server in its own domain. The DNS server in the domain should be configured with a forwarder, conditional forwarder or stub zone for name resolution. An AD-integrated zone with replication scope set to forest-wide should be fine. https://technet.microsoft.com/en-us/library/cc731204(v=ws.10).aspx
    If possible, you could also post your AD design topology; it will be clearer than words and more helpful for setting up the DNS configuration.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 28, 2017 2:07 AM
    Moderator
  • Hi

    What I don't find logical is that my main office is called mycompany and my branch office is called mycompany.com. What I would expect is a tree called mycompany.com and my offices are the child domains called America.mycompany.com, Europe.mycompany.com or Asia.mycompany.com. Anyone who can explain this to me? >>>

    So you can configure a forest root, then configure child domains based on geographical locations. Advantages: fast logon time, applying separate GPOs for each location, etc.

    Also, about using sites: my branch offices are a child domain in the forest and I can divide them into sites when I am using more than one physical location (let's say the branch offices in Europe are in London, Brussels, Paris, Berlin). Am I correct? >>>

    Yes, you can configure other domain controllers as additional DCs at different locations in the same child domain. Just make sure you also configure them with AD-integrated DNS and the GC role for redundancy.

    And what about the zones? Do I create a separate zone in the Europe tree for every branch office? >>>

    Yes.

    Next, I want to create a domain for the North American branch offices. Let's install another DC1 with a class B address, residing in New York. I think I need to create a new tree for this one and not a child domain, am I correct? >>>

    You can configure the hostname DC1 on child domains. The point is that you should configure port accessibility between these different subnets.

    Active Directory and Active Directory Domain Services Port Requirements

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, March 28, 2017 7:12 AM
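    The design Burak and Wendy describe above (forest root mycompany.com in London, child domain America.mycompany.com in New York, one site per location, AD-integrated DNS with forest-wide replication), written out as an added PowerShell example that is not from any of the posters. It uses the names and subnets from the question; the DSRM password, the New York address range and the credential prompt are placeholders, and each phase runs on the server noted in the comments.

```powershell
# Added example, not from the thread. Phase 1 runs on the London server,
# phases 2 and 4 on the finished root DC, phase 3 on the New York server.

# --- Phase 1 (London server): first DC becomes the forest root mycompany.com ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$safeMode = Read-Host -AsSecureString 'DSRM password'   # placeholder, prompted
Install-ADDSForest -DomainName 'mycompany.com' -DomainNetbiosName 'MYCOMPANY' `
    -InstallDns -SafeModeAdministratorPassword $safeMode -Force

# --- Phase 2 (root DC, after reboot): sites and subnets for each location ---
# Rename the default site to London and add Paris; subnets come from the question.
Rename-ADObject -Identity (Get-ADReplicationSite 'Default-First-Site-Name') -NewName 'London'
New-ADReplicationSite -Name 'Paris'
New-ADReplicationSubnet -Name '192.168.50.0/24'  -Site 'London'
New-ADReplicationSubnet -Name '192.168.100.0/24' -Site 'Paris'
# New York gets its own site; the class B range below is a placeholder.
New-ADReplicationSite -Name 'NewYork'
New-ADReplicationSubnet -Name '172.16.0.0/16' -Site 'NewYork'

# Replicate the AD-integrated root zone forest-wide (Wendy's suggestion), so DCs
# in the child domain resolve mycompany.com without a forwarder or stub zone.
Set-DnsServerPrimaryZone -Name 'mycompany.com' -ReplicationScope 'Forest'

# --- Phase 3 (New York server): child domain America.mycompany.com ---
# A DC hosts exactly one domain, so the child domain needs its own machine.
# The DSRM password must be entered again here; it is not shared with London.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$childSafeMode = Read-Host -AsSecureString 'DSRM password for child domain'
$cred = Get-Credential 'MYCOMPANY\Administrator'        # enterprise admin prompt
Install-ADDSDomain -NewDomainName 'America' -ParentDomainName 'mycompany.com' `
    -DomainType ChildDomain -InstallDns -CreateDnsDelegation -Credential $cred `
    -SiteName 'NewYork' -SafeModeAdministratorPassword $childSafeMode -Force

# --- Phase 4 (root DC, once replication has converged): verify placement ---
# Every DC should sit in the expected site, and the delegated child zone must be
# resolvable from the root; a failure here usually means blocked ports or a
# missing delegation rather than an AD problem.
Get-ADDomainController -Filter * -Server 'mycompany.com' |
    Select-Object Name, Domain, Site
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.America.mycompany.com' -Type SRV
```

    Because the root zone replicates forest-wide and the child zone is delegated, the London and New York DNS servers resolve each other's names directly; the remaining requirement is the port reachability between subnets that the linked port-requirements article lists.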
  • Hello Burak,

    Many thanks for the info.

    So the root domain can be created on my first DC (location London), and on that first DC I can also create the child domains? Also, when creating the first DC in my child domain America.mycompany.com, do I need to install that first DC as a new domain in an existing forest? If so, should I choose the tree domain option? And last, do the DNS servers in the branch offices London and New York (both in their own tree, if I am correct) need to communicate with each other? If so, how? If not, why?

    Tuesday, March 28, 2017 4:52 PM
  • Any DC can only host one domain. If you have two domains, you need a minimum of two DCs (physical or virtual). And of course, it is recommended that every domain have at least two DCs for fault tolerance.

    The DCs in branch offices need to communicate with the DCs in other sites, in the same domain and even in the forest. The database needs to replicate updates to all DCs. Plus, the FSMO roles are only hosted on one of the DCs (some roles one DC per domain, some one per forest).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, March 28, 2017 6:05 PM
  • So the root domain can be created on my first DC (location London), and on that first DC I can also create the child domains? >>>

     When you create the root domain, you can then configure a child domain under the parent.

    America.mycompany.com, do I need to install that first DC as a new domain in an existing forest? >>>

     Ex: You will create the root domain as "mycompany.com" (London), then configure "America.mycompany.com" under the root as a child domain (NYC).

    And last, do the DNS servers in the branch offices London and New York (both in their own tree, if I am correct) need to communicate with each other? If so, how? >>>

     Yes, they need to communicate with each other (the necessary ports need to be accessible). And maybe you can configure a site-to-site VPN, etc. So you should check this with the network team.

    Site-to-site VPN: http://computer.howstuffworks.com/vpn4.htm

    Active Directory and Active Directory Domain Services Port Requirements

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx?f=255&mspperror=-2147217396

    If so, should I choose the tree domain option? >>>

    Totally depends on your needs; you can also configure two different domains (but they need different domain names, like abc.com, xyz.com), then configure a domain trust between these 2 domains to access resources.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, March 28, 2017 7:24 PM