none
Active Directory Design

    Question

  • Hi Experts

    We have 120 operation centers spread across 12 countries. Now need to configure Active Directory solution for 120 locations.

    According to business requirement all users should be able to access all resources and must be authenticated while roaming between these 120 operation centers.  Out of 120 operation centers we have  Development and Testing in 10 locations and planing to isolate.

    Users will have common domain email solution.

    Please suggest the forest and domain design approaches for 12 countries and 120 locations.

     




    Monday, March 27, 2017 10:09 PM

All replies

  • I would recommend one forest and one domain, with 120 sites. This provides the best flexibility for users roaming between locations. The 10 development sites can be in their own Organizational Unit (or Units). Depending on the level of isolation you require, it might be necessary to place these 10 development sites in a separate domain, but that would mean just two domains at most. Where different policies are needed, create different OU's, not domains.

    Really, the only time more domains are required is when you have separate support organizations and management (not technology) demands security boundaries separating the networks. But that makes things complicated.

    Edit: Relevant link:

    https://social.technet.microsoft.com/wiki/contents/articles/463.design-considerations-for-delegation-of-administration-in-active-directory.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, March 28, 2017 1:21 AM
  • First, you need to have network communication between all sites.

    Then, for Active Directory, you could have only 1 domain and manage all sites through AD Sites & Services.  For the Dev. and Testing team, you could create a separate domain just for them and configure a Forest trust (selective Authentication).  this will give you the flexibility to allow only specific peoples to access this domain.

    The advantage of this design is because it's a lot easier to manage.  (My first choice)

    For the emails, having Dev. and testing email in another domain is not a big deal.

    Having only 1 domain (for most users) will require to have a very good OU design. You could chose to design per location or per department, it depend how you want to manage your environment (and what is the business requirements).  OU design is important because of the GPO's.

    This may help you

    https://technet.microsoft.com/en-us/library/2008.05.oudesign.aspx

    But there is a lot of things to take care before choosing the righ design, otherwise you could create headache to your IT department.


    This posting is provided AS IS without warranty of any kind

    Tuesday, March 28, 2017 1:22 AM