An additional query if I may... - What about DNS Namespace choice these days? - I've always had a personal preference to keep internal AD & public facing names unique & separate, i.e. NOT using the company's registered internet domain name as the AD forest name. Obviously this has implications for DNS configuration, but I've always felt it generally a "good thing" to maintain isolation between the public & private sides. - Any need to publish internal resource names outside of the corporate LAN can be achieved simply enough with products & technologies designed expressly for that purpose...
Anyone have any reason to violently disagree with this approach? - care to comment? TIA Paul G. From: David Lum [mailto:[email protected]] Sent: 10 November 2009 14:19 To: NT System Admin Issues Subject: RE: Active Directory design in the win2008 R2 world +1 Domains are an administration boundary, not a traffic boundary. You will have DC's and GC's all over the place but not different domains, and as you said, since 2008 allows different password policies you don't even need different domains for that. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 From: Steven M. Caesare [mailto:[email protected]] Sent: Tuesday, November 10, 2009 5:05 AM To: NT System Admin Issues Subject: RE: Active Directory design in the win2008 R2 world Agreed. 1 domain. Additional complication requires justification. Ask them to quantify the additional traffic load for the expected domain topology and provide traffic statistics demonstrating that a single domain environment would be problematic. -sc From: Pauls Hotmail [mailto:[email protected]] Sent: Tuesday, November 10, 2009 6:31 AM To: NT System Admin Issues Subject: Active Directory design in the win2008 R2 world What's the collective wisdom these days regarding the justification of deploying multiple domains as a means of limiting replication traffic? I have an instance here where every part of me wants to suggest a single forest/domain as the optimum solution, but a couple of other admins are pushing for multiple domains purely with the justification of controlling AD object replication. The AD will be a completely new implementation based on Win 2008 R2, there are about 8 countries in scope, but all have extremely good/fast MPLS WAN links between them. There are currently only about 1200 users in total, and Exchange 2010 will be going in as well. I'm proposing a single domain, with multiple AD sites, as there's no other good reason for over-complicating the design with additional domains, i.e. none of the traditional justifications for adding additional domains apply in this case.. Plus I believe at least some of the traditional justifications no longer apply in W2008 anyway do they? - things like needing domains for the purpose of applying differing password policies for example, now that we have the new granular password policy ... Can anyone point me in the direction of some best practice design guidelines that would cast some light on these questions? - it's been a few years since I was last "properly" involved in AD design, so I'm conscious that things have moved on in the AD world, and I probably need to take up-to-date information into consideration.. Many thanks. Paul Gordon ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
