They are definitely a traffic boundary if you want them to be. This requires a 
lot more planning for it to actually be the case though.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

From: David Lum [mailto:[email protected]]
Sent: Tuesday, November 10, 2009 8:19 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

+1. Domains are an administration boundary, not a traffic boundary. You will 
have DCs and GCs all over the place but not different domains, and as you 
said, since 2008 allows different password policies you don't even need 
different domains for that.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
From: Steven M. Caesare [mailto:[email protected]]
Sent: Tuesday, November 10, 2009 5:05 AM
To: NT System Admin Issues
Subject: RE: Active Directory design in the win2008 R2 world

Agreed... 1 domain.

Additional complication requires justification. Ask them to quantify the 
additional traffic load for the expected domain topology and provide traffic 
statistics demonstrating that a single domain environment would be problematic.

-sc

From: Pauls Hotmail [mailto:[email protected]]
Sent: Tuesday, November 10, 2009 6:31 AM
To: NT System Admin Issues
Subject: Active Directory design in the win2008 R2 world

What's the collective wisdom these days regarding the justification of 
deploying multiple domains as a means of limiting replication traffic? I have 
an instance here where every part of me wants to suggest a single forest/domain 
as the optimum solution, but a couple of other admins are pushing for multiple 
domains purely with the justification of controlling AD object replication. The 
AD will be a completely new implementation based on Win 2008 R2, there are 
about 8 countries in scope, but all have extremely good/fast MPLS WAN links 
between them. There are currently only about 1200 users in total, and Exchange 
2010 will be going in as well.

I'm proposing a single domain, with multiple AD sites, as there's no other 
good reason for over-complicating the design with additional domains, i.e. none 
of the traditional justifications for adding additional domains apply in this 
case. Plus I believe at least some of the traditional justifications no longer 
apply in W2008 anyway, do they? Things like needing domains for the purpose of 
applying differing password policies, for example, now that we have the new 
granular password policy...

Can anyone point me in the direction of some best practice design guidelines 
that would cast some light on these questions? It's been a few years since I 
was last "properly" involved in AD design, so I'm conscious that things have 
moved on in the AD world, and I probably need to take up-to-date information 
into consideration.

Many thanks.

Paul Gordon
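Added example, not part of the thread: the point Paul and David raise is that since Windows Server 2008 a single domain can carry several password policies through fine-grained password policy (PSOs), so separate domains are no longer needed for that. This uses the Windows Server 2008 R2 ActiveDirectory module; the PSO, group and user names are hypothetical, and it assumes a domain functional level of at least 2008.

```powershell
# Fine-grained password policy in a single domain (Windows Server 2008 R2 AD module).
# PSOs require domain functional level 2008 or higher and apply only to users and
# global security groups, not to OUs; the lowest Precedence wins when several apply.
Import-Module ActiveDirectory

# A stricter policy for a subset of users, alongside the default domain policy.
# "PSO-Finance-Strict" and "Finance-Staff" are hypothetical names.
New-ADFineGrainedPasswordPolicy -Name "PSO-Finance-Strict" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description "Stricter policy for finance staff (hypothetical example)"

# Apply it to a global security group rather than to individual users,
# so membership changes drive policy changes without editing the PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Finance-Strict" -Subjects "Finance-Staff"

# Check which policy a given user actually ends up with (jdoe is hypothetical).
# Returns the winning PSO, or nothing if only the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity jdoe
```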