Networking Forums

New Corporate Domain

Paul
      02-08-2006, 07:51 AM
I'm in the unique position of being able to rebuild an entire corporate
network from scratch. We have 5 existing branch offices and one head office,
all totally separate and built on various technologies, with an extra 5
offices opening within the year. I am planning a sub-domain scenario (each
branch office & HQ will be a sub domain of the corporate domain) using purely
win 2K3 servers and Microsoft Technologies and was wondering what the ideal
domain controller numbers would be.

I was planning a corporate level network for scalability as follows:

corp.company.com acting as the first tier of an active directory forest.

I'll be treating the head office and branch offices as branch offices.

branch1.company.com, branch2.company.com etc. etc.

Head office will be located in the same building as the corp domain but will
be treated as a branch office. Each office is independent of one another but
will share an exchange organisation and Internet Connection.

Now my question.

Where should the two domain controllers for each branch be located? 1 at the
Corp level and 1 at the Branch level, or 2 at the branch level, or should I even
need two domain controllers for each sub domain? Will 1 suffice if
availability is not critical?

Apologies if the answer is simple. I'm not certain how stable win 2K3 server
is.

Kind Regards

Paul Devine

Miha Pihler [MVP]
      02-08-2006, 08:32 AM
Hi Paul,

What is the main reason that you decided to go with sub-domains? What do you
expect to be different in multiple domains compared to a single domain?

From a security standpoint my question is, can these domain controllers in
branch offices be physically secured (e.g. in a room where no one else has
access)?

Regarding one domain controller per branch office: if that one domain
controller goes down, users will not be able to work with network resources
that need authentication (e.g. access file server, print documents) until you
fix this problem (e.g. by doing a restore of the failed domain controller or by
setting up a new sub-domain and joining all these computers to this new domain,
and you would have to also change all permissions on shares, file and print
servers, ...).

--
Mike
Microsoft MVP - Windows Security

"Paul" <(E-Mail Removed)> wrote in message
news:71C9355A-95C4-4142-973D-(E-Mail Removed)...
> I'm in the unique position of being able to rebuild an entire corporate
> network from scratch. We have 5 existing branch offices and one head office,
> all totally separate and built on various technologies with an extra 5
> offices opening within the year. I am planning a sub-domain scenario (each
> branch office & HQ will be a sub domain of the corporate domain) using purely
> win 2K3 servers and Microsoft Technologies and was wondering what the ideal
> domain controller numbers would be.
>
> I was planning a corporate level network for scalability as follows
>
> corp.company.com acting as the first tier of an active directory forest.
>
> I'll be treating the head office and branch offices as branch offices.
>
> branch1.company.com, branch2.company.com etc. etc.
>
> Head office will be located in the same building as the corp domain but will
> be treated as a branch office. Each office is independent of one another but
> will share an exchange organisation and Internet Connection.
>
> Now my question.
>
> Where should the two domain controllers for each branch be located? 1 at the
> Corp level 1 at the Branch level or 2 at the branch level or should I even
> need two domain controllers for each sub domain? Will 1 suffice if
> availability is not critical?
>
> Apologies if the answer is simple. I'm not certain how stable win 2K3 server
> is.
>
> Kind Regards
>
> Paul Devine

Phillip Windell
      02-08-2006, 02:24 PM
"Paul" <(E-Mail Removed)> wrote in message
news:71C9355A-95C4-4142-973D-(E-Mail Removed)...
> I'll be treating the head office and branch offices as branch offices.
> branch1.company.com, branch2.company.com etc. etc.

Ok.
Investigate the use of the AD "Sites" object.

> Head office will be located in the same building as the corp domain but will
> be treated as a branch office. Each office is independent of one another but
> will share an exchange organisation and Internet Connection.


A centralized Internet connection might be a disaster because you are
combining the bandwidth of all the sites into one central link, which will
slow to a crawl unless you have tons of money to throw at some massive-sized
lines going out of the HQ.

If the Sites are connected using VPN, then they already have their own
Internet connection anyway,...just let them each use their own.

> Where should the two domain controllers for each branch be located? 1 at the
> Corp level 1 at the Branch level or 2 at the branch level

Yes. 2 DCs at every physical location. They need to continue to function
even if they lose one DC or if the WAN link to HQ goes down.

> Apologies if the answer is simple. I'm not certain how stable win 2K3 server
> is.


How stable do you think a bunch of MS Product users in an MS hosted news
group who have devoted their careers to MS Product think that Win 2k3 Server
is going to be? Heck, I've got a few NT4 Servers that haven't been rebooted
in over 2 years. My newer 2000 & 2003 servers haven't been rebooted in
years apart from installing updates that required a restart.

The stability of your server is related to the quality of what you load on
it. It is almost always the non-MS products that cause most of the problems
and "reboots". If all it has on it is Windows by itself, it would almost
never be rebooted apart from normal maintenance and update tasks that may
require rebooting.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Paul
      02-08-2006, 09:36 PM
Thank you for the information.

I didn't mean to sound condescending regarding Windows Server in my post, if
that is how it came across. I'm happy that you agree Windows Server is
stable. I wanted a network that was very easy to manage and stable, which is
why I'm looking at MS Products. Regarding the channelling of all the internet
connections through HQ: the idea was that Internet traffic could be monitored
and managed from a central location and a centralised system like ISA Server.
We have limited IT resources, and private WAN links to HQ seem to me a very
secure method. I will consider each office having their own internet links
and connecting to HQ through VPN though. Thanks for the suggestion.

From reading MS's BOIS documentation and the other branch office solutions
on MS's site I got the impression that they recommend a sub-domain (multiple
AD sites) setup instead of a single domain setup for multiple offices due to
less load on the WAN links. If I were to set up separate AD sites in a single
domain environment, would replication traffic be an issue? The HQ domain
controllers and some of the branch offices are very secure. In some of the
smaller offices the DCs wouldn't be as secure, and I can see this would be a
problem, but I do require at least a Controller for them to authenticate with
in case of a WAN or VPN link failure, depending on what we go with.

Phillip Windell
      02-09-2006, 11:16 PM
"Paul" <(E-Mail Removed)> wrote in message
news:24E9D3DA-CB05-424C-A018-(E-Mail Removed)...
> Thank you for the information.
>
> I didn't mean to sound condescending regarding windows server in my post if
> that is how it came across.

No problem.

> From reading MS's BOIS documentation and the other branch office solutions
> on MS's site I got the impression that they recommend a sub-domain (multiple
> AD sites) setup instead of a single domain setup for multiple offices due to
> less load on the WAN links.


That is not entirely true. Multiple AD Sites and Multiple Sub-domains are
two different things. You can have many sub-domains and only one Site,...by
the same token you can have one Domain and many Sites. I'm not preaching
against Multiple Sub-domains, if you want them, fine, no problem,...but I
just don't want you to think you need them just because of the slow WAN
links.

A Site is defined by a physical location separated by a slow WAN link. The
purpose of the Site is to manage replication over a slow WAN link. A single
domain will work just fine over WAN links as long as there is a DC (or 2)
at each Site.

The purpose of the sub-domain (IMO) is often political. It gives the local IT
Staff at the individual Site more control over what happens in their own
"world" than it does if there is just one single large Domain. If there is
no IT Staff at each location, then you may be better off (IMO) with just a
single domain with DCs distributed at each site. The sub-domains still have
to replicate with the primary domain regardless, so you still have
replication traffic over the WAN in any case, whether single domain or
multi-subs.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Bill Grant
      02-10-2006, 12:08 AM
Phillip Windell wrote:
> "Paul" <(E-Mail Removed)> wrote in message
> news:24E9D3DA-CB05-424C-A018-(E-Mail Removed)...
>> Thank you for the information.
>>
>> I didn't mean to sound condescending regarding windows server in my
>> post if that is how it came across.
>
> No problem.
>
>> From reading MS's BOIS documentation and the other branch office
>> solutions on MS's site I got the impression that they recommend a
>> sub-domain (multiple AD sites) setup instead of a single domain
>> setup for multiple offices due to less load on the WAN links.
>
> That is not entirely true. Multiple AD Sites and Multiple
> Sub-domains are two different things. You can have many sub-domains
> and only one Site,...by the same token you can have one Domain and
> many Sites. I'm not preaching against Multiple Sub-domains, if you
> want them, fine, no problem,...but I just don't want you to think you
> need them just because of the slow WAN links.
>
> A Site is defined by a physical location separated by a slow WAN
> link. The purpose of the Site is to manage replication over a Slow
> WAN link. A single domain will work just fine over WAN links as
> long as there is a DC (or 2) at each Site.
>
> The purpose of the sub-domain (IMO) is often political. It gives the
> local IT Staff at the individual Site more control over what happens
> in their own "world" than it does if there is just one single large
> Domain. If there is no IT Staff at each location, then you may be
> better off (IMO) with just a single domain with DCs distributed at
> each site. The sub-domains still have to replicate with the primary
> domain regardless, so you still have replication traffic over the
> WAN in any case, whether single domain or multi-subs.


I would like to confirm Phillip's observations on sites and sub-domains.

Active Directory Sites and routing are the important things to consider
when you are looking at the physical layout of your WAN. That is what
determines how efficiently everything operates. AD Sites look after the way
replication is handled and which DC a user will use to log in.

Sub-domains are a separate issue. A single domain can be very large and
still be efficient under AD. The only reason to use sub-domains is to allow
delegation of authority to administrator(s) in a sub-domain. And as Phillip
pointed out, sub-domains are independent of the geography, while sites are
not. Your sites may be in different cities or states, while your sub-domains
may all be based at HO and split by function, such as manufacturing,
warehousing and distribution.
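The two design points raised in this thread (Phillip's "2 DCs at every physical location" and Bill's note that Sites decide which DC a user logs in to) can be audited from the directory itself. The script below is an added example, not code from any poster; it assumes the RSAT ActiveDirectory PowerShell module (newer than the 2003-era servers discussed here) on a domain-joined admin workstation, and the function name and threshold are my own.

```powershell
# Added example: report, per AD site, how many DCs serve it, which domains they belong
# to, and whether any subnets are mapped to it. A site with fewer than two DCs loses
# local logon when one DC or the WAN link fails; a site with no subnets cannot be
# matched to clients, so their logons are not steered to the local DCs at all.
Import-Module ActiveDirectory

function Get-SiteRedundancyReport {
    param([int]$MinimumDCs = 2)   # threshold from the thread's advice (assumption)

    $forest = Get-ADForest
    # Domain controllers are per-domain objects, so query each domain in the forest.
    $dcs = foreach ($dom in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $dom
    }
    $sites   = Get-ADReplicationSite   -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *

    foreach ($site in $sites) {
        # DC objects carry the site *name*; subnet objects carry the site *DN*.
        $siteDCs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })

        $findings = @()
        if ($siteDCs.Count -eq 0) {
            $findings += 'no DC: every logon crosses the WAN'
        } elseif ($siteDCs.Count -lt $MinimumDCs) {
            $findings += "only $($siteDCs.Count) DC: no local failover"
        }
        if ($siteSubnets.Count -eq 0) {
            $findings += 'no subnets: clients cannot be matched to this site'
        }
        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }

        [pscustomobject]@{
            Site     = $site.Name
            DCs      = $siteDCs.Count
            Domains  = ($siteDCs.Domain | Sort-Object -Unique) -join ', '
            Subnets  = $siteSubnets.Count
            Findings = $summary
        }
    }
}

Get-SiteRedundancyReport | Format-Table -AutoSize
```

In a multi-sub-domain design the Domains column also shows which sites hold DCs for only one domain, so users of the other domains at that site still authenticate across the WAN.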