Published: February 25, 2008
The second step in Active Directory design is to determine the number of domains that are required to meet the organization’s objectives. Because each forest is unique and separated from the other forests, the number of domains in each forest must be considered independent of the other forests.
The addition or removal of a domain after the initial design has been implemented is not always simple. Migration of computers, users, data, and applications could make the modification to the number of domains a complex task.
Option 1: Single Domain
The design will need to have at least one domain. If there are multiple forests, each forest will need at least one domain. A single domain model has the following advantages and benefits:
- A single domain is the least expensive option. Additional domains increase the cost of hardware, software, and administration.
- A single domain is easier to manage. Management overhead and the related costs increase with additional domains.
- A single domain is easier to recover in the event of a disaster.
Option 2: Multiple Domains
Any of the following requirements will lead to a design with multiple domains:
- In environments that consist of a combined total of 100,000 user or computer objects, tests should be performed in the lab to ensure that the replication load does not overwhelm the replication topology for the domain. Multiple domains may be required to reduce the overall domain replication load.
- If Active Directory has a large number of frequently changing attributes, it may be useful to break the environment into multiple domains to control the replication within the domains. Testing should be done in a lab to determine if multiple domains reduce the replication traffic in a significant way.
- The compression algorithm used to replicate directory service changes across slow links is highly efficient. However, if slow links still cause issues for replication, a separate domain might be necessary. This scenario can be challenging when there are numerous changes occurring to directory service objects on a regular basis.
- An existing Microsoft directory, running on an earlier operating system level, needs to be preserved. To do so, the environment can be separated into its own domain.
Note: Windows Server 2008 supports fine-grained password policies. This new feature allows multiple password policies in the same domain. Windows 2000 and Windows Server 2003 domains support only one password policy per domain.
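The following added example (not from the original guide) shows how a stricter password policy for privileged accounts can be applied inside one domain with a fine-grained password policy, instead of creating a separate domain for it. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later), a domain at the Windows Server 2008 functional level, and placeholder names for the policy, group, and user.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory
# module and a domain at the Windows Server 2008 functional level.
# 'PSO-PrivilegedAccounts', 'Tier0-Admins' and 'admin.jdoe' are placeholders.
Import-Module ActiveDirectory

# A stricter policy for admin accounts, applied without a second domain.
# When a user is covered by more than one PSO, the lowest Precedence wins.
$psoParams = @{
    Name                        = 'PSO-PrivilegedAccounts'
    Precedence                  = 10
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordAge              = '1.00:00:00'    # 1 day
    MaxPasswordAge              = '42.00:00:00'   # 42 days
    LockoutThreshold            = 5
    LockoutObservationWindow    = '0.00:30:00'    # 30 minutes
    LockoutDuration             = '0.00:30:00'
    Description                 = 'Stricter password policy for admin accounts'
}
New-ADFineGrainedPasswordPolicy @psoParams

# A PSO is applied to users or global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Tier0-Admins'

# Check which policy actually wins for a given account. A $null result means
# no PSO applies and the domain's default password policy is in effect.
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe'
if ($null -eq $rsop) {
    'Default domain password policy applies'
} else {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

# Audit: list every PSO in the domain together with the objects it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        Subjects   = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                      Select-Object -ExpandProperty Name) -join ', '
    }
}
```

The resultant-policy check is the one worth repeating after any change, because a user in several groups gets only the PSO with the lowest Precedence, not a merge of all of them.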
By choosing to have multiple domains, the cost of managing the environment is affected in the following ways:
- Additional staff may be necessary to maintain the domains, each of which will have its own administrator group.
- More staff might be necessary to manage multiple domains, which involves a more complex set of management requirements.
- Additional hardware and software must be acquired to instantiate the domain.
- Group Policy settings that need to be applied to the domain or OUs in domains across the forest will need to be applied separately in each domain.
How Many Domains?
Once the need for multiple domains has been identified, the exact number of domains per forest is determined. A separate domain will be added to address each of the considerations that have been identified.
Evaluating the Characteristics
A single-domain directory is the least complex environment.
Complexity increases with the addition of each domain. However, adding another domain increases complexity less than it increases cost and management overhead.
The cost to set up and operate a single domain is the lowest possible.
Setup costs rise with each additional domain because of the requirements of installing and configuring each domain controller, not to mention the hardware and software cost for each domain controller.
Validating with the Business
In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect domain design decisions:
- Is there a need to separate a business unit because of legal requirements? Some companies and many governmental, university, or military environments require that some users and computers exist in a separate domain. If such a policy exists, it should be re-evaluated as the domain is no longer the security boundary it was in Windows NT® 4.0 and previous versions. If the policy is around isolation requirements, a separate forest will be required.
- Are there different administrative units that need to be autonomous? In most cases, using delegation at the OU level within a single domain can provide autonomy to administrative units. However, politics, corporate structure, administrative controls, and other factors might cause a need for additional domains instead.
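As an added example of the OU-level delegation mentioned above (not from the original guide), the following grants a helpdesk group only the right to reset passwords on user objects beneath one OU, which gives that unit administrative autonomy without a separate domain. It assumes the ActiveDirectory module and placeholder OU, group, and domain names.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory
# module (it provides the AD: drive used by Get-Acl/Set-Acl). The OU, group
# and domain names are placeholders.
Import-Module ActiveDirectory

$ouDn  = 'OU=Helpdesk-Managed,DC=corp,DC=example'
$group = 'Helpdesk-PasswordReset'

# Well-known schema GUIDs: the "Reset Password" extended right and the
# user object class. Scoping the ACE to both keeps the grant to exactly
# one operation on exactly one object type.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $group).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# Allow ExtendedRight:ResetPassword on descendant user objects only.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show every ACE on the OU that names the helpdesk group. Anything
# broader than ExtendedRight on the user class means the delegation drifted.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Because the grant lives on the OU rather than on a domain, removing it later is a single ACL change, whereas removing a domain requires the object migration described at the start of this step.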
A single domain is the default configuration for each forest. Add domains only as necessary to solve technical and business concerns that can’t be solved within a single domain. Additional domains cost more to install and increase the hardware and software needed to run the domain controllers in each domain.
Remember to record the decisions made in the job aid in the appendix of this guide.
Important! The number of domains will need to be determined per forest.
“Creating a Domain Design” at https://technet2.microsoft.com/windowsserver/en/library/60b6817e-4123-4bb0-8646-964c83b2e3281033.mspx?mfr=true
“AD DS: Fine-Grained Password Policies” at https://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true