Good information here! I currently manage 1 domain and 2 sites, and I'm definitely learning something from this conversation. It's one thing to know it from books, but when you hear it from experts, it's awesome! Thanks for sharing.

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart via Blind-sysadmins
Sent: Tuesday, April 18, 2017 9:15 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Ryan Shugart <ryshugar@microsoft.com>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi:

At my previous job I managed Active Directory for an organization with offices on six continents, ranging in size from 5 people at an office to over 100. We had 2 domains, no domain trust. One domain had all internal resources; the second domain had any customer-facing resources that needed to be isolated due to security concerns, AKA separating customer data from employee data etc. Except for that reason, I see no need for a ton of domains. Just have one domain, a DC at any larger office, and use subnets and sites to control logons. Also perhaps create OUs per site so you can organize things and manage GPO settings better; you can apply GPOs per site, but I think it's easier to apply them per OU. Also keep in mind that if you have any software that's using LDAP for authentication/directory access and not Active Directory APIs, OUs appear in LDAP paths, sites don't. Also for smaller sites with good connectivity I'm not even sure there's a need for a DC at that site, read-only or otherwise. When we had our AD audit with Microsoft they really discouraged the use of RODCs, and said if you have a small site with lax security perhaps consider why you need a DC there anyway, as cached logons and connecting to the nearest DC may be a better option. We had a bunch of smaller offices with no domain controllers, and honestly people normally never noticed an issue.
Ryan

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 7:43 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

We have sites already, but for some strange reason child domains were chosen for each site until I said something. Who knows, there could be a reason for that of which I'm not aware, and I think it's being re-evaluated.

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson
Sent: Tuesday, April 18, 2017 10:17 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi,

One other thing I forgot to say is that if you use DFS you will want to use sites/subnets for the same reason. I had DFS replication set up and users always accessed the shares through the best file server for their location.

Andrew.

________________________________________
From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Andrew Hodgson [andrew@hodgsonfamily.org]
Sent: 18 April 2017 14:58
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi,

Personally I prefer as few domains as possible, and use sites/subnets to separate everything. When I worked for my previous employer I had one domain with many sites, and DCs in those sites. I had a mix of site-to-site VPN and datacentre-type links connecting them, but each site had its own subnets. This replaced the multiple child domains I had before. I created the sites and subnets, assigning each of the subnets to the specific site, then moved the DCs into the sites. This cuts down on replication traffic and also trust/permission issues.
Machines will log in using the closest DC per site. Obviously if you are making changes to the AD which may break stuff, then you need to do that in a separate domain until you are comfortable with the changes you make; that is where separate domains have an advantage, as you can always re-create the domain with less impact. Note that if you create child domains, all domains share the same schema, so if the root domain breaks you are in big trouble.

Andrew.

________________________________________
From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Katherine M. Moss via Blind-sysadmins [blind-sysadmins@lists.hodgsonfamily.org]
Sent: 18 April 2017 14:38
To: Blind sysadmins list
Cc: Katherine M. Moss
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Not sure whether security is as much of a concern here; we all trust one another, and we often overlap infrastructure access to help each other out with tasks. The main purpose of the project is learning and community knowledge exchange, so we are as transparent as possible. And is there any point to having a separate domain in which there are only about two workstations and two servers? My site is the smallest, with the least resources right now.

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin
Sent: Tuesday, April 18, 2017 9:22 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi,

In my mind it really depends on security and functionality. You would have to ask yourself what the limitations are currently, and by moving to a new config what would you gain? I like the location naming scheme because it is easy to remember what portion of the network you are dealing with. If you do it based on project or company function, those things change from time to time, whereas locations are more stable.
Depending on who you ask you will get a different answer regarding the security concerns that go with it.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 9:11 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

All of our topology is connected via VPN, and for whatever reason separate domains came out of it ... I think that it happened by instinct, and if the domains are already created with trusts, regardless of whether it was necessary to do so or not (I don't think it is, since ADSS controls location, not the domain name), is it worth tearing it apart to accommodate a single-domain design just because? And also, if different parts of the network, hence the different locations, handle different parts of the same project, is it a good idea to have separate domains in that case? Also, if we go the multiple-domain route due to not wanting to tear apart working infrastructure, do you recommend naming the child domains based on location, or based on project function? Those running things seem to prefer everything named by location; however, I tend to prefer project-based or personality-based naming, so there's always that debate going on. For instance, the VPNs are named by location. Mine's Wilmington, Mass, so the site would be Wil-MA. Putting a separate domain named that as well is sort of repetitive, don't you think? It could have something to do with the VPN as to why the domains are separate, though I didn't think they went hand in hand.
We're doing some reorganizing in the near future anyway, so I'll be sure to mention this conversation, for I don't feel I have enough workstations or servers to warrant an entire separate domain. I think that we should do it by OUs with projects specified inside them, and then have a single domain with the different OUs inside. The unfortunate thing is that the domain infrastructure was already built before I mentioned this, so is it worth taking it down, or should we continue on our same course?

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin
Sent: Tuesday, April 18, 2017 8:51 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Good Morning,

If your locations are on a network together, such as a VPN, yes, it would be better to have them on the same domain. You could have domain controllers at each site, and depending on your needs they could be regular domain controllers or read-only. If I were building it, that is how I would do it. Otherwise you would do it the way you are talking about, using domain trusts.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 8:24 AM
To: 'blind-sysadmins@lists.hodgsonfamily.org' <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: [Blind-sysadmins] Active Directory site/domain design

Hi all,

In a multiple-site design, is it necessary or recommended to have a separate domain for each site as a child of the primary domain? Or is Active Directory Sites and Services enough for site separation, or does it depend on the purpose of the site design?
I'm just curious what everyone thinks, because our setup has a domain for each site, and I'm trying to see if we can possibly cut that down to a single domain, since we're all part of the same project, just different locations. And would it not be possible to configure which domain controller a computer logs onto via locale alone, or does it have to be done via domain? I've not done this in a while, so I'm asking the experts. Thanks.

_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
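The single-domain layout Ryan and Andrew recommend above (one site and subnet set per location, DCs moved into their sites, an OU per site for GPOs), as an added PowerShell example that is not code from the thread. The site names, subnets, DC name and GPO name are assumed placeholders; it assumes the ActiveDirectory and GroupPolicy RSAT modules and rights to edit the Configuration partition.

```powershell
# Added example, not code from the thread: build the single-domain, site-per-location
# layout Ryan and Andrew describe. Site names, subnets, the DC and GPO names are
# assumed placeholders. Needs the ActiveDirectory and GroupPolicy RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$dnsRoot  = (Get-ADDomain).DNSRoot

# One site per location; the subnets are the ranges routed to that office.
$sites = @{
    'Wil-MA'  = @('10.10.0.0/24', '10.10.1.0/24')
    'HQ-Main' = @('10.20.0.0/22')
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            # The subnet-to-site mapping is what makes a client pick a local DC.
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
    # An OU per site: GPOs link per OU, and OUs show in LDAP paths (sites do not).
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$site)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $domainDN
    }
}

# Move the DC serving the Wilmington office into its site (placeholder DC name).
Move-ADDirectoryServer -Identity 'DC-WILMA' -Site 'Wil-MA'

# Link a per-location baseline GPO to the site's OU rather than to the site object.
$gpo = Get-GPO -Name 'Wil-MA-Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Wil-MA-Baseline' }
New-GPLink -Guid $gpo.Id -Target "OU=Wil-MA,$domainDN" -LinkEnabled Yes

# Checks afterwards:
# 1. A subnet with no site sends its clients to an arbitrary DC, possibly over the VPN.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
# 2. Which DCs each site holds, and whether any are RODCs (Ryan's caution above).
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly
# 3. Run on a workstation: the site it was placed in and the DC it will log on to.
nltest /dsgetsite
nltest "/dsgetdc:$dnsRoot"
```

The first check is the one to run before removing child domains: any subnet that is still unmapped to a site will make its workstations pick DCs without regard to location once they are all in one domain.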