Hi,

It really in my mind depends on security and functionality. You would have to ask yourself what the limitations are currently and by moving to a new config what would you gain? I like the location naming scheme because it is easy to remember what portion of the network you are dealing with. If you do it based on project or company function, those things change from time to time where locations are more stable. Depending on who you ask you will get a different answer regarding the security concerns that go with it.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 9:11 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

All of our topology is connected via VPN, and for whatever reason, separate domains came out of it ... I think that it happened by instinct, and if the domains are already created with trusts, regardless of whether it was necessary to do so or not (I don't think it is since ADSS controls location, not the domain name), is it worth tearing it apart to accommodate for a single-domain design just because? And also, if different parts of the network, hence the different locations, handle different parts of the same project, is it a good idea to have separate domains then in that case?

Also, do you recommend that if we go the multiple domain route due to not wanting to tear apart working infrastructure, is it a good idea to name the child domains based on location, or based on project function? Those running things seem to prefer everything named by location, however, I tend to prefer project-based or personality-based naming, so there's always that debate going on. For instance, the VPNs are named via location. Mine's Wilmington Mass, so the site would be Wil-MA. Putting a separate domain as well named that, that's sort of repetitive, don't you think? It could have to do something with the VPN as for why the domains are separate, though I didn't think they were hand in hand.

We're doing some reorganizing in the near future anyway, so I'll be sure to mention this conversation; for I don't have either enough workstations or servers, I feel, to warrant an entire separate domain. I think that we should do it by OUs with projects specified inside them and then have a single domain with the different OUs inside. The unfortunate thing is that the domain infrastructure was already built before I mentioned this, so is it worth taking it down, or should we continue on our same course?

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin
Sent: Tuesday, April 18, 2017 8:51 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Good Morning,

If your locations are on a network together such as a VPN, yes it would be better to have them on the same domain. You could have domain controllers at each site and depending on your needs they could be regular domain controllers or read only. If I were building it, that is how I would do it. Otherwise you would do it the way you are talking about and using domain trusts.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 8:24 AM
To: 'blind-sysadmins@lists.hodgsonfamily.org' <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: [Blind-sysadmins] Active Directory site/domain design

Hi all,

In a multiple site design, is it necessary or recommended to have a separate domain for each site as a child of the primary domain? Or is Active Directory Sites and Services enough for site separation, or does it depend on the purpose for the site design? I'm just curious what everyone thinks, because our setup has a domain for each site, and I'm trying to see if we can possibly cut that down to a single domain, since we're all part of the same project, just different locations, and would it not be possible to configure which domain controller a computer logs onto via locale alone, or does it have to be done via domain? I've not done this in a while, so I'm asking the experts.

Thanks.

_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
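
Added example, not part of the original thread and not any participant's configuration: the single-domain layout discussed above, with one Active Directory site per VPN location and subnets mapped to sites so that clients locate a domain controller by IP address rather than by domain. Only the site name Wil-MA comes from the thread; the second site, both subnets and the site link name are constructed placeholders.

```powershell
# Added example. 'Wil-MA' is from the thread; 'Example-Site2', the subnets
# and the site link name are constructed placeholders.
Import-Module ActiveDirectory

$plan = @(
    @{ Site = 'Wil-MA';        Subnets = @('10.10.0.0/16') },
    @{ Site = 'Example-Site2'; Subnets = @('10.20.0.0/16') }
)

foreach ($entry in $plan) {
    # Create the site only if it is missing, so the script can be re-run.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($entry.Site)'")) {
        New-ADReplicationSite -Name $entry.Site
    }
    foreach ($subnet in $entry.Subnets) {
        # Subnet objects are what tie a client's IP address to a site.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            New-ADReplicationSubnet -Name $subnet -Site $entry.Site
        }
    }
}

# One site link over the VPN so the sites replicate with each other.
$linkName  = 'Wil-MA_Example-Site2'
$siteNames = $plan | ForEach-Object { $_.Site }
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $siteNames `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# Audit: a site with no subnets or no domain controller sends its clients
# to a controller in another location.
$allSubnets = @(Get-ADReplicationSubnet -Filter *)
foreach ($site in Get-ADReplicationSite -Filter *) {
    $dcs = @(Get-ADDomainController -Filter "Site -eq '$($site.Name)'")
    [pscustomobject]@{
        Site        = $site.Name
        Subnets     = @($allSubnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Count
        DCs         = $dcs.Count
        ReadOnlyDCs = @($dcs | Where-Object { $_.IsReadOnly }).Count
    }
}

# On a workstation, confirm which site the machine resolved to.
nltest /dsgetsite
```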