Andrew, I personally like your method. Definitely easier to manage. It would be nice if there was an easier way to deal with catastrophic failures with AD.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson
Sent: Tuesday, April 18, 2017 9:58 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi,

Personally I prefer as few domains as possible, and use sites/subnets to separate everything. When I worked for my previous employer I had one domain with many sites, and DCs in those sites. I had a mix of site-to-site VPN and datacentre type links connecting, but each site had their own subnets. This was removing the multiple child domains I had before.

I created the sites and subnets, assigning each of the subnets to the specific site, then moved the DCs into the sites. This cuts down on replication traffic and also trust/permission issues. Machines will log in using the closest DC per site.

Obviously if you are making changes to the AD which may break stuff, then you need to do that in a separate domain until you are comfortable with the changes you make; that is where separate domains have an advantage, as you can always re-create the domain with less impact. Note if you create child domains all domains share the same schema, so if the root domain breaks you are in big trouble.

Andrew.

________________________________________
From: Blind-sysadmins [blind-sysadmins-bounces@lists.hodgsonfamily.org] on behalf of Katherine M. Moss via Blind-sysadmins [blind-sysadmins@lists.hodgsonfamily.org]
Sent: 18 April 2017 14:38
To: Blind sysadmins list
Cc: Katherine M. Moss
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Not sure whether security is as much of a concern here; we all trust one another, and we often overlap infrastructure access to help each other out with tasks. The main purpose of the project is for learning and community knowledge exchange, so we are as transparent as possible. And is there any point to having a separate domain in which there are only about two workstations and two servers? My site is the smallest, with the least resources right now.

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin
Sent: Tuesday, April 18, 2017 9:22 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Hi,

It really in my mind depends on security and functionality. You would have to ask yourself what the limitations are currently and by moving to a new config what would you gain? I like the location naming scheme because it is easy to remember what portion of the network you are dealing with. If you do it based on project or company function, those things change from time to time, where locations are more stable. Depending on who you ask you will get a different answer regarding the security concerns that go with it.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 9:11 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

All of our topology is connected via VPN, and for whatever reason, separate domains came out of it ... I think that it happened by instinct, and if the domains are already created with trusts, regardless of whether it was necessary to do so or not (I don't think it is since ADSS controls location, not the domain name), is it worth tearing it apart to accommodate for a single-domain design just because?

And also, if different parts of the network, hence the different locations, handle different parts of the same project, is it a good idea to have separate domains then in that case? Also, do you recommend that if we go the multiple domain route due to not wanting to tear apart working infrastructure, is it a good idea to name the child domains based on location, or based on project function? Those running things seem to prefer everything named by location; however, I tend to prefer project-based or personality-based naming, so there's always that debate going on. For instance, the VPNs are named via location. Mine's Wilmington Mass, so the site would be Wil-MA. Putting a separate domain as well named that, that's sort of repetitive, don't you think? It could have to do something with the VPN as for why the domains are separate, though I didn't think they were hand in hand.

We're doing some reorganizing in the near future anyway, so I'll be sure to mention this conversation; for I don't have either enough workstations or servers, I feel, to warrant an entire separate domain. I think that we should do it by OUs with projects specified inside them and then have a single domain with the different OUs inside. The unfortunate thing is that the domain infrastructure was already built before I mentioned this, so is it worth taking it down, or should we continue on our same course?

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin
Sent: Tuesday, April 18, 2017 8:51 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Active Directory site/domain design

Good Morning,

If your locations are on a network together such as a VPN, yes it would be better to have them on the same domain. You could have domain controllers at each site and depending on your needs they could be regular domain controllers or read only. If I were building it, that is how I would do it. Otherwise you would do it the way you are talking about and using domain trusts.

Kind Regards,
Billy

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss via Blind-sysadmins
Sent: Tuesday, April 18, 2017 8:24 AM
To: 'blind-sysadmins@lists.hodgsonfamily.org' <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Katherine M. Moss <KMoss@WinterHillSolutions.com>
Subject: [Blind-sysadmins] Active Directory site/domain design

Hi all,

In a multiple site design, is it necessary or recommended to have a separate domain for each site as a child of the primary domain? Or is Active Directory Sites and Services enough for site separation, or does it depend on the purpose for the site design? I'm just curious what everyone thinks, because our setup has a domain for each site, and I'm trying to see if we can possibly cut that down to a single domain, since we're all part of the same project, just different locations. And would it not be possible to configure which domain controller a computer logs onto via locale alone, or does it have to be done via domain? I've not done this in a while, so I'm asking the experts.

Thanks.

_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
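The single-domain layout Andrew describes above (create the sites and subnets, assign each subnet to its site, then move the DCs into the sites) written out as PowerShell, added here as an illustration; it is not code from anyone on the thread. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation with rights to edit the Configuration partition. The site name Wil-MA is the one Katherine mentions; the second site name, the subnet ranges, the DC names and the site-link cost and interval are made-up placeholders to replace with your own.

```powershell
# Added example, not from the mailing-list thread: one domain, one AD site per
# location, subnets bound to sites so each client authenticates to its local DC.
# Assumes the ActiveDirectory module (RSAT) and rights on the Sites container.
Import-Module ActiveDirectory

# Wil-MA is the site name used in the thread; 'Site-Two', the CIDR ranges and
# the DC names are constructed placeholders.
$sites = @{
    'Wil-MA'   = @{ Subnets = @('10.10.0.0/16');                 DCs = @('DC-WILMA-01') }
    'Site-Two' = @{ Subnets = @('10.20.0.0/16', '10.21.0.0/24'); DCs = @('DC-TWO-01') }
}

foreach ($siteName in $sites.Keys) {
    # 1. Create the site if it does not already exist.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }

    # 2. Create each subnet and bind it to the site. This is what makes the DC
    #    locator hand a client in that range its local DC (Andrew's "closest DC
    #    per site"); a subnet with no site, or a client outside every subnet,
    #    gets a DC chosen more or less at random.
    foreach ($cidr in $sites[$siteName].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        } else {
            Set-ADReplicationSubnet -Identity $cidr -Site $siteName
        }
    }

    # 3. Move the location's DCs out of Default-First-Site-Name into the site.
    foreach ($dc in $sites[$siteName].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $siteName
    }
}

# 4. One site link covering the VPN so inter-site replication runs on a
#    schedule instead of intra-site change notification. Cost and interval
#    are placeholder values.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'VPN-Link'")) {
    New-ADReplicationSiteLink -Name 'VPN-Link' `
        -SitesIncluded @($sites.Keys) `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 60 `
        -InterSiteTransportProtocol IP
}

# Checks after the change:
# a) Any subnet left without a site is a gap in the locator map.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name, Location

# b) Which DC a client in a given site would be directed to.
Get-ADDomainController -Discover -SiteName 'Wil-MA' |
    Select-Object HostName, Site

# c) Run on a workstation at that location: confirm it mapped to the site.
nltest /dsgetsite
```

If clients still land on a DC across the VPN after this, look at the DCs' NETLOGON event 5807, which lists client addresses that did not map to any defined subnet; add the missing ranges rather than widening an existing subnet past what that location actually owns.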