Active Directory Design – Domains per site or Organisational Units per site

active-directory

I work for an educational establishment that currently has three geographically separate schools, and is about to open a fourth. Each school has 600+ computers and 1000+ users.

At the moment our Active Directory is set up to split the schools into three domains.

  • school1.internal
  • school2.school1.internal
  • school3.school1.internal

Each school is mostly independent of the others, with very few users that need to cross over. There is one Exchange server group, but with one server at each school.

The network director has decided that he wants Exchange to be externally managed, as "School1" have messed about so much with theirs that it no longer works correctly.

The company that is doing this outsourcing has suggested that it may be better to have one domain with separate Organisational Units for each site; my thoughts are that they want to do this because it's easier for them.

The way we've been running has served us quite well, with very little being able to cause any issues with the other schools when one has a problem. I would prefer not to change, as this change will no doubt, at least in the beginning, introduce some instability.

The three sites are currently connected by 2Mbit links; when the 4th school opens, the schools will be moved over to a 100Mbit link (this is a separate project and more to do with a new VLE than with a network issue).

What would be the arguments for and against a multi domain setup or a location OU based setup?

Best Answer

As there are few crossover requirements, I would recommend setting them up as suggested: one domain with appropriate OUs beneath it.

If set up with the relevant "sites", with at least one domain controller at each and with at least one Global Catalog at each site (no reason not to have each DC be a GC).

Once you migrate to the 100MB/s WAN even high volume DFS transfers would pose little issue.

Maintaining it as one domain with multiple sites and appropriate OUs for permissions, installations, group security etc. means that should all domain controllers in one site fail, all machines, with the exception of machines that are told specifically to look at one domain controller for authentication e.g. an application that is querying a domain controller for LDAP services, should still be able to log in and use network resources.

Over a 2Mb/s link this would be suboptimal but should be an edge case scenario, i.e. server room burns down but comms room is okay etc. Over a 100Mb/s link how is that any different to a normal domain config?
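As an added example that is not part of the original answer, the following PowerShell check audits the design the answer recommends: one domain, one AD site per school, at least one DC per site that is also a Global Catalog, and every subnet mapped to a site so clients never authenticate across the WAN by accident. It assumes the RSAT ActiveDirectory module is installed and uses hypothetical site names.

```powershell
# Added example, not from the original question or answer.
# Audits per-site DC/GC coverage and subnet-to-site mapping in a single-domain AD.
# Assumes the RSAT ActiveDirectory module; site names below are hypothetical.
Import-Module ActiveDirectory

function Test-SiteCoverage {
    [CmdletBinding()]
    param(
        # Sites we expect to exist, one per school (hypothetical names).
        [string[]]$ExpectedSites = @('School1', 'School2', 'School3', 'School4')
    )

    $sites   = @(Get-ADReplicationSite -Filter *)
    $dcs     = @(Get-ADDomainController -Filter *)
    $subnets = @(Get-ADReplicationSubnet -Filter *)

    # Per-site summary: a site with no DC sends its clients to another site's DC
    # over the WAN; a site with no GC breaks universal group lookups at logon.
    $coverage = foreach ($site in $sites) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Site   = $site.Name
            DCs    = $siteDcs.Count
            GCs    = $siteGcs.Count
            Status = if ($siteDcs.Count -eq 0) { 'NO DC' }
                     elseif ($siteGcs.Count -eq 0) { 'NO GC' }
                     else { 'OK' }
        }
    }

    # Expected sites that were never created in AD Sites and Services.
    $missingSites = @($ExpectedSites | Where-Object { $_ -notin $sites.Name })

    # Subnets with no site: clients on them pick a DC from the whole forest.
    $orphanSubnets = @($subnets | Where-Object { -not $_.Site } | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Coverage      = $coverage
        MissingSites  = $missingSites
        OrphanSubnets = $orphanSubnets
        Healthy       = ($coverage.Status -notcontains 'NO DC') -and
                        ($coverage.Status -notcontains 'NO GC') -and
                        ($missingSites.Count -eq 0) -and
                        ($orphanSubnets.Count -eq 0)
    }
}

$report = Test-SiteCoverage
$report.Coverage | Format-Table -AutoSize
if (-not $report.Healthy) { Write-Warning "Site coverage gaps found: $($report.MissingSites + $report.OrphanSubnets -join ', ')" }
```

Run it from a domain-joined admin workstation after each site is stood up; a site reporting NO DC or NO GC is exactly the case where logons at that school would cross the 2Mb/s link.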
