Child Domain vs Trust Relationship

active-directory

So here is the scenario:

We are in the process of centralizing IT to a data center in a single location. I currently have 12 different operating companies that need shared security and Exchange functionality. As it stands they are all separate individual domains of varying levels. There is also a company-wide accounting system that needs to be integrated with AD, currently running in a completely separate domain, that I would like to see people using their own AD logon info to use.

Here is my question:

Knowing that all the Active Directory domains need to be touched regardless to get them all up to a uniform functional level, and that there is significant work to be done no matter what, which configuration would be best? I know there are several points to each one, but I want to make sure I am covering my bases now before choosing a path. Do I go for a single forest\parent domain? Or separate domains using trusts between the corporate domain and the operating companies, like a spoke-and-hub config? What are the pros and cons of each?

Thanks.

Additional details:
There is some need to have administration delegation; it operates as more of a franchise environment than a single company. There will be administration staff responsible for just their company and nothing more. The hardware and software overheads are a non-issue, and each company uses a different set of policies anyway, so the policy portion provides no real advantage or disadvantage.

If operating companies are spread out across the US does this change your recommendations at all?

Best Answer

The strongest reason to not go with a single domain (and forest) is if you absolutely have to have separate admins in each forest. That's the security boundary. If the same folks are going to have the full set of keys, then make it easy on them. To be clear, I'm not talking about delegation for certain tasks - this is the group of people who are going to be enterprise admins.

This doesn't change my recommendations much, because you can delegate things out as needed, as I said above. If part of the org has local admins that need to be able to edit the GPO that is assigned to their OU, you can give that to them, as an example. However, if they need total control over their part of the domain, to the point that they need to be able to lock you out of it, then you need separate forests, and might have a tough time sharing Exchange. So, since you're sharing "security and Exchange", it sounds like a single domain is still the right way to go.
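The kind of task delegation the answer describes (local admins who can edit the GPO assigned to their own OU, without becoming Domain or Enterprise Admins) can be scripted in a single domain as below. This is an added example, not the answer's own code; the OU, group and GPO names are assumed, and it needs the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example: delegate GPO editing for one operating company's OU to that
# company's own admin group, inside a single domain.
# Assumed names (hypothetical): OU "OpCo-Alpha", group "OpCo-Alpha-GPO-Admins",
# GPO "OpCo-Alpha-Baseline". Run as an account that can create OUs, groups and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'OpCo-Alpha'
$ouDN     = "OU=$ouName,$domainDN"
$group    = 'OpCo-Alpha-GPO-Admins'
$gpoName  = 'OpCo-Alpha-Baseline'

# OU for the operating company, and a global security group for its local admins
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDN
}

# GPO linked only to this OU. GpoEdit lets the group change settings in this one
# GPO; it does not let them link/unlink GPOs or touch any other OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Verify the delegation, and that the group is not a member of any high-privilege group
Get-GPPermission -Name $gpoName -TargetName $group -TargetType Group |
    Select-Object Trustee, Permission
Get-ADPrincipalGroupMembership -Identity $group |
    Where-Object { $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Schema Admins' }
```

The last command should return nothing; if it lists a group, the "local" admins hold forest-wide keys and the single-forest security boundary the answer relies on no longer holds.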
