Active Directory – When to Create Additional Domain in Forest

Tags: active-directory, domain-controller, windows

My company is opening a new site in a different country. We will be installing new servers there and I have a question I can't decide on. Should we create a new domain in the forest, or should we just use the same domain and implement a new domain controller, possibly an RODC?

The two companies are separated, but collaborate tightly. Also we manage IT for both of them, but I can't exclude they might have an IT of their own when they grow up. We access common network shares and might use resources located in both companies. Also, some of our users are often traveling from one company to the other.

The advantages I see in a new domain are mainly related to a tidier organization, better management in case of a dedicated department while still retaining the advantages of using GPOs from the forest. I'd set up a trust to let users access data in different domains.

The only disadvantages I see might be in having to add both usergroups in some cases and possibly some kind of problems with software based on AD if not properly set. I have no experience with this, so I'd like to hear your opinion about it and maybe help me figure out where the issues might arise.

Best Answer

Creating another domain adds complexity. To the extent that you are able to maintain a single domain environment you will limit complexity. I find that administrative activities are easier in a single domain environment.

Visual organization ("a tidier organization") could be accomplished with other features, like organizational units (OUs) in Active Directory. Personally, I wouldn't consider such "tidiness" reason enough to create a second domain.

Just about any delegation of control scenario that you can envision in a multi-domain environment can be handled in a single domain by delegating control at an OU.

From a logon efficiency perspective it makes sense to have Domain Controller (DC) computers at a location for whatever domains will be used in that location. If you are going to have users travelling between locations you will need more DCs (one for each domain, at minimum) if you have a multi-domain environment.

Cross-forest Group Policy Objects (GPOs) have, in my experience, been somewhat flaky. You will need a DC from the domain where a GPO is hosted well-connected to the machines that apply GPOs from that domain. That may also cause you to need more DCs in a multi-domain environment as compared to a single domain.

My opinion is that a multi-domain environment is only necessary when you require multiple domain-level password policies (and can't make use of fine-grained password policy within a single domain for some technical reason), or when the domain replication traffic would be so extreme as to warrant isolation to limit replication traffic.

Edit:

If you really do need separation, legally or organizationally, then a separate Forest for the other company is really the only way to go. Separate domains in the same forest offer no practical separation, aside from partitioning the replication of the Directory.
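The single-domain alternative the answer recommends, carried out as an added example (not part of the answer above): a dedicated OU for the new site, a delegated group that may reset passwords only for user objects under that OU, and a fine-grained password policy scoped to that site's users instead of a second domain. Domain name `corp.example.com`, OU name `Site-B` and the group names are assumed placeholders; the two GUIDs are the well-known schema GUIDs for the "Reset Password" control access right and the `user` object class.

```powershell
# Assumes the RSAT ActiveDirectory module and a domain-admin session.
Import-Module ActiveDirectory

$domainDN = "DC=corp,DC=example,DC=com"   # placeholder domain
$ouDN     = "OU=Site-B,$domainDN"          # placeholder OU for the new site

# 1. One OU per site inside the existing domain (the "tidier organization").
New-ADOrganizationalUnit -Name "Site-B" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Security groups for the site's helpdesk staff and users.
New-ADGroup -Name "SiteB-Helpdesk" -GroupScope Global -GroupCategory Security -Path $ouDN
New-ADGroup -Name "SiteB-Users"    -GroupScope Global -GroupCategory Security -Path $ouDN

# 3. Delegate "Reset Password" on user objects below the OU only, so the
#    site helpdesk never gets rights on accounts in other OUs (least privilege).
$helpdeskSid   = (Get-ADGroup "SiteB-Helpdesk").SID
$resetPwdRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password control access right
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schema GUID of the user class

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. A site-specific password policy without a second domain: a PSO applied
#    to the SiteB-Users group. Lower precedence wins if several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name "SiteB-PSO" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
    -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "SiteB-PSO" -Subjects "SiteB-Users"

# Verify: the delegated ACE on the OU and the resultant PSO for a site user.
(Get-Acl -Path "AD:\$ouDN").Access | Where-Object { $_.IdentityReference -like "*SiteB-Helpdesk" }
Get-ADUserResultantPasswordPolicy -Identity (Get-ADGroupMember "SiteB-Users" | Select-Object -First 1)
```

The last line only returns a result once at least one user has been added to `SiteB-Users`; `Get-ADUserResultantPasswordPolicy` shows which PSO (or the default domain policy) actually applies to that account.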