When planning a multiple-domain structure, keep the following design issues in mind:
Security: One of the reasons a multiple-domain structure might be created is to meet the security requirements of a business. If the business implements decentralized administration and needs to maintain a distinct security boundary between its various business units, a multiple-domain structure must be established. Creating a separate domain in the forest for each business unit enables each one to maintain its own administration. If the different locations or departments in a business have different security needs (such as password requirements) or a single security policy for the entire organization cannot be agreed on, multiple domains might have to be created. This way, the administrators from each domain can establish security policies that meet their specific requirements.
WAN or LAN Constraints: Chapter 2 explained that replication is based on the multimaster replication model. All domain controllers in a domain are equal, and all maintain an up-to-date working copy of the directory database. This results in more replication traffic in a domain (as opposed to between domains) because any change made to the directory is replicated throughout the domain to all domain controllers.
The point of this discussion is that if the organization has LAN or WAN links that are slow, unreliable, or already heavily used, the links might not be capable of supporting the amount of replication traffic generated in a domain. In cases such as this, multiple domains must be created to optimize replication.
Let's take a look at an example. If the XYZ Corporation implements a single-domain model, all the objects and their associated attributes will be replicated to every domain controller in every location. Then, every time a change is made to the directory, the change will be replicated throughout the domain. If the physical link between the NY domain and Paris domain is slow, this might not be the best model to implement. To optimize replication, at least two separate domains should be created so that replication traffic can be reduced across the slow link.
Legal Issues: In today's world of enterprise networks that span different countries, you might need to consider certain legal issues when planning domains that might result in the implementation of a multiple-domain structure. For example, a business that has an international presence might be required to maintain separate domains for its overseas locations. An organization might also need to keep employee information for its European subsidiaries separate from U.S. employees because the European Union has much more stringent confidentiality requirements than the U.S. does. To meet the security requirements of different countries, separate domains would have to be created.
Domain-wide Policies: If creating different security configurations for different groups of users and computers throughout the business is necessary, you also might need to create more than one domain. Only a thorough assessment of a business's security requirements will determine whether more than one domain is needed. The following are some security options set on a domain basis:
If a business requires unique security policies for different groups of its users, more than one domain is required because these settings are applied on a domain basis. For example, if the XYZ Corporation requires a separate, more secure password policy to be applied to its employees in the Paris location, a multiple-domain model would have to be implemented.
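An added example, not from the original text: a PowerShell check that makes the per-domain scope of these settings concrete by comparing each domain's default password and lockout settings with a required baseline. The domain names, the baseline values, and the function name Test-DomainPasswordPolicy are constructed for illustration; the commented lines assume the ActiveDirectory module's Get-ADForest and Get-ADDefaultDomainPasswordPolicy cmdlets are available for live use.

```powershell
# Added example: report where each domain's default policy falls short of a baseline.
function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] [object[]]  $Policy,    # one policy object per domain
        [Parameter(Mandatory)] [hashtable] $Baseline   # minimum acceptable settings
    )
    foreach ($p in $Policy) {
        $gaps = @()
        if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
            $gaps += "MinPasswordLength $($p.MinPasswordLength) < $($Baseline.MinPasswordLength)"
        }
        if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
            $gaps += "PasswordHistoryCount $($p.PasswordHistoryCount) < $($Baseline.PasswordHistoryCount)"
        }
        if ($Baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
            $gaps += 'ComplexityEnabled is off'
        }
        # A LockoutThreshold of 0 means accounts are never locked out.
        if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
            $gaps += "LockoutThreshold $($p.LockoutThreshold) weaker than $($Baseline.LockoutThreshold)"
        }
        [pscustomobject]@{
            Domain    = $p.Domain
            Compliant = ($gaps.Count -eq 0)
            Gaps      = $gaps -join '; '
        }
    }
}

# Constructed sample data: two domains in one forest, each with its own policy.
$sample = @(
    [pscustomobject]@{ Domain = 'ny.xyz.example';    MinPasswordLength = 7
                       PasswordHistoryCount = 12; ComplexityEnabled = $true; LockoutThreshold = 0 }
    [pscustomobject]@{ Domain = 'paris.xyz.example'; MinPasswordLength = 12
                       PasswordHistoryCount = 24; ComplexityEnabled = $true; LockoutThreshold = 5 }
)

# Constructed baseline: the stricter policy required for the Paris location.
$parisBaseline = @{ MinPasswordLength = 12; PasswordHistoryCount = 24
                    ComplexityEnabled = $true; LockoutThreshold = 5 }

Test-DomainPasswordPolicy -Policy $sample -Baseline $parisBaseline | Format-List

# Live use (assumes the ActiveDirectory module and read access to each domain):
# $live = (Get-ADForest).Domains | ForEach-Object {
#     $d = $_
#     Get-ADDefaultDomainPasswordPolicy -Server $d |
#         Select-Object @{ Name = 'Domain'; Expression = { $d } }, MinPasswordLength,
#                       PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
# }
# Test-DomainPasswordPolicy -Policy $live -Baseline $parisBaseline
```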