Domain Design Issues


When planning a multiple-domain structure, keep the following design issues in mind:

  • Security

  • WAN or LAN bandwidth constraints

  • Legal issues

  • Domain-wide policies

Security

One reason to create a multiple-domain structure is to meet the security requirements of a business. If the business implements decentralized administration and needs to maintain a distinct administrative boundary between its business units, a multiple-domain structure might be established: creating a separate domain in the forest for each business unit enables each one to maintain its own administration. Keep in mind, however, that all domains in a forest trust one another and share the schema and configuration partitions, so whoever controls a domain controller or the Domain Admins group in any one domain can affect the forest as a whole. The domain is an administrative and policy boundary; the forest is the security boundary. If business units must be fully isolated from each other's administrators, separate forests (not merely separate domains) are required.

If the different locations or departments in a business have different security needs (such as password requirements) or a single security policy for the entire organization cannot be agreed on, multiple domains might have to be created. This way, the administrators from each domain can establish security policies that meet their specific requirements.

Tip: Also keep in mind that the more domains you create, the more Domain Admins groups you have to monitor. Each one adds administrative overhead, and tracking who holds these privileges across many domains becomes difficult, especially for security purposes.


WAN or LAN Constraints

Chapter 2 explained that Active Directory replication is based on the multimaster replication model: all domain controllers in a domain are peers, and each maintains an up-to-date, writable copy of the domain's directory partition. This results in more replication traffic within a domain than between domains, because every change made to the directory is replicated to all domain controllers in the domain.

Tip: Also keep in mind that every changed attribute of an object is replicated throughout the domain, which adds to network traffic. By contrast, only a subset of attributes (the partial attribute set) is replicated to Global Catalog servers in other domains.


The point of this discussion is that if the organization has LAN or WAN links that are slow, unreliable, or already heavily used, those links might not be capable of carrying the replication traffic generated within a single domain. In such cases, multiple domains might be created to contain replication traffic. Sites and site links can schedule and compress replication across a slow link within a single domain, so a domain split is justified only when the volume of directory changes itself exceeds what the link can carry.

Note: Only a thorough assessment of the network's physical structure will determine whether there are WAN or LAN constraints that require multiple domains.


Let's take a look at an example. If the XYZ Corporation implements a single-domain model, all the objects and their associated attributes will be replicated to every domain controller in every location. Then, every time a change is made to the directory, the change will be replicated throughout the domain. If the physical link between the New York and Paris locations is slow, this might not be the best model to implement. To reduce replication traffic across the slow link, at least two separate domains (for example, one for New York and one for Paris) should be created; only schema and configuration changes and the Global Catalog's partial attribute set then need to cross the link.

Legal Issues

In today's world of enterprise networks that span different countries, you might need to consider certain legal issues when planning domains, and those issues might result in the implementation of a multiple-domain structure. For example, a business that has an international presence might be required to maintain separate domains for its overseas locations. An organization might also need to keep employee information for its European subsidiaries separate from U.S. employee data because the European Union has much more stringent confidentiality requirements than the U.S. does. To meet the requirements of different countries, separate domains would have to be created.

Domain-wide Policies

If creating different security configurations for different groups of users and computers throughout the business is necessary, you also might need to create more than one domain. Only a thorough assessment of a business's security requirements will determine whether more than one domain is needed.

The following are some security options set on a domain basis:

  • Password policy: Determines the requirements for user passwords, such as minimum password length, password history, and maximum password age

  • Account lockout policy: Determines when a user account is locked out of the system, such as the number of failed logon attempts and the lockout duration

  • Kerberos policy: Determines the settings pertaining to Kerberos security, such as the maximum lifetime of a service ticket

If a business requires unique security policies to be applied to different groups of users, more than one domain is required, because these account policy settings take effect for domain accounts only when applied at the domain level (normally in the Default Domain Policy); the same settings placed in a Group Policy object linked to an organizational unit do not apply to domain accounts. For example, if the XYZ Corporation requires a separate, more secure password policy to be applied to its employees in the Paris location, a multiple-domain model would have to be implemented.

Note: Because security policies are applied at the domain level, they must be applied and managed in each domain, which increases administrative overhead.
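The per-domain nature of these settings, and the tip earlier in this section about monitoring one Domain Admins group per domain, both lead to the same operational task: auditing every domain in the forest rather than assuming the forest is uniform. The following script is an added example, not part of the Exam Cram text; it assumes a machine with the RSAT ActiveDirectory PowerShell module (a later tool, not available on Windows 2000 itself) and an account that can read every domain in the forest. The baseline values it checks against (a 12-character minimum and a non-zero lockout threshold) are constructed placeholders, not a recommendation from the book.

```powershell
# Added example (not from the Exam Cram text): audit the settings this chapter
# says are configured per domain, across every domain in the forest.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # Account policies (password, lockout) apply to the whole domain, so a single
    # query per domain captures what every account in that domain is subject to.
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domainName

    # Domain Admins is RID 512 in every domain. Resolving it by SID rather than by
    # name keeps the audit correct in domains with localized group names.
    $domainAdminsSid = "$($domain.DomainSID)-512"
    $domainAdmins = Get-ADGroupMember -Identity $domainAdminsSid -Server $domainName -Recursive

    [pscustomobject]@{
        Domain             = $domainName
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        PasswordHistory    = $policy.PasswordHistoryCount
        MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
        LockoutThreshold   = $policy.LockoutThreshold
        LockoutDurationMin = $policy.LockoutDuration.TotalMinutes
        DomainAdminCount   = @($domainAdmins).Count
        DomainAdmins       = (@($domainAdmins) | ForEach-Object SamAccountName) -join ';'
    }
}

# One row per domain: this is the table you cannot get from a single domain,
# because each domain carries its own Default Domain Policy and its own Domain Admins.
$report | Format-Table -AutoSize

# Flag domains weaker than an agreed baseline (constructed placeholder values).
$minimumLength = 12
$weak = $report | Where-Object {
    $_.MinPasswordLength -lt $minimumLength -or $_.LockoutThreshold -eq 0
}
if ($weak) {
    Write-Warning "Domains below baseline: $(($weak | ForEach-Object Domain) -join ', ')"
}
```

Run it from any domain-joined workstation in the forest; Get-ADForest is queried once and then each domain is contacted directly with -Server, so the output reflects what each domain's own controllers report rather than a cached Global Catalog view. Kerberos policy is also domain-wide but is not exposed by Get-ADDefaultDomainPasswordPolicy; it has to be read from the Default Domain Policy GPO separately.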




MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
Year: 2003