Planning Multiple Domains

When your organization is complex enough, or simply large enough, that you know you're going to have to create multiple domains, you should spend the extra time up front planning exactly how to implement them. Time spent on the front end will be paid back later many times over.

Draw out your planned domain structure and compare it to your planned (or existing) namespace. Decide what simply must be a domain and what can comfortably be an OU. Identify which servers will be your domain controllers. Keep in mind that the concepts of primary domain controller and backup domain controller from Windows NT are gone. All domain controllers within a domain are of equal weight and importance. Changes made to any domain controller are propagated to all other controllers within the domain. If simultaneous changes are being made against multiple controllers, Active Directory uses update sequence numbers and the timestamps of the changes to resolve any conflicts.

Planning a Contiguous Namespace

When you are planning a contiguous namespace, and thus a single tree structure, you'll initially want to create the root domain for the namespace. In this namespace, you should create the primary administrative accounts, but it is best to leave the creation of other accounts until later. User and machine accounts should reside in the leaf of the tree where they are going to do the majority of their work. This is the reverse of Windows NT, where, if you are running multiple domains, you often have to create all your user accounts at the highest level of the domain because of the nature of trust relationships.

If you're migrating from an existing Windows NT environment, you might have your users in a single- or multiple-master domain. You can continue this arrangement, and it might be the easiest way to migrate from an existing environment. See Chapter 7 for a more thorough discussion about upgrading domains.

Determining the Need for a Forest

If you have an environment in which there are already multiple root domains, or where a contiguous namespace doesn't exist, you'll need to create a forest rather than a single tree environment. The first step is to take a long, hard look at your noncontiguous namespaces. Is there any opportunity to consolidate them into fewer contiguous namespaces? Now is definitely the time to do this. It will be much harder to consolidate them later, and you'll have a harder political battle as well.
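
The check described above can be run against a planned list of domain names before anything is built. The following is an added example, not code from the book: it groups planned names into trees and reports whether more than one root exists. The domain names are constructed, the function names are hypothetical, and it assumes a child domain's name is its parent's name with one label prepended.

```python
# Added example: group planned domain names into trees by DNS suffix.
# Assumption: a child domain's name is its parent's name plus one leading label.

def normalize(name):
    """Lowercase a DNS name and drop any trailing dot."""
    return name.strip().rstrip(".").lower()

def plan_trees(domains):
    """Map each tree root to the sorted list of planned domains in its tree."""
    names = {normalize(d) for d in domains}
    # Immediate parent = name minus its first label, if that name is planned.
    parent = {}
    for n in names:
        _, _, rest = n.partition(".")
        parent[n] = rest if rest in names else None
    trees = {}
    for n in sorted(names):
        root = n
        while parent[root] is not None:
            root = parent[root]
        trees.setdefault(root, []).append(n)
    return trees

def needs_forest(domains):
    """More than one tree root means the namespace is not contiguous."""
    return len(plan_trees(domains)) > 1

def skipped_levels(domains):
    """Tree roots that sit below another planned domain with a level missing."""
    names = {normalize(d) for d in domains}
    found = []
    for root in plan_trees(domains):
        labels = root.split(".")
        ancestors = {".".join(labels[i:]) for i in range(2, len(labels))}
        if ancestors & names:
            found.append(root)
    return sorted(found)

# Constructed sample plan (hypothetical names).
PLAN = ["corp.example", "emea.corp.example", "sales.emea.corp.example",
        "Research.Example.", "lab.research.example", "eng.apac.corp.example"]

if __name__ == "__main__":
    for root, members in plan_trees(PLAN).items():
        print(root, "->", members)
    print("forest needed:", needs_forest(PLAN))
    print("review (missing intermediate domain):", skipped_levels(PLAN))
```

A root reported by skipped_levels is a candidate for consolidation: planning the missing intermediate domain, or renaming the leaf, folds it back into an existing tree.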

Creating the Forest

If you've decided that there is simply no way to get down to a single, contiguous namespace, meaning that you'll need to create a forest, you should decide exactly where the root of each tree in the forest will reside. Think about the physical locations of your potential domain controllers, the layout of your network, the bandwidth of various sites, and the current existence of Windows NT 4 domains and controllers. Once you have a good physical and logical map of your network, you're in a position to plan your domain strategy.

Create your root-level domains first and then start building your trees. This isn't an absolute requirement—if you miss a tree or something changes, you can go back and add another tree to your forest. However, it's generally better to create the roots first, if only for the purpose of getting things lined up and getting your tree-to-tree trust relationships in order.

Once you've created the root of a tree, there is no easy way to rename or delete it, so don't rush into creating your domain structure. Planning it out in detail will save you a huge headache in the long run.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320
