The first step in creating a domain plan is to define domains. When you define domains, you determine the domains needed for each forest in your organization. This lesson discusses how to define domains, which includes assessing an organization's domain needs and determining the number of domains it requires.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
In Active Directory services, a domain is a partition of a forest, or a partial database. When you define domains, data is placed where it is most relevant in small databases, resulting in a large database that is efficiently distributed over the network. Recall that in Windows 2000 and Active Directory, domains represent security boundaries. Each domain has a unique name and provides access to centralized user accounts and group accounts maintained by the domain administrator. Active Directory is made up of one or more domains, each of which can span one or more sites.
There are two goals you should keep in mind when defining the domains for your organization:
Defining Domains Based on Geographical Structure
In Chapter 2, "Introduction to Designing a Directory Services Infrastructure," one of the ways you learned to represent the geographical structure of an organization was by diagramming your organization's network architecture. You should use your network architecture diagram as a guide when defining domains for your organization. You should also consider other infrastructures currently employed in the organization. For example, if your organization has already invested in a DNS structure, you should probably retain this structure. Similarly, if your organization is using a large Microsoft Exchange operation, you may want to base your domain structure on the same model. Before you change existing infrastructures, you must weigh the cost of the change against the potential benefits.
Because functional structures such as divisions, departments, or project teams are always subject to change, defining domains based on these structures in the organization is strongly discouraged. The domain structures you create in Windows 2000 are not as flexible as your business environment. Once you create a domain and place it in a hierarchy, that domain cannot be easily moved or renamed. If the domain is a forest root domain it can never be moved or renamed.
Minimizing the Number of Domains
One of the guiding principles for designing your Active Directory infrastructure is to design for simplicity; this includes minimizing the number of domains. Whenever possible, it's best to limit your infrastructure design to one domain that is administered through organizational units (OUs). Adding domains to the forest increases management and hardware costs.
If you are upgrading from Windows NT, it is likely that you will need to consolidate domains. The principles for defining multiple domains in Windows NT no longer apply in Windows 2000. These principles are
For information on designing OUs to delegate administration, see Chapter 5, "Creating an Organizational Unit Plan."
To define domains, you must complete the following tasks:
To define domains for your organization, you must first consult the following documents compiled earlier by your design team:
Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure." The forest model is discussed in Chapter 3, "Creating a Forest Plan."
In addition to assessing the information compiled in these documents, it is imperative that you also assess changes currently planned to business structures, network architecture, technical standards, and the existing domain architecture to address growth, flexibility, and the ideal design specifications of the organization.
You must determine the number of domains for each forest in your organization. While one domain may effectively represent the structure of small or medium-sized organizations, larger and more complex organizations may find that one domain is not sufficient. To determine the number of domains for your organization's Active Directory infrastructure, you must carefully consider the reasons for defining multiple domains. Before adding any domains you should be able to state the purpose of the new domain and justify it in terms of administrative and hardware costs.
These are the reasons to consider using multiple domains:
When you're attempting to justify a new domain, consider all of the reasons together; there may be more than one reason for defining a domain.
Do not use multiple domains to accommodate polarized groups or for isolated resources that are not easily assimilated into other domains. Both the groups and the resources are usually better candidates for OUs.
Meeting Security Requirements
The settings in the Account Policies subdirectory in the Security Settings node of a group policy object can be specified only at the domain level. If the security requirements set in the Account Policies subdirectory vary throughout your organization, you will need to define separate domains to handle the different requirements. The Account Policies subdirectory contains the following policies:
Meeting Administrative Requirements
Some organizations may need to establish boundaries to meet special administrative requirements that cannot be accommodated by establishing OUs in one domain. Special requirements might include satisfying specific legal or privacy concerns. For example, an organization may have a privacy requirement that outside administrators not be given control over sensitive product development files. In a one-domain scenario, members of the Domain Admins predefined global group would have complete control over all objects in the domain, including the sensitive files. By establishing a new domain containing the files, the first Domain Admins group is outside of the new domain and no longer has control of the files.
Optimizing Replication Traffic
In organizations with one or more sites, you must consider whether site links can handle the replication traffic associated with a single domain. In a forest with one domain, all objects in the forest are replicated to every domain controller in the forest. If objects are replicated to locations where they are not used, bandwidth is used unnecessarily. By defining multiple small domains and replicating only those objects that are relevant to a location, you can reduce network traffic and optimize replication. However, you must weigh the savings achieved by optimizing replication against the cost of hardware and administration for the additional domains.
To determine whether you should define a domain to optimize replication traffic, you must consider
Retaining Windows NT Domains
Organizations with large Windows NT infrastructures may choose to retain an existing Windows NT domain. Existing Windows NT domains can be upgraded to Windows 2000, sometimes referred to as an in-place upgrade. You must weigh the costs of upgrading the Windows NT domain or consolidating the domain against the savings of maintaining and administering fewer domains. It is recommended that you minimize the number of domains by consolidating Windows NT domains before upgrading to Windows 2000.
For information on upgrading existing Windows NT domains to Windows 2000 or consolidating Windows NT domains, see Lesson 1, "Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory," in Chapter 7, "Creating an Active Directory Services Implementation Plan."
Adding a domain increases administrative and hardware costs. When determining whether to define multiple domains, keep the following cost issues in mind:
To define domains
Figure 4.1 shows the network architecture diagram for Pacific Musical Instruments, a manufacturer of traditional instruments of the countries of the Pacific Rim.
Figure 4.1 Network architecture diagram for Pacific Musical Instruments
Figure 4.2 shows the domains defined for Pacific Musical Instruments. Domains were defined for the following reasons:
Figure 4.2 Domains defined for Pacific Musical Instruments
In this lesson you learned how to define domains for each forest in an organization by assessing an organization's domain needs and determining the number of domains it requires. Two goals should be kept in mind when defining the domains for your organization: to define domains based on the geographical structure of an organization's environment and to minimize the number of domains. It is easier to minimize the number of domains in Windows 2000 because the principles for defining multiple domains in Windows NT no longer apply.
You also learned the reasons for defining multiple domains, which include meeting security requirements, meeting administrative requirements, optimizing replication traffic, and retaining Windows NT domains. The implications of defining multiple domains were discussed, including how adding a domain increases administrative and hardware costs. Finally, you learned to define domains using an organization's network architecture diagram.