Summary

After deciding upon the forest design, the domain design is the next layer of Active Directory that you must define. Again, as in the forest design, the administrative responsibilities define how the domain structure is designed. Several options are available and each one needs to be judged on its ability to provide the appropriate administrative control.

Although domains can take on different designs, you also need to take into consideration the requirements for autonomy and isolation. A single domain may be the easiest to work with, but it may not provide the administrators with the kind of control over their resources that they need. Also, you will need to address issues involving migrating the existing domain, trust relationships, and security.

Windows NT 4 and Windows 2000 pose different challenges when you are upgrading or migrating Active Directory to Windows Server 2003. The domain naming structure has to be determined as well as the upgrade strategy. The first part of this strategy involves determining how the forest root domain will be created and then how the remaining domains will be integrated into the forest/domain. Once the domain design has been determined, you will need to create the trust relationships that are required to facilitate authentication to all of the domains.

Once all of domain design considerations have been worked out, the design team needs to drill down one more layer and take a look at the administrative capabilities of OUs. In the next chapter, we are going to discuss how OUs allow you to control administrative access to objects within domains, and how they are more versatile than the forest or domain structures.