Forest and trees in AD

Status
Not open for further replies.

1666

Technical User
Dec 12, 2002
131
GB
Hi, question from my boss (I don't have a clue): what are the benefits between a single forest structure with a single tree and child domains, which are our offices overseas, and a multiple forest structure with each forest having a trust between each other?

Also does anyone know of any good AD diagrams (for the above questions)?

Kind regards

Andy
 
In my opinion (and many people will have different opinions about this), it has to do with administration of your network.

If you are a single company with central administration, I would think that maybe ONE FOREST with ONE or TWO DOMAINS would be a good configuration.

If your company has sub companies that are run in a distributed manner, I would think that either a multi-forest configuration or a multi-tree configuration is appropriate.

Maybe give some detail about your network and we can help try to figure out the pros and cons for you?

There are many things to consider in the design....too many to list.

-hope this helps..

Joseph L. Poandl
MCSE 2000

If your company is in need of experts to examine technical problems/solutions, please check out
 
Hi, well we are an NT4.0 single only based domain and are to move to AD (2003) eventually. We have 5 other countries who are in the same position that have always run their own domain and have never had a trust between any domains. We need to know the pros and cons if we were to have a single forest with one tree and multiple child domains or everyone build their own forest and create trusts when needed?

Andy
 
Read:

and:
They are good starting points.

I would basically say go single forest unless the separate offices in your organisation have the authority and desire to run autonomously.

Domain breakdown is a little more complex as it involves taking WAN connections into consideration as well as the administration side.

But basically you need to read up on it in depth - get it wrong and you'll have a nightmare for years to come...
 
1666,

NickFerrar is right. You should probably spend a lot of time planning this out.

MS recommends that you keep your domain structure as simple as possible. In fact, in most cases, MS says to reduce the number of domains if possible. I have been working on many domain migrations and, in general, I always consolidate domains.

I would guess that you should have a SINGLE FOREST. Maybe something like this:

CompanyX.com ---> USCompany.com --> NewYork.USCompany.com
|
|
UKCompany.com --> London.UKCompany.com


In this example, you have Company.com domain being the top of the forest. MS has a strategy of creating an empty Root domain at the top of the enterprise. Don't create any users here, this domain is meant to protect all of your lower domains. Only the company head IT department will have the domain passwords for this domain.

This top domain will allow other subcompanies to join your network without the risk of them joining your domain directly. Also, when a subcompany joins the forest, you can later change the password so that they don't have access to the Root domain any longer. This top domain also allows for some flexibility later if needed.

The lower trees (UKCompanyx.com and USCompanyX.com) are where you would put most user accounts and resources. For example, USCompanyX.com might be your current domain. Maybe you can perform an in-place upgrade of your domain to Windows 2000.

-Just some quick thoughts... Hope this helps.




Joseph L. Poandl
MCSE 2000

 
The design of your AD should be the result of customer needs.
Where can the AD/tree design have an influence?
1. name structure
- if you have more trees in your forest, you will have an independent name for all of your trees:
"gia.com" and "romania.com" can be trees in the same forest!
- if you have one tree, you will have a contiguous name space

So, this is the major difference.
If you want to have different forests, then, there are many issues involved.

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
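
The naming point from the replies above, as an added example that is not part of any poster's message: a Python sketch that groups a forest's domain names into trees by contiguous DNS suffix and lists the trusts Active Directory creates automatically inside one forest (parent-child and tree-root, both two-way and transitive). The domain list is copied from the diagram earlier in the thread; the function names are hypothetical.

```python
# Added illustration. Domain names are taken from the diagram in the thread;
# parent_of() and build_forest() are hypothetical helper names.
FOREST_ROOT = "CompanyX.com"
DOMAINS = [
    "CompanyX.com",
    "USCompany.com",
    "NewYork.USCompany.com",
    "UKCompany.com",
    "London.UKCompany.com",
]


def parent_of(domain, domains):
    """Return the closest ancestor of `domain` that is in `domains`, or None."""
    known = {d.lower(): d for d in domains}
    labels = domain.lower().split(".")
    # Drop one leading label at a time: a.b.c -> b.c -> c (closest match first).
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return known[candidate]
    return None


def build_forest(forest_root, domains):
    """Group domains into trees and list the automatic intra-forest trusts."""
    if forest_root not in domains or parent_of(forest_root, domains):
        raise ValueError("forest root must be listed and must head its own tree")
    trees, tree_of, trusts = {}, {}, []
    # Fewer labels first, so every parent is placed before its children.
    for d in sorted(domains, key=lambda name: name.count(".")):
        parent = parent_of(d, domains)
        if parent is None:
            # Non-contiguous name: this domain starts a new tree in the forest.
            trees[d], tree_of[d] = [d], d
            if d != forest_root:
                trusts.append((forest_root, d, "tree-root"))
        else:
            # Contiguous name: child domain inside an existing tree.
            tree_of[d] = tree_of[parent]
            trees[tree_of[d]].append(d)
            trusts.append((parent, d, "parent-child"))
    return trees, trusts


if __name__ == "__main__":
    trees, trusts = build_forest(FOREST_ROOT, DOMAINS)
    for root, members in trees.items():
        print("tree", root, "->", members)
    for a, b, kind in trusts:
        print(f"{a} <-> {b} ({kind}, two-way transitive)")
```

With the names as drawn, USCompany.com and UKCompany.com are not children of CompanyX.com by name, so the forest holds three trees. Because every listed trust is transitive, each domain in the forest ends up trusting every other, which is not the case between separate forests until a trust is created.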
 