Full of I.T.

Kevin Remde's IT Pro WebLog

Best of Questions and Answers for TechNet Webcast: Best Practices for Designing the Active Directory Structure

I've been unlocking the mysteries of Active Directory since before you were born, sonny! Here are the “Best Of” our questions and answers from today’s TechNet Webcast: Best Practices for Designing the Active Directory Structure.

BIG thank you to Matt Hester, who answered the questions in the background during the webcast; and whose work this represents.

Thanks to all who attended!


Questions and Answers:

“What are the tradeoffs for naming your internal domain the same as the external, or using a different internal name (name.com vs. name.local, etc.)?”

If you keep them the same, it makes life a little easier, but it may not be as secure. Take a look at this KB: http://technet2.microsoft.com/WindowsServer/en/library/0487c48b-c901-42fc-8507-a88e651a9d281033.mspx?mfr=true

“If the GC is the only one that can authenticate the user, then what is the use of having additional DCs?”

You use the GCs to help scale and control authentication. However, DCs play many pivotal roles in your organization that support many other functions. Take a look at this KB for other articles: http://support.microsoft.com/kb/223346

“How is the size of the Active Directory database calculated?”

There are a lot of factors that go into sizing the AD database. Take a look at this article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbg_dat_yxcl.mspx?mfr=true

“Can you talk a little bit about cost between site links?”

This is a great KB about this (even though it is Windows 2000): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd06.mspx

“I have a simple system, Windows Server 2003 R2 with one forest containing one domain. I have 2 DCs for redundancy; the same boxes also run DNS services. The domain controller that was set up first is also running print server and WSUS. The second DC is running file server. Is this too much for those boxes to handle? Or is there some technical reason why I should not be doing this setup? I have not seen any slowdowns so far; the domain has been up for 4 months. Total number of desktops is ~25 and 3 printers.”

No real technical reason in the scenario you describe. It all comes down to workload: how many users, and how much work the servers are doing. As long as the servers are still performing well, you should be okay.

“Can a user in one Domain (with an established trust relationship) be a member of the ‘Domain Admins’ group on another domain?”

Yes, as long as the trust relationship is properly established.

“How do you make all DCs Global Catalog servers?”

There is a simple check box in the configuration of the server’s NTDS Settings under the AD Sites and Services tool. Take a look at this KB: http://support.microsoft.com/kb/313994

“How can you enable Universal Group Membership Caching (UGMC)?”

Take a look at this KB: http://technet2.microsoft.com/WindowsServer/en/library/08f11546-a6ed-4045-9d60-20a5fc1db11b1033.mspx?mfr=true

“Is it wise to make all DCs global catalog servers? Isn’t that a no-no? What are the disadvantages?”

In a single-domain forest there is no reason not to, and there is the benefit of sharing the load between DCs. But in a forest of two or more domains, it’s generally not a good idea. It will generate too much replication traffic. Generally you want at least 2 per site. This KB is a good place to start:
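As an added example (not part of the webcast Q&A, and not Matt's or Microsoft's own script), the PowerShell below does what the two answers above describe: it enables the Global Catalog on every DC through the NTDS Settings object, but refuses to proceed when the forest has more than one domain, since the answer above says that is generally not a good idea. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT, which postdates the webcast) and Enterprise Admin rights.

```powershell
# Added example: make every DC of a single-domain forest a Global Catalog.
# Assumes the ActiveDirectory PowerShell module and Enterprise Admin rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.Domains.Count -gt 1) {
    # Multi-domain forest: every DC as a GC means each one replicates a partial copy of
    # every other domain, which is the replication traffic the answer above warns about.
    Write-Warning ("Forest {0} has {1} domains; review per-site GC placement instead of " +
                   "enabling the GC everywhere.") -f $forest.Name, $forest.Domains.Count
    return
}

foreach ($dc in Get-ADDomainController -Filter *) {
    # The GC check box in AD Sites and Services sets bit 0x1 of the 'options'
    # attribute on the DC's NTDS Settings (nTDSDSA) object.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options          # $null (never set) casts to 0

    if ($opts -band 0x1) {
        Write-Output "$($dc.HostName) (site $($dc.Site)): already a Global Catalog"
        continue
    }

    Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = ($opts -bor 0x1) }
    Write-Output "$($dc.HostName) (site $($dc.Site)): Global Catalog flag set; it starts " +
                 "advertising as a GC once its partial replicas have replicated in"
}

# Verification pass: the flag is also surfaced as IsGlobalCatalog on each DC object.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog |
    Format-Table -AutoSize
```

Run the verification part on its own (the last three lines) during a change review to confirm that GC placement in each site still matches your design.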

“The root server has all the roles; if I have an additional DC, should any FSMO role be transferred or not? Or is it required to transfer the role?”

Yes, FSMO roles can be transferred. Take a look at this KB on how: http://support.microsoft.com/kb/324801

“Given the following, what design would you recommend?
One company with locations across the US and Canada. Locations can either have end users or can be a datacenter site. All sites are managed by a single IT staff running 24×7. The only requirement is to ensure that only certain users/groups can log in to servers at the designated datacenter sites.”

I don’t see anything in this description to suggest that separate domains or forests need to be used. One IT staff, with no specific politics or WAN connectivity issues to require separate domains or forests, and the requirement of restricting access can be fulfilled by other means… so I think you’re fine here with just one forest containing one domain.