We are working on a Windows 2000 AD which consists of a single forest containing 10 domains. Other than the root, the child domains are division-specific and have two-way trusts. The domain servers are connected via Web links. The domains are not managed centrally and require separate accounts for administration to access each domain. Also, the user accounts are not organised within the domain. There are around 7000 to 10000 users spread across locations.
There is a need to re-architect this domain to Windows 2008, where we need to consider: 1) User consolidation 2) Create a separate domain space for the company's client accounts 3) Automate password reset 4) Provision for client machine logins even when AD authentication is not available, etc. 5) Availability & Security and 6) Cost
We are looking at options like Single Forest, Single Domain, organising users via OUs (with delegated rights) rather than with child domains, etc.
Based on your experience, can anyone help provide some pointers/recommendations as to what could be the best possible design options to meet the criteria and also limit cost?