I am tasked with restructuring Active Directory within our company domain,
which is a crucial step to have a real and effective network setup.
The plan is that all offices should have a DNS forest domain on a city
basis. This schema should be something like this:
Office Location   Proposed domain name         Current domain name
London            london.<company>.local       <company>.local
Moscow            moscow.<company>.local       moscow.<company>.local
Houston           houston.<company>.local      <company>.local
Caracas           caracas.<company>.local      <company>.local
Maracaibo         maracaibo.<company>.local    <company>.local
Is the above just going into the DNS management console and doing some
reconfiguring, or will it also require the restructuring of AD as well?
Ideally we would like to restructure AD as well, if feasible, as outlined
The idea (good or bad) is to keep our current <company>.local domain as the 'top
level' domain, and it would be 'clean', i.e. only have pointers to the subdomains'
DNS servers or zones and the proper CNAMEs for critical services servers.
Considering the above, what domain model would be ideal? I was thinking of a
Placeholder domain so the placeholder will be <company>.local domain and the
subdomains underneath it london.<company>.local etc which will contain users,
groups and other resources. Also, we have far-flung geographical locations
(as above) with slow link speeds to the main office.
Our current AD structure is a mess - it's just <company>.local with all user
and computer accounts in their respective default containers! Strangely GPs
still get applied to both...how is that so with them being in default
containers?? So there is no OU structure at all. Would it be best practice to
use a Placeholder domain with an organised OU structure reflecting the
functions in the proposed subdomains as listed above? What's the procedure for
'moving' AD objects, users etc., from the main domain to their new
<office>.<company>.local? Will a migration be involved or is it a case of
'drag and drop'?
Or would it be just better to re-organise DNS and leave AD alone??
To add complexity, we also have a unix developer environment that has to
co-exist with the Windows domain restructuring. So will DNS zones have to be
non secure updates to allow unix BIND servers?
How will this proposed domain setup work in relation to centralized
administration from one main office, because that's what we really want? We
don't want to delegate any admin tasks to other offices. What about security
policies in subdomains and trust relationships etc.? Would each office
location be better off in its own site given that the links aren't the best?
And how would our Exchange servers fit into all of this - will they stay the
same or need restructuring in some way as well?
Furthermore, Users have hard typed links to machines (not servers) in the
top <company>.local forest. Would this be a problem? What other
problems/questions might there be?
So given all of the above (I know it's a lot of info!), what is the best way
Please can someone give me some good advice, and/or point me to some good
resources for this kind of thing?
Thanks in advance,
July 23, 2008 8:06 PM
July 25, 2008 11:50 AM
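As an added illustration that is not part of the original post, the following PowerShell shows what the layout the poster describes looks like when created on a domain controller: the <company>.local root zone kept AD-integrated with secure-only dynamic updates, one delegation per office child zone, and one AD site, subnet and site link per office so authentication stays local and replication over the slow links is scheduled. It assumes the Windows Server 2012+ DnsServer and ActiveDirectory modules; the DC names, IP addresses and subnets are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the DnsServer and
# ActiveDirectory modules (Windows Server 2012+) on a DC for company.local.
# Office DC names, IPs and subnets below are constructed placeholders.
Import-Module DnsServer, ActiveDirectory

$Root = 'company.local'
$Offices = @(
    @{ Name = 'london';    Dc = 'dc1.london.company.local';    Ip = '10.1.0.10'; Subnet = '10.1.0.0/16' }
    @{ Name = 'moscow';    Dc = 'dc1.moscow.company.local';    Ip = '10.2.0.10'; Subnet = '10.2.0.0/16' }
    @{ Name = 'houston';   Dc = 'dc1.houston.company.local';   Ip = '10.3.0.10'; Subnet = '10.3.0.0/16' }
    @{ Name = 'caracas';   Dc = 'dc1.caracas.company.local';   Ip = '10.4.0.10'; Subnet = '10.4.0.0/16' }
    @{ Name = 'maracaibo'; Dc = 'dc1.maracaibo.company.local'; Ip = '10.5.0.10'; Subnet = '10.5.0.0/16' }
)

# Keep the root zone accepting secure dynamic updates only, so that just
# authenticated, domain-joined hosts can register or overwrite records.
Set-DnsServerPrimaryZone -Name $Root -DynamicUpdate Secure

foreach ($o in $Offices) {
    # Delegate <office>.company.local from the root zone to that office's DC;
    # the glue A record for the child name server is created with the delegation.
    Add-DnsServerZoneDelegation -Name $Root -ChildZoneName $o.Name `
        -NameServer $o.Dc -IPAddress $o.Ip

    # One AD site per office: clients authenticate against a DC in their own
    # site, and replication over the slow WAN link runs on a schedule.
    $siteName = (Get-Culture).TextInfo.ToTitleCase($o.Name)
    New-ADReplicationSite -Name $siteName
    New-ADReplicationSubnet -Name $o.Subnet -Site $siteName
    New-ADReplicationSiteLink -Name "HQ-$siteName" `
        -SitesIncluded 'Default-First-Site-Name', $siteName `
        -Cost 200 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
}
```

Hosts outside the domain (such as the unix BIND servers) can still be given static records in the zone by an administrator without relaxing the update policy.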