Active Directory Re-Design/Architecture/Migrate

Active Directory
Active Directory Deployment
Active Directory migration
Windows Server 2000

We are working on a Windows 2000 AD which consists of a single forest containing 10 domains. Other than the root, the child domains are division specific and have two-way trusts. The domain servers are connected via web links. The domains are not managed centrally and require separate accounts for administration to access each domain. Also, the user accounts are not organised within the domain. There are around 7000 to 10000 users spread across locations.

There is a need to re-architect this domain to Windows 2008, where we need to consider: 1) user consolidation, 2) creating a separate domain space for the company's clients' accounts, 3) automating password reset, 4) provision for client machine logins even when AD authentication is not available, etc., 5) availability and security, and 6) cost.

We are looking at options like a single forest, a single domain, organising users via OUs (with delegated rights) rather than with child domains, etc.

Based on your experience, can anyone help to provide some pointers/recommendations as to what could be the best possible design options to meet the criteria and also limit cost?




Answer Wiki


Your questions cannot really be answered here because you are asking for an AD design to be done for you when there isn't enough information. I can provide some principles you should work to:
1) Start with a single forest and a single domain
2) Add domains for separation of administration or to limit replication, e.g. 5000 users in UK & 5000 users in US. The users never travel between locations so don't need to replicate data
3) I would probably put client accounts in a separate forest – need to know why they have accounts and what they access to be able to give a complete answer
4) Password reset can be self service but not automated. Need third party product e.g. Quest
5) Can use cached credentials to logon to client machines BUT won't be able to access domain resources such as file servers if not connected to network
6) Availability – use multiple domain controllers per site
7) use OUs for user / computer grouping
8) use GPOs for security settings – don't apply them across domains

It sounds like you need to engage an AD consultant to help you.
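As an added illustration (not part of the original thread) of the single-domain design the answer recommends, the script below builds one OU per division, delegates only the "Reset Password" right on that division's user objects to a per-division helpdesk group, and links a GPO inside the domain that keeps cached logons for clients. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 RSAT or later, not plain Windows 2008) and a hypothetical domain corp.example.com; the division names are constructed sample data.

```powershell
# Added example: division OUs with delegated rights instead of child domains.
# Assumes the ActiveDirectory/GroupPolicy modules and a hypothetical domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=corp,DC=example,DC=com'            # assumption
$Divisions = @('Finance', 'Engineering', 'Sales')   # constructed sample

# Well-known schema GUIDs used in the ACL below
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class "user"

# One parent OU for all consolidated staff accounts
New-ADOrganizationalUnit -Name 'Staff' -Path $DomainDN

foreach ($div in $Divisions) {
    $divOU  = "OU=$div,OU=Staff,$DomainDN"
    $userOU = "OU=Users,$divOU"
    New-ADOrganizationalUnit -Name $div        -Path "OU=Staff,$DomainDN"
    New-ADOrganizationalUnit -Name 'Users'     -Path $divOU
    New-ADOrganizationalUnit -Name 'Computers' -Path $divOU

    # A per-division helpdesk group: its members administer only this OU, so the
    # delegation replaces both the child domain and the extra admin account per domain.
    $group = New-ADGroup -Name "$div-Helpdesk" -GroupScope Global -Path $divOU -PassThru

    # Grant the group "Reset Password" on user objects under the Users OU only.
    $acl  = Get-Acl -Path "AD:\$userOU"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$userOU" -AclObject $acl
}

# One GPO, linked inside this domain only, that keeps cached logons so clients can
# still sign in when no domain controller is reachable (domain resources stay unavailable).
$gpo = New-GPO -Name 'Staff Workstation Baseline'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'CachedLogonsCount' -Type String -Value '10' | Out-Null
New-GPLink -Name $gpo.DisplayName -Target "OU=Staff,$DomainDN" -LinkEnabled Yes | Out-Null
```

Run it once as a domain administrator; afterwards members of each helpdesk group can reset passwords for their own division's users without being administrators anywhere else.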
