A few colleagues asked me the following question: “Are multiple Active Directory domains in a single forest required today?”.
Since there is no official answer, I will try to provide a few guidelines that will help you reach the correct answer for your enterprise.
From my perspective, the main (please note: main) reasons to use multiple Active Directory domains in a single forest are:
A. The domain scalability limits do not meet your enterprise's needs:
Maximum Number of Objects
Maximum Number of Security Identifiers
Maximum Number of entries in Discretionary and Security Access Control Lists
Group Memberships for Security Principals
FQDN Length Limitations
File Name and Path Length Limitations
Additional Name Length Limitations
Maximum Number of GPOs Applied
Maximum Number of Accounts per LDAP Transaction
Recommended Maximum Number of Users in a Group
Recommended Maximum Number of Domains in a Forest
Recommended Maximum Number of Domain Controllers in a Domain
Recommended Maximum Kerberos Settings
For further information, please review: Active Directory Maximum Limits – Scalability
Note: For most enterprises today, a Windows 2012 domain meets all of the enterprise's requirements. Therefore, do not go ahead
and set up a new Root / Sub domain without understanding the Windows 2012 domain capabilities.
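An added inventory script, not from the original post, for measuring a forest against the limits listed above before deciding that a new domain is needed. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to every domain; the threshold values are placeholders to be replaced with the figures from the scalability document.

```powershell
# Added example (not code from the original post): measure the scalability dimensions
# listed in section A for every domain in the forest, so the decision to add a
# Root / Sub domain rests on measured numbers.
# Assumptions: the RSAT ActiveDirectory and GroupPolicy modules are installed and the
# caller can read every domain. The threshold values are PLACEHOLDERS; replace them with
# the figures from "Active Directory Maximum Limits - Scalability" that apply to you.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Thresholds = @{
    ObjectsPerDomain = 1000000   # placeholder
    UsersPerGroup    = 5000      # placeholder
    DcsPerDomain     = 100       # placeholder
    GposPerDomain    = 500       # placeholder
    FqdnLength       = 64        # placeholder
}

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $server = $domain.PDCEmulator    # query one DC per domain so the counts are consistent
    # Every object in the domain partition (tombstoned objects are not returned)
    $objects = Get-ADObject -Server $server -SearchBase $domain.DistinguishedName -Filter * |
               Measure-Object | Select-Object -ExpandProperty Count
    # Largest group by direct membership. Read the 'member' attribute instead of calling
    # Get-ADGroupMember, which stops at the web service's default entry limit on big groups.
    $largest = Get-ADGroup -Server $server -Filter * -Properties member |
               Sort-Object { $_.member.Count } -Descending | Select-Object -First 1
    $dcCount  = $domain.ReplicaDirectoryServers.Count + $domain.ReadOnlyReplicaDirectoryServers.Count
    $gpoCount = (Get-GPO -All -Domain $domainName -Server $server | Measure-Object).Count
    # Collect the name of every dimension that exceeds its threshold
    $flags = @(
        if ($objects -gt $Thresholds.ObjectsPerDomain)           { 'Objects' }
        if ($largest.member.Count -gt $Thresholds.UsersPerGroup) { 'GroupSize' }
        if ($dcCount -gt $Thresholds.DcsPerDomain)               { 'DomainControllers' }
        if ($gpoCount -gt $Thresholds.GposPerDomain)             { 'GPOs' }
        if ($domainName.Length -gt $Thresholds.FqdnLength)       { 'FqdnLength' }
    )
    [PSCustomObject]@{
        Domain            = $domainName
        Objects           = $objects
        LargestGroup      = "$($largest.Name) ($($largest.member.Count))"
        DomainControllers = $dcCount
        GPOs              = $gpoCount
        OverLimit         = $flags -join ', '   # empty when every dimension is within limits
    }
}
"Domains in forest: $($forest.Domains.Count)"
$report | Format-Table -AutoSize
```

The script only reads the directory; on a large domain the full object count can take a while, so run it from an administrative workstation during a quiet period.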
B. Your enterprise security policy prohibits storing the passwords of users from other domains on the domain controller.
However, you can overcome this issue by using an RODC (Read-Only Domain Controller), etc.
Please note that even if you install a new Root / Sub domain, the following partitions would still be shared:
3. Optional – DNS.
Note 1: The Global Catalog server(s) of the new Root / Sub domain would hold details of the other domain's objects (but with less
Note 2: You may need to use a GPO to block users of other domains from logging on to the new Root / Sub domain.
C. Your enterprise security policy prohibits setting up a direct “Domain Trust” from one domain to another. Therefore, a separate domain (with its own PDC Emulator) would need to be set up to meet your enterprise security policy requirements.
D. DRP (Disaster Recovery Plan) recovery time. Given the Active Directory recovery methodology, it may be more practical to recover from a single domain crash without impacting the other domain(s). However, a crash of the domain that owns the Forest Root / forest-wide FSMO roles may limit your recovery and operational capabilities. Moreover, advanced recovery mechanisms (e.g. the Active Directory Recycle Bin) provide a good workaround and save you the time and effort of handling an additional Sub / Root domain.
A. Please note that a common mistake is to set up a new Root / Sub domain for Exchange Address Book / GAL separation or hiding.
The Address Book Policies mechanism built into Exchange 2010 / 2013 meets this requirement without the need to set up a new Root / Sub domain.
B. Please note that a common mistake is to set up a new Root / Sub domain because of Active Directory delegation / multiple password policy requirements. The Active Directory delegation mechanism provides a good answer to all of your enterprise's requirements (I have not yet seen a scenario that is not supported by these mechanisms).
C. Please note that a common mistake is to set up a new Root / Sub domain because of a security requirement to block users in one domain from obtaining information about the objects of the other Active Directory domain.