Are Multiple Active Directory Domains in a Single Forest Required Today?

February 26, 2013

A few colleagues asked me the following question: “Are multiple Active Directory domains in a single forest required today?”.

Since no official answer exists, I will try to provide a few guidelines that should help you reach the correct answer for your enterprise.

The main (please note: main) reasons, from my perspective, to use multiple Active Directory domains in a single forest are:

A. The scalability limits of a single domain do not meet your enterprise's needs. The limits to check are:

Maximum Number of Objects

Maximum Number of Security Identifiers

Maximum Number of entries in Discretionary and Security Access Control Lists

Group Memberships for Security Principals

FQDN Length Limitations

File Name and Path Length Limitations

Additional Name Length Limitations

Maximum Number of GPOs Applied

Trust Limitations

Maximum Number of Accounts per LDAP Transaction

Recommended Maximum Number of Users in a Group

Recommended Maximum Number of Domains in a Forest

Recommended Maximum Number of Domain Controllers in a Domain

Recommended Maximum Kerberos Settings

For further information, please review: Active Directory Maximum Limits – Scalability
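To find out which of the limits above you are actually close to, here is an added example (it is not from the original post) that inventories a forest with the ActiveDirectory PowerShell module: domains, FSMO role owners, trusts, object counts and the largest groups by direct membership. It assumes RSAT is installed and the account running it can read every domain in the forest; all names come from whatever forest you run it in.

```powershell
# Added example (not from the original post): inventory a forest to see whether
# the per-domain limits listed above are being approached. Assumes the
# ActiveDirectory module (RSAT) and an account that can read the whole forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: {0}  (forest mode: {1})" -f $forest.Name, $forest.ForestMode
# Forest-wide FSMO roles: losing the domain that holds these is the recovery
# risk described later in section D.
"Schema Master:        " + $forest.SchemaMaster
"Domain Naming Master: " + $forest.DomainNamingMaster

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dc     = $domain.PDCEmulator

    # Object counts per class (the cmdlets page through results on their own).
    $users     = (Get-ADUser     -Server $dc -Filter * | Measure-Object).Count
    $computers = (Get-ADComputer -Server $dc -Filter * | Measure-Object).Count
    $groups    = Get-ADGroup     -Server $dc -Filter * -Properties member

    # Largest groups by direct membership, to compare with the
    # "Recommended Maximum Number of Users in a Group" limit.
    $biggest = $groups |
        Sort-Object { @($_.member).Count } -Descending |
        Select-Object -First 5 Name, @{ n = 'Members'; e = { @($_.member).Count } }

    # Trusts are limited per domain, so count them domain by domain.
    $trusts = @(Get-ADTrust -Server $dc -Filter *)

    ""
    "Domain: {0}  (domain mode: {1}, FQDN length: {2})" -f `
        $domain.DNSRoot, $domain.DomainMode, $domain.DNSRoot.Length
    "  PDC Emulator: {0}  RID Master: {1}  Infrastructure Master: {2}" -f `
        $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster
    "  Users: {0}  Computers: {1}  Groups: {2}  Trusts: {3}" -f `
        $users, $computers, @($groups).Count, $trusts.Count
    "  Largest groups by direct membership:"
    $biggest | ForEach-Object { "    {0,-40} {1}" -f $_.Name, $_.Members }
}
```

Run it once per forest before deciding that a limit forces a new domain; in most enterprises the numbers are far below every limit in the list above.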

Note: For most enterprises today, a single Windows Server 2012 domain meets all of the enterprise's requirements. Because of this, do not go ahead and set up a new root / sub domain without first understanding the capabilities of a Windows Server 2012 domain.

B. Your enterprise security policy prohibits storing the passwords (password hashes) of another business unit's users on the domain controllers that serve your unit. Every writable domain controller holds the secrets of every account in its domain, so a separate domain is one way to satisfy such a policy.

However, you can usually overcome this issue with a Read Only Domain Controller (RODC): its Password Replication Policy controls which accounts' secrets may be cached on it, and by default the members of the "Denied RODC Password Replication Group" (Domain Admins, Enterprise Admins, Schema Admins, krbtgt and similar) are never cached.
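The RODC alternative in practice, as an added example (not from the original post): define the Password Replication Policy for an RODC and then check which secrets it has really cached. It assumes the ActiveDirectory module, an existing RODC named RODC01 and the groups BranchA-Users, BranchA-Computers and Tier0-Admins; all of these names are hypothetical.

```powershell
# Added example (not from the original post): scope what an RODC placed with
# another business unit may cache. Assumes the ActiveDirectory module and the
# hypothetical RODC "RODC01" and groups "BranchA-Users", "BranchA-Computers",
# "Tier0-Admins".
Import-Module ActiveDirectory

$rodc = 'RODC01'

# Allow caching of the branch's own user and computer secrets only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'BranchA-Users', 'BranchA-Computers'

# Explicitly deny your own privileged groups. The built-in
# "Denied RODC Password Replication Group" already covers Domain Admins,
# Enterprise Admins, Schema Admins and krbtgt; custom admin tiers are not in it.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Tier0-Admins'

# Review the policy as defined on the RODC.
"Allowed:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
"Denied:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# The check a security reviewer wants: which secrets have actually been
# revealed (cached) on this RODC, and which accounts authenticated through it.
"Revealed (cached) accounts:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

"Accounts that authenticated via this RODC:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

If a privileged account ever shows up in the revealed list, treat the RODC as compromised for that account and reset its password; the RODC itself can then be deleted and its cached secrets reset from Active Directory Users and Computers.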

Please note that even if you install a new root / sub domain, the following partitions are still shared by all domains in the forest:

1. Configuration.

2. Schema.

3. Optionally, DNS (the forest-wide DNS application partition).

Note 1: The Global Catalog server(s) of the new root / sub domain will hold a partial replica of the other domains' objects (every object, but only a subset of attributes).

Note 2: Users of the other domains in the forest can log on to the new root / sub domain by default, because all domains in a forest trust each other. You may need to use a GPO (the "Deny log on locally" and "Deny access to this computer from the network" user rights) to block them.

C. Your enterprise security policy prohibits setting up an explicit "domain trust" from one domain to another. In that case a separate domain inside the forest (with its own PDC Emulator and the other domain-level FSMO roles) would need to be set up to satisfy the policy, because domains in the same forest are joined by automatic two-way transitive trusts rather than by a trust you create and manage yourself.

D. DRP (Disaster Recovery Plan) recovery time. Because of the way Active Directory is recovered, it can be easier to recover from the crash of a single domain without impacting the other domain(s). However, a crash of the domain that holds the forest root / forest-wide FSMO roles (Schema Master and Domain Naming Master) may limit your recovery and operational capabilities. Moreover, advanced recovery mechanisms (e.g. the Active Directory Recycle Bin) provide a good workaround and save you the time and effort of managing an additional sub / root domain.

Common Mistakes

A. A common mistake is to set up a new root / sub domain for Exchange address book / GAL separation or hiding.

The Address Book Policies built into Exchange 2010 (SP2 and later) / 2013 meet this requirement without any need for a new root / sub domain.

B. A common mistake is to set up a new root / sub domain because of Active Directory delegation or multiple password policy requirements. Delegating control over OUs handles administrative separation, and Fine-Grained Password Policies (Password Settings Objects, available from the Windows Server 2008 domain functional level) give different users and groups different password and lockout rules within one domain. These mechanisms answer all of the enterprise requirements I have seen; I have not yet come across a scenario that they do not support.
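Both requirements handled inside one domain, as an added example (not from the original post): a Fine-Grained Password Policy for service accounts, an OU delegation for a branch's own admins, and the two checks that show what actually applies. It assumes the ActiveDirectory module, a domain corp.example.com with an OU "OU=BranchA,DC=corp,DC=example,DC=com", the groups ServiceAccounts and BranchA-Admins and a user svc-backup; all of these names are hypothetical.

```powershell
# Added example (not from the original post): different password rules and a
# separate admin team without a sub domain. Assumes the ActiveDirectory module
# and the hypothetical domain corp.example.com, OU "BranchA", groups
# "ServiceAccounts" and "BranchA-Admins", and user "svc-backup".
Import-Module ActiveDirectory

# 1. Fine-Grained Password Policy (needs Windows Server 2008 domain functional
#    level or later). Lower Precedence wins when several PSOs cover one user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'ServiceAccounts'

# 2. Delegation: grant the branch admins rights on their OU only, instead of
#    making them Domain Admins of a separate domain.
$ouDN = 'OU=BranchA,DC=corp,DC=example,DC=com'
$sid  = (Get-ADGroup -Identity 'BranchA-Admins').SID
$acl  = Get-Acl -Path "AD:\$ouDN"

$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify: which PSO really applies to an account, and what the branch
#    admins can now do on their OU.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*BranchA-Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The delegation ACE here is deliberately coarse (create, delete and write on child objects); for narrower grants such as "reset password only" you add ACEs for the specific extended right and object class GUIDs, which the Delegation of Control wizard does for you. Neither step touches the domain boundary, which is the point of the section above.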

C. A common mistake is to set up a new root / sub domain because of a security requirement to block users of one domain from reading information about objects in another Active Directory domain. A new domain in the same forest does not achieve this: by default the Authenticated Users principal, which includes every user in the forest, has read access to most object attributes through the transitive trusts, and every Global Catalog carries a partial replica of every domain. The forest, not the domain, is the security boundary; if real isolation is required it calls for a separate forest, not a new domain.
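The cross-domain visibility from Note 1 and from this common mistake, demonstrated as an added example (not from the original post): an ordinary user of the root domain reads child-domain users both through the Global Catalog and directly from the child domain, and the ACE that allows it is shown. It assumes a forest with root domain corp.example.com and child domain branch.corp.example.com, a Global Catalog reachable as gc.corp.example.com, a root-domain user alice and a child-domain user bob; all of these names are hypothetical.

```powershell
# Added example (not from the original post): show why a sub domain in the same
# forest does not hide its objects from users of other domains. Assumes the
# hypothetical forest corp.example.com / branch.corp.example.com, the GC
# gc.corp.example.com and users CORP\alice (root) and bob (child).
Import-Module ActiveDirectory

$cred = Get-Credential -Message 'Ordinary user from the ROOT domain (e.g. CORP\alice)'

# 1. Global Catalog (port 3268): a partial replica of EVERY domain in the forest,
#    readable by any authenticated forest user, no special permission needed.
Get-ADUser -Server 'gc.corp.example.com:3268' -Credential $cred `
    -SearchBase 'DC=branch,DC=corp,DC=example,DC=com' -Filter * `
    -Properties mail, displayName |
    Select-Object SamAccountName, UserPrincipalName, mail, displayName

# 2. A direct LDAP read against the child domain (port 389) also succeeds: the
#    automatic parent-child trust makes alice an Authenticated User there, and the
#    child DC returns the full attribute set, not just the GC's partial one.
Get-ADUser -Server 'branch.corp.example.com' -Credential $cred `
    -Filter "SamAccountName -eq 'bob'" -Properties description, memberOf |
    Select-Object SamAccountName, description, memberOf

# 3. The permission that makes this possible: read access for Authenticated
#    Users in the child domain's default ACLs (shown here on the domain head).
New-PSDrive -Name BRANCH -PSProvider ActiveDirectory `
    -Server 'branch.corp.example.com' -Root '' | Out-Null
(Get-Acl -Path 'BRANCH:\DC=branch,DC=corp,DC=example,DC=com').Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Hiding objects therefore means removing or denying read rights on the objects themselves (or, for real isolation, a separate forest); adding a domain changes nothing about what a forest user can read.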



11 comments

  1. tietrinny, April 20, 2013 ב 19:37

    I discovered your weblog web site on google and check a few of your early posts. Continue to maintain up the pretty great operate. I just additional up your RSS feed to my MSN News Reader. Searching for forward to reading much more from you later on!

    christian louboutin

  2. iodidagak, April 22, 2013 ב 05:28

    It is challenging to obtain knowledgeable individuals on this topic, but you sound like you know what you are talking about! Thanks

    michael kors bags sale online

  3. tietrinny, April 22, 2013 ב 17:03

    Hello! I just would like to give a huge thumbs up for the great info you have here on this post. I will probably be coming back to your blog for extra soon.

    red bottom shoes

  4. iodidagak, April 22, 2013 ב 19:54

    Terrific Post.thanks for share..extra wait ..

    michael kors hand bags

  5. GraliaExhaura, May 4, 2013 ב 07:18

    There are actually undoubtedly numerous details like that to take into consideration. Which is an incredible point to bring up. I give the thoughts above as general inspiration but clearly there are questions like the 1 you bring up exactly where essentially the most important factor will probably be working in honest very good faith. I don't know if most desirable practices have emerged about issues like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment’s pleasure, for the rest of their lives.

    michael kors outlet stores

  6. GraliaExhaura, May 9, 2013 ב 06:04

    I discovered your weblog website on google and check a couple of of your early posts. Continue to keep up the highly decent operate. I just additional up your RSS feed to my MSN News Reader. Seeking forward to reading far more from you later on!

    michael kors outlet coupons

  7. tietrinny, May 9, 2013 ב 14:16

    One can find some intriguing points in time in this article but I don’t know if I see all of them center to heart. There is some validity but I will take hold opinion until I look into it further. Superb post , thanks and we want additional! Added to FeedBurner too

    basketball shoes cheap online

  8. GraliaExhaura, May 9, 2013 ב 14:44

    It is challenging to get knowledgeable many people on this subject, but you sound like you know what you’re talking about! Thanks

    michael kors hamilton satchel

  9. tietrinny, May 15, 2013 ב 18:56

    I’d need to check with you here. Which isn’t some thing I normally do! I get pleasure from reading a post that will make people today think. Also, thanks for permitting me to comment!

    cheap michael kors

  10. GraliaExhaura, May 15, 2013 ב 19:32

    This web internet site is honestly a walk-through for all the info you wanted about this and didn’t know who to ask. Glimpse here, and you’ll definitely discover it.

    michael kors hamilton tote