Best of Questions and Answers for TechNet Webcast: Best Practices for Designing the Active Directory Structure

I've been unlocking the mysteries of Active Directory since before you were born, sonny! Here are the “Best Of” our questions and answers from today’s TechNet Webcast: Best Practices for Designing the Active Directory Structure.

BIG thank you to Matt Hester, who answered the questions in the background during the webcast and whose work this represents.

Thanks to all who attended!


Questions and Answers:

“What are the tradeoffs for naming your internal domain the same as the external or using a different internal name vs name.local etc.?”

If you keep them the same, it makes life a little easier but maybe not as secure. Take a look at this KB:

“If the GC is the only one that can authenticate the user, then what is the use of having additional DCs?”

You use the GCs to help scale and control authentication. However, DCs play many pivotal roles in your organization that support many other functions. Take a look at this KB for other articles:

“How is the size of active directory database calculated?”

There are a lot of factors that go into sizing the AD database. Take a look at this article:

“Can you talk a little bit about cost between site links?”

This is a great KB about this (even though it is Windows 2000):
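As an added illustration of site link costs (this is not from the webcast or the KB; it assumes the ActiveDirectory PowerShell module from Windows Server 2008 R2 or later RSAT, and the site names HQ, Branch-A and DR are placeholders with illustrative numbers), the snippet below builds a hub-and-spoke topology where the cheaper two-hop path through HQ wins over an expensive direct link:

```powershell
# Added example, not from the webcast. Assumes the ActiveDirectory module and
# existing sites named HQ, Branch-A and DR (placeholders). Costs are illustrative.
Import-Module ActiveDirectory

# Lower cost means preferred path. With site link bridging on (the default) the
# KCC adds costs along a route, so 100 + 100 via HQ beats the direct 300 link,
# and inter-site replication for Branch-A <-> DR flows through the hub.
New-ADReplicationSiteLink -Name "HQ-BranchA" -SitesIncluded HQ,"Branch-A" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "HQ-DR" -SitesIncluded HQ,DR `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Slow backup WAN between the spokes: keep it as a fallback, but make it
# expensive and infrequent so it is only used when a hub link is down.
New-ADReplicationSiteLink -Name "BranchA-DR" -SitesIncluded "Branch-A",DR `
    -Cost 300 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Review what the KCC will see, cheapest links first.
Get-ADReplicationSiteLink -Filter * -Properties Cost,ReplicationFrequencyInMinutes,SitesIncluded |
    Sort-Object Cost |
    Format-Table Name,Cost,ReplicationFrequencyInMinutes,SitesIncluded -AutoSize
```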

“I have a simple system, Windows 2003 Server R2 with one forest containing one domain. I have 2 DCs for redundancy; the same boxes also run DNS services. The domain controller that was set up first is also running print server and WSUS. The second DC is running file server. Is this too much for those boxes to handle? Or is there some technical reason why I should not be doing this setup? I have not seen any slowdowns so far; the domain has been up for 4 months. Total number of desktops is ~25 and 3 printers.”

No real technical reason in the scenario you describe. It all comes down to workload: how many users, and how much work the servers are doing. As long as the servers are still performing well, you should be okay.

“Can a user in one Domain (with an established trust relationship) be a member of the ‘Domain Admins’ group on another domain?”

Yes, as long as the trust relationship is properly established.

“How do you make all DC’s Global Catalog servers?”

There is a simple check box in the configuration of the server’s NTDS Settings under the AD Sites and Services tool. Take a look at this KB:

“How can you enable Universal Group Membership Caching (UGMC)?”

Take a look at this KB:

“Is it wise to make all DCs global catalog servers? Isn’t that a no-no? What are the disadvantages?”

In a single-domain forest there is no reason not to, and there is the benefit of sharing the load between DCs. But in a forest of two or more domains, it’s generally not a good idea: it will generate too much replication traffic. Generally you want at least 2 per site. This KB is a good place to start:
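The three answers above (enabling the GC check box on every DC, enabling UGMC, and the single-domain case where all DCs can be GCs) can be scripted instead of clicked through. The block below is an added example, not from the webcast; it assumes the ActiveDirectory PowerShell module, Domain Admin rights, and placeholder site names "Branch" and "HQ". The check box in AD Sites and Services sets bit 0x1 of the NTDS Settings object's options attribute, and UGMC is bit 0x20 on the site's NTDS Site Settings object.

```powershell
# Added example, not from the webcast. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later) and Domain Admin rights.
# "Branch" and "HQ" are placeholder site names.
Import-Module ActiveDirectory

$IS_GC     = 0x1    # NTDS Settings "options" bit: this DC hosts the Global Catalog
$UGMC_FLAG = 0x20   # NTDS Site Settings "options" bit: group membership caching on

# Equivalent of ticking "Global Catalog" on every DC's NTDS Settings object.
function Enable-GlobalCatalogOnAllDCs {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        $cur  = [int]$ntds.options            # an unset attribute casts to 0
        if (($cur -band $IS_GC) -eq 0) {
            # OR the bit in so any other option bits on the object are preserved
            Set-ADObject -Identity $ntds -Replace @{ options = ($cur -bor $IS_GC) }
            Write-Host "GC enabled on $($dc.HostName); partial replicas will now replicate in"
        } else {
            Write-Host "$($dc.HostName) is already a GC"
        }
    }
}

# A new GC only advertises itself once its read-only partitions have replicated.
function Test-GlobalCatalogReady([string]$DcHostName) {
    "$((Get-ADRootDSE -Server $DcHostName).isGlobalCatalogReady)" -eq 'TRUE'
}

# UGMC is per site, stored on "CN=NTDS Site Settings,CN=<site>,CN=Sites,...".
# msDS-Preferred-GC-Site tells the site's DCs where to refresh the cache from.
function Enable-UGMC([string]$SiteName, [string]$PreferredGCSite) {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties options
    $attrs = @{ options = ([int]$obj.options -bor $UGMC_FLAG) }
    if ($PreferredGCSite) {
        $attrs['msDS-Preferred-GC-Site'] = "CN=$PreferredGCSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $dn -Replace $attrs
}

# Single-domain forest: make every DC a GC, then report readiness per DC.
Enable-GlobalCatalogOnAllDCs
Get-ADDomainController -Filter * | ForEach-Object {
    "{0}: GC ready = {1}" -f $_.HostName, (Test-GlobalCatalogReady $_.HostName)
}
# Site without a local GC: cache memberships, refreshing from the HQ GCs.
Enable-UGMC -SiteName "Branch" -PreferredGCSite "HQ"
```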

“The root server has all the roles, and if I have an additional DC, should any FSMO role be transferred or not? Or is it required to transfer the role?”

Yes, FSMO roles can be transferred. Take a look at this KB on how:
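An added example of a clean transfer (not a seizure) of the domain-wide roles, with a placement check first; this is not from the webcast or the KB, and it assumes the ActiveDirectory PowerShell module, that the current role holder is online, and a placeholder target DC named DC02:

```powershell
# Added example, not from the webcast. Assumes the ActiveDirectory module,
# an online current holder, and a placeholder target DC named "DC02".
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Design rule behind "should the role move?": in a multi-domain forest the
# Infrastructure Master should not sit on a GC unless every DC is a GC,
# otherwise cross-domain group member references stop being updated.
function Test-InfrastructureMasterPlacement([string]$TargetDc) {
    $target      = Get-ADDomainController -Identity $TargetDc
    $multiDomain = (Get-ADForest).Domains.Count -gt 1
    $allGC       = -not (Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })
    if ($multiDomain -and $target.IsGlobalCatalog -and -not $allGC) {
        Write-Warning "$TargetDc is a GC in a multi-domain forest where not all DCs are GCs; leave Infrastructure Master on a non-GC"
        return $false
    }
    return $true
}

"Before:"; Get-FsmoHolders | Format-List

$roles = @('PDCEmulator', 'RIDMaster')
if (Test-InfrastructureMasterPlacement 'DC02') { $roles += 'InfrastructureMaster' }

# Transfer, not seize: the old holder hands off cleanly and both DCs stay consistent.
# Forest-wide roles (SchemaMaster, DomainNamingMaster) would need Schema/Enterprise Admin rights.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole $roles -Confirm:$false

"After:"; Get-FsmoHolders | Format-List
```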

“Given the following, what design would you recommend?
One company with locations across the US and Canada. Locations can either have end users or can be a datacenter site. All sites are managed by a single IT staff running 24×7. The only requirement is to ensure that only certain users/groups can log in to servers at the designated datacenter sites.”

I don’t see anything in this description to suggest that separate domains or forests need to be used. One IT staff, with no specific politics or WAN connectivity issues to require separate domains or forests, and the requirement of restricting access can be fulfilled by other means… so I think you’re fine here with just one forest containing one domain.

One thought on “Best of Questions and Answers for TechNet Webcast: Best Practices for Designing the Active Directory Structure”

  1. Excellent site you have.
    I have two questions:
    We have multiple sites in our network; some of them are connected with a VPN having a round trip delay of between 200 milliseconds and 2000 milliseconds.
    We have the DNS configured on a Unix server in round robin format.
    The DNS name resolution for the domain is done fine, but it lists all the DCs in a round robin format:
    a.x.y.100  — Local site
    b.p.q.200 – remote site
    The second time the DNS query is done:
    b.p.q.200 – remote site
    a.x.y.100  — Local site
    This causes massive delays during logons.
    Once the DFS starts to work it is better. But the connection to netlogon takes a lot of time depending on whether the local or remote AD is sent out first.
    Does Microsoft AD-based DNS provide the values based on site awareness and site costs?
    I was told for backup and recovery of the AD it is useful to have a DC located in a special site where the replication is very slow, about once a week or manually when we think the AD is consistent.
    How can we ensure that this DC does not take part in day-to-day logons?
    Thanks a lot

