Active Directory Design on a Dime
Four forests or one? Four domains or one? The best AD design strives for simple and secure administration.
- By Bill Boswell
- July 29, 2003
Bill: I am the sysadmin of a small school district
in Tucson. For approximately one year, I have been in the planning/training
stages of creating Active Directory in my school district. I'm about to
take the plunge, but I'm hung up on one fundamental design choice: whether
to create separate forests for my four sites (three schools and a district
office) or combine them into a single forest.
I'm leaning towards creating completely separate forests, only because
I don't need the constant replication traffic. The domains don't need
to share objects with each other. The only intersite/inter-domain sharing
concern I have is a soon-to-be WAN intranet Web site. I'll have two intranet
sites that users at all four sites must be able to access using FQDNs
using Internet browsers. This is possible, yes?
I am a one-man IT show, so there aren't any political concerns in my organization.
My only concerns are the intranet Web site, a possible occasional file
needing to be shared across the WAN, and simplified system administration.
What do you think is easier to manage, four separate forests, or a single
forest containing four domains?
—Andre De Leon
Let’s start with the design assumption about needing separate domains.
You are the sole IT admin in your organization, yes? I take this to mean
that the local schools don’t have their own admins or faculty who
think they "know computers" and want to "help" you
run the system.
The primary reason to have separate domains would be to erect management
boundaries between admins responsible for different sections of the same
organization. Creating separate forests makes this barrier even more secure
by preventing an administrator in one domain from gaining system privileges
on a domain controller and manipulating the contents of another domain.
Because you represent the entire IT organization, you have no need for
separate forests or even separate domains. Create a single domain and
put the users and groups and computers in each school in their own OU.
This avoids complexities in creating groups and setting up group policies
and other features that are more difficult to configure in multiple domains.
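The OU-per-school layout described above, as an added example that is not part of the original column: each site gets its own OU subtree inside one domain, with a site-scoped GPO linked at the OU so per-site policy needs no separate domain. It assumes a domain controller with the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later, so not the Server 2003 release the column discusses); the site names and GPO names are placeholders.

```powershell
# Added example (not from the column): build the single-domain, OU-per-site
# layout. Assumes the ActiveDirectory and GroupPolicy modules are available on
# the DC you run it from. Site names and the GPO name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName                      # e.g. DC=schooldistrict,DC=pri
$sites    = 'DistrictOffice', 'SchoolA', 'SchoolB', 'SchoolC'     # placeholder site names

# One top-level OU keeps the site OUs apart from the default containers.
$rootOU = "OU=Sites,$domainDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Sites)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Sites' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($site in $sites) {
    $siteOU = "OU=$site,$rootOU"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$site)" -SearchBase $rootOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $rootOU -ProtectedFromAccidentalDeletion $true
    }

    # Users, groups and computers for each school live under that school's OU,
    # so a single domain still gives per-site scoping for policy and reporting.
    foreach ($child in 'Users', 'Groups', 'Computers') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $siteOU -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $siteOU -ProtectedFromAccidentalDeletion $true
        }
    }

    # A per-site GPO linked at the site OU does the job separate domains would
    # otherwise be created for. The GPO contents are left empty here.
    $gpoName = "Site-$site-Baseline"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
    New-GPLink -Name $gpoName -Target $siteOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Report the resulting tree so the layout can be checked before objects are moved in.
Get-ADOrganizationalUnit -SearchBase $rootOU -Filter * |
    Select-Object -ExpandProperty DistinguishedName
```

Every OU is created with ProtectedFromAccidentalDeletion so a mis-click in the console cannot remove a whole school's objects; the script is idempotent, so it can be re-run after adding a fifth site to the list.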
Using a single domain also avoids DNS complexities. You could host your
external DNS resource records on a public-facing DNS server and make your
domain controllers into DNS servers to host the internal DNS domain that
corresponds to your Active Directory domain. For example, if you have
a current public DNS domain of schooldistrict.edu, you could root your
AD domain in an internal DNS domain called schooldistrict.pri (for private).
Integrate this zone into Active Directory and you have a secure, flexible
structure where you can point all your clients for DNS lookups. Configure
the DNS service on each domain controller to forward to your ISP DNS server
and that takes care of finding Internet name records.
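The internal-zone-plus-forwarders arrangement described above, as an added example that is not part of the original column: an AD-integrated primary zone for the private namespace, secure dynamic updates only, forwarding to the ISP resolvers for everything else, and A records for the intranet hosts so they are reachable by FQDN from all four sites. It assumes the DnsServer PowerShell module on a DC running the DNS Server role (Windows Server 2012 or later); the forwarder addresses and intranet host names and IPs are placeholders.

```powershell
# Added example (not from the column): split-namespace DNS on a domain
# controller. Assumes the DnsServer module. Forwarder addresses (TEST-NET-3
# range) and intranet host names/IPs are placeholders.
Import-Module DnsServer

$internalZone  = 'schooldistrict.pri'                              # internal zone that roots the AD domain
$ispForwarders = '203.0.113.53', '203.0.113.54'                    # placeholder ISP resolvers
$intranetHosts = @{ 'intranet' = '10.0.1.20'; 'library' = '10.0.2.20' }   # placeholder A records

# 1. AD-integrated primary zone replicated to every DC in the domain. Secure
#    dynamic updates mean only authenticated domain members can register records.
if (-not (Get-DnsServerZone -Name $internalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $internalZone -ReplicationScope Domain -DynamicUpdate Secure
} else {
    Set-DnsServerPrimaryZone -Name $internalZone -DynamicUpdate Secure
}

# 2. Forward every name the DC is not authoritative for to the ISP resolvers;
#    root hints are disabled so resolution goes only through the forwarders.
Set-DnsServerForwarder -IPAddress $ispForwarders -UseRootHint $false

# 3. Publish the intranet sites by FQDN inside the internal zone.
foreach ($name in $intranetHosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $internalZone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $internalZone -Name $name -IPv4Address $intranetHosts[$name]
    }
}

# 4. Verify from the DC: zone is AD-integrated with secure updates, forwarders are
#    in place, and an intranet FQDN resolves.
Get-DnsServerZone -Name $internalZone | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
Resolve-DnsName -Name "intranet.$internalZone" -Type A
```

Clients then point only at the domain controllers for DNS; the public schooldistrict.edu zone stays on the external server and never needs to carry internal records.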
As for the intranet Web site, I highly recommend putting it on a separate
server, one that is not a domain controller. This avoids the possibility
that a Web attacker who gets root access on the Web service thereby gains
access to Active Directory. I also recommend using Windows Server 2003
as the Web server to take advantage of its additional security and separate
memory space for different Web sites. If your application won't run in
a separate memory space, you can configure the web service to run in IIS
5.0 Isolation Mode.
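The web-tier separation recommended above, as an added example that is not part of the original column and written for a current IIS rather than the Server 2003 release the column describes: it refuses to run on a domain controller, then gives each intranet site its own application pool (the modern equivalent of a separate memory space per site, replacing IIS 5.0 Isolation Mode) under the low-privilege ApplicationPoolIdentity, bound by host header to the site's FQDN. It assumes IIS 7.0 or later with the WebAdministration module; site names, paths and host names are placeholders.

```powershell
# Added example (not from the column): one worker process per intranet site on
# a member server, never on a DC. Assumes IIS 7.0+ and the WebAdministration
# module. Site names, physical paths and host headers are placeholders.
Import-Module WebAdministration

# 1. Refuse to configure IIS on a domain controller. Win32_ComputerSystem.DomainRole
#    4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "This host is a domain controller (DomainRole=$role); put the intranet site on a member server instead."
}

$sites = @(
    @{ Name = 'intranet'; Path = 'C:\inetpub\intranet'; Host = 'intranet.schooldistrict.pri' },  # placeholders
    @{ Name = 'library';  Path = 'C:\inetpub\library';  Host = 'library.schooldistrict.pri' }
)

foreach ($s in $sites) {
    $poolName = "$($s.Name)-pool"
    if (-not (Test-Path "IIS:\AppPools\$poolName")) {
        New-WebAppPool -Name $poolName | Out-Null
    }
    # Each site runs in its own worker process as the built-in virtual
    # ApplicationPoolIdentity, so a compromised site does not run as a shared
    # or privileged account and cannot reach into the other site's process.
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode -Value Integrated

    if (-not (Test-Path $s.Path)) { New-Item -ItemType Directory -Path $s.Path | Out-Null }
    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -Port 80 -HostHeader $s.Host -ApplicationPool $poolName | Out-Null
    }
}

# 2. Report: one pool per site, each with its own identity type, for review.
Get-ChildItem IIS:\Sites | ForEach-Object {
    $pool = Get-Item "IIS:\AppPools\$($_.applicationPool)"
    [pscustomobject]@{
        Site     = $_.Name
        AppPool  = $_.applicationPool
        Identity = $pool.processModel.identityType
        Path     = $_.physicalPath
    }
}
```

The host headers match the A records published in the internal DNS zone, so users at all four sites reach each intranet site by the same FQDN, and the DC check at the top enforces the column's main point: the Web server and the directory never share a box.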
Hope this helps. Good luck with the rollout. And stay cool in Tucson.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.