Active Directory Design on a Dime

Four forests or one? Four domains or one? The best AD design strives for simple and secure administration.

Bill: I am the sysadmin of a small school district in Tucson. For approximately one year, I have been in the planning/training stages of creating Active Directory in my school district. I'm about to take the plunge, but I'm hung up on one fundamental design choice: whether to create separate forests for my four sites (three schools and a district office) or combine them into a single forest.

I'm leaning towards creating completely separate forests, only because I don't need the constant replication traffic. The domains don't need to share objects with each other. The only intersite/inter-domain sharing concern I have is a soon-to-be WAN intranet Web site. I'll have two intranet sites that users at all four sites must be able to access by FQDN from their Internet browsers. This is possible, yes?

I am a one-man IT show, so there aren't any political concerns in my organization. My only concerns are the intranet Web site, a possible occasional file needing to be shared across the WAN, and simplified system administration. What do you think is easier to manage, four separate forests, or a single forest containing four domains?
—Andre De Leon

Let’s start with the design assumption about needing separate domains. You are the sole IT admin in your organization, yes? I take this to mean that the local schools don’t have their own admins or faculty who think they "know computers" and want to "help" you run the system.

The primary reason to have separate domains is to erect management boundaries between admins responsible for different sections of the same organization. Keep in mind that a domain is an administrative boundary, not a security boundary: every domain in a forest shares the same schema and configuration partitions, and an administrator who gains system privileges on a domain controller in one domain can manipulate the contents of any other domain in that forest. Only a separate forest stops that, which is why separate forests are the right tool when you genuinely cannot trust the administrators of the other domain.

Because you represent the entire IT organization, you have no need for separate forests or even separate domains. Create a single domain and put the users, groups and computers of each school in their own OU. This avoids the complexity of cross-domain groups, group policies and the other features that are harder to configure across multiple domains. It also addresses your replication worry: with one domain, every domain controller still holds a full copy of the domain partition, but you control when and how that traffic crosses the WAN with Active Directory sites and site links (one site per school, scheduled and compressed replication over the links), not with forest boundaries.
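The single-domain layout described above, expressed as an added PowerShell example that is not part of the original column. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, Windows Server 2008 R2 or later, so newer than the Windows Server 2003 era the column addresses), a hypothetical domain schooldistrict.pri, and made-up site names; it creates one OU per site with Users, Computers and Groups sub-OUs and links one baseline GPO per site, after confirming the forest really does contain a single domain.

```powershell
# Added example, not from the column: one domain, one OU per site.
# Assumes the ActiveDirectory and GroupPolicy modules and a hypothetical
# domain schooldistrict.pri; the four site names below are made up.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=schooldistrict,DC=pri
$sites    = 'DistrictOffice', 'NorthElementary', 'CentralMiddle', 'SouthHigh'

# Sanity check: the design calls for exactly one domain in one forest.
$forest = Get-ADForest
if ($forest.Domains.Count -ne 1) {
    throw "Expected a single-domain forest, found: $($forest.Domains -join ', ')"
}

function New-OUIfMissing {
    # Creates an OU (protected from accidental deletion) if it does not exist
    # and returns its distinguished name either way.
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}

$sitesRoot = New-OUIfMissing -Name 'Sites' -Path $domainDN
foreach ($site in $sites) {
    $siteOU = New-OUIfMissing -Name $site -Path $sitesRoot
    foreach ($child in 'Users', 'Computers', 'Groups') {
        New-OUIfMissing -Name $child -Path $siteOU | Out-Null
    }
    # One baseline GPO per site, linked at the site OU so it covers the sub-OUs.
    $gpoName = "$site-Baseline"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | New-GPLink -Target $siteOU -LinkEnabled Yes | Out-Null
    }
}

# New computer accounts land in CN=Computers by default, where no OU-linked GPO
# applies; redircmp (a command-line tool, not a cmdlet) changes that default, e.g.:
#   redircmp "OU=Computers,OU=DistrictOffice,OU=Sites,$domainDN"

# Show the resulting tree.
Get-ADOrganizationalUnit -Filter * -SearchBase $sitesRoot | Select-Object DistinguishedName
```

Because everything lives in one domain, the groups you create for the intranet sites or the occasional shared file can contain users from any school without the cross-domain group-scope rules getting in the way; the OU tree is only there to scope Group Policy and, later, delegation if a school ever gets its own helper.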

Using a single domain also keeps DNS simple. Keep your public DNS records on a public-facing DNS server and make your domain controllers DNS servers for the internal zone that matches your Active Directory domain name. For example, if your current public DNS domain is schooldistrict.edu, you could root your AD domain in an internal DNS domain called schooldistrict.pri (for private). Store that zone in Active Directory (an AD-integrated zone) and allow secure dynamic updates only, and you have a replicated, access-controlled zone to which you can point every client for DNS lookups. Configure the DNS service on each domain controller to forward to your ISP's DNS server, and that takes care of finding Internet name records. One caveat: a made-up top-level name such as .pri can never appear in a certificate from a public CA, so if you expect to buy certificates for internal hosts, a subdomain of your registered name (ad.schooldistrict.edu, for instance) is the safer choice.
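The DNS setup described above, as an added PowerShell example that is not part of the original column. It assumes the DnsServer module (Windows Server 2012 or later) run on a domain controller that also runs DNS, the hypothetical zone schooldistrict.pri, and a placeholder forwarder address 203.0.113.53 standing in for the ISP's resolver. It shows the weak zone setting beside the corrected one and ends with the checks you would run afterwards.

```powershell
# Added example, not from the column: AD-integrated internal zone plus forwarding.
# Assumes the DnsServer module on a DC; zone name and forwarder address are made up.
Import-Module DnsServer -ErrorAction Stop

$zone      = 'schooldistrict.pri'
$forwarder = '203.0.113.53'      # placeholder for the ISP's resolver

# Weak setting to avoid: a zone that accepts NonsecureAndSecure dynamic updates lets any
# host on the network overwrite records, including those of the domain controllers.
#   Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate NonsecureAndSecure

if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    # Corrected form: stored in AD, replicated to every DC in the forest, secure updates only.
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure
}
else {
    # Existing zone: make sure nobody has relaxed the update policy.
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# Forward everything outside the internal zone to the ISP; disable root hints so the
# DC never tries to walk the Internet root servers itself.
Set-DnsServerForwarder -IPAddress $forwarder -UseRootHint $false

# Checks a practitioner would run afterwards.
$z = Get-DnsServerZone -Name $zone
if (-not $z.IsDsIntegrated -or $z.DynamicUpdate -ne 'Secure') {
    throw "$zone is not AD-integrated with secure updates (DsIntegrated=$($z.IsDsIntegrated), DynamicUpdate=$($z.DynamicUpdate))"
}
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint

# The SRV records clients use to locate domain controllers must resolve from the DC itself.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server 127.0.0.1

# And an Internet name must resolve through the forwarder.
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1
```

Point every workstation (normally through the DHCP scope options at each school) at the domain controllers as their only DNS servers; a client that lists the ISP resolver alongside the DCs will intermittently fail to find the SRV records and log on slowly or not at all.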

As for the intranet Web site, I highly recommend putting it on a separate server, one that is not a domain controller. A Web application compromised on a domain controller hands the attacker system privileges on that DC, and with them the whole forest; on a member server the damage stops at that box. I also recommend Windows Server 2003 for the Web server so you can use IIS 6.0 worker process isolation mode, which runs each Web site in its own application pool (a separate worker process under a low-privileged identity) rather than in one shared process. If your application won't run that way, you can fall back to IIS 5.0 isolation mode, but you give up the per-site separation.
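The separate-server and per-site isolation advice above, as an added PowerShell example that is not part of the original column. It assumes IIS 7 or later with the WebAdministration module (the column's IIS 6.0 application pools are the same idea, configured through the IIS console); the two site names, host names and content paths are made up. It refuses to run on a domain controller, then gives each intranet site its own application pool under its own virtual identity with read access only to its own content.

```powershell
# Added example, not from the column: intranet sites on a member server, one
# application pool per site. Assumes IIS 7+ with the WebAdministration module;
# site names, host names and paths below are made up.
Import-Module WebAdministration -ErrorAction Stop

# Refuse to proceed on a domain controller (Win32_ComputerSystem.DomainRole:
# 4 = backup domain controller, 5 = primary domain controller).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "This host is a domain controller; put the Web server on a member server."
}

$sites = @(
    @{ Name = 'intranet'; Host = 'intranet.schooldistrict.pri'; Path = 'C:\inetpub\intranet' },
    @{ Name = 'staffnet'; Host = 'staffnet.schooldistrict.pri'; Path = 'C:\inetpub\staffnet' }
)

foreach ($s in $sites) {
    if (-not (Test-Path $s.Path)) { New-Item -ItemType Directory -Path $s.Path | Out-Null }

    # One application pool per site: a separate w3wp.exe under the pool's own virtual
    # account (ApplicationPoolIdentity), so a compromised page in one site cannot read
    # the other site's memory, config or files.
    $poolPath = "IIS:\AppPools\$($s.Name)"
    if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $s.Name | Out-Null }
    Set-ItemProperty $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity

    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -ApplicationPool $s.Name `
                    -Port 80 -HostHeader $s.Host | Out-Null
    }

    # Grant only this pool's identity (IIS AppPool\<name>) read access to its own content.
    $acl  = Get-Acl $s.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "IIS AppPool\$($s.Name)", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $s.Path -AclObject $acl
}

# Verify: every site runs in its own pool under a non-administrative identity.
Get-Website | Select-Object Name, ApplicationPool, State
Get-ChildItem IIS:\AppPools | Select-Object Name, @{n='Identity'; e={ $_.processModel.identityType }}
```

Register the two host names as A records in the internal zone pointing at this member server, and the users at all four sites can reach both intranet sites by FQDN over the WAN without any of them touching a domain controller.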

Hope this helps. Good luck with the rollout. And stay cool in Tucson.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
