Sites, Forests, Domains, OH MY!


InTheWayBoy

Okay, so things are starting to get a little bigger than I expected. Here's the skinny:

Started with just two buildings, linked via a buried CAT5. The units are only 100 ft away, so all is well there. Then, we opened an office in a city far away. And just recently, we purchased another unit in the same complex as the first two. Sadly, doesn't look like I'll be able to physically link the two as the cost of fiber (it's well over the spec for CAT5) is too much at the moment.

For Clarity:

1400 - First building

1500 - Second building

2300 - Third building (Newest)

Ormond - Remote office

So 1400 and 1500 are linked via the CAT5, and have their own DC and are net enabled via a T1. 2300 is the newest building in the complex, and currently it is set up with its own DC and a DSL connection. And Ormond is currently in a workgroup setup, with a T1 for net access.

1400 and 1500 are in the same domain, in its own forest. 2300 is the same...its own DC in its own forest.

I am currently in the process of implementing site-to-site VPN via hardware firewalls, and when it's done I plan on scrapping the whole thing to redesign for just one forest, with all the sites in that forest.

I'm thinking I need to make a new forest, then two sites (Jax and Ormond), but only one domain. I'm just a little confused about all the site/forest stuff, as I've never tried to do anything this large before.

What would be any suggestions on organizing this? I would like to be able to have any user from any location sign on to any computer and get their desktop. I know that if the files are hosted on a different DC the WAN link won't be so fast, but that's okay for now. I've never touched sites or forests before as it's always been just one server for me.

Thanx in advance!!!



A couple of things come to mind - if you can afford it, you can really do this nicely. I wouldn't suggest child domains unless you really need the security separation, as simply creating sites and subnets in AD Sites and Services for one domain is much easier to manage long-term. If you really need separate domains, create separate domains for both the 2300 building AND the Ormond building.

1. Create a new domain (for example, mydomain.com), which will be a new domain in a new forest, and migrate your users from your current domain(s) into this one (you'll need a trust to move the users from the old domain(s) into the new, but it's pretty easy once done - the workgroup users will be SOL and will get new accounts :)). Remember that if you plan on using ISA 2004 (*wink wink*, strongly suggested in an AD environment) as your firewall of choice to use split DNS - use the same DNS name internally for your AD as you use externally. For example, if you own the "mydomain.com" domain name, your AD domain will be named "mydomain.com" - with the caveat that your internal DNS will be private, non-routable addresses.

2. Decommission all of your other domain controllers and (in essence) you'll "kill" your other domains.

3. For clarity's sake, you would be wise to rebuild these servers once demoted to make sure you don't bring any "old domain" data into your new domain when you dcpromo these boxes. Once you've rebuilt the boxes and established site-to-site VPN links between the remote sites and the home office site, you will be able to continue to step 4.

4. Rejoin your DCs at your home office into the domain via dcpromo. Install DHCP, DNS, and WINS on one DC.

5. Join your DC(s) in the 2300 building into the domain via dcpromo.

6. Join your DC(s) from the Ormond location into the domain.

7. Create the proper sites and subnets in Active Directory Sites and Services on a DC in the home office, and move the proper DC objects into their respective sites. Allow a good few hours for this to be up and fully functional (monitor AD replication via replmon to make sure there are no errors).

8. Create DHCP servers for each site on one of the DCs, matching each DHCP server's scope with the proper IP range for the site. Configure DHCP in each site to give out the DNS and WINS server information from the parent domain, if possible. This makes browsing more controlled and uniform, especially NetBIOS browsing in Network Neighborhood via WINS.

Steps 9 and 10 will reduce the load on your links during file and login access, but only follow these if you can get a file server at each site:

9. Create a domain DFS root, and place your file servers in each location into the DFS root.

10. Configure each file server at remote sites to be replicas of the file server at the home office - this will make sure that the data on one file server is present on the others, and DFS will know which server to direct a client to based on its IP address, subnet, and which site that subnet belongs to. Note that this works much quicker in a Win2K3 AD than a Win2K AD, because Win2K DCs use the DFS object stored in AD to determine the closest replica, and Win2K3 DCs use the site structure in AD (what you see in AD Sites and Services) to determine the closest replica, which is much more reliable and efficient.

Again, if you can swing it, steps 9 and 10 make sure that (with few exceptions) all users get similar performance to files, folders, profiles, and logins no matter what site they are located at. You can also use roaming profiles at this point when the profiles are stored in a DFS share, which can make sure that the user's environment also feels the same no matter what site they are logged into as well.

Ping me via PM or email on split DNS and site configuration if you have any questions regarding these issues, and I'll be glad to respond.

Edit: I can't spell. It's a disease :rolleyes:.

Edited by cluberti
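The site-and-subnet work in steps 7 and 8 above is what makes "any user, any location" actually pick the nearest DC and, later, the nearest DFS replica: a client is placed in a site purely by which subnet its address falls in, so a missing or wrong subnet silently sends logons across the WAN. The script below is an added example, not cluberti's or the original poster's code, and uses the ActiveDirectory PowerShell module that ships with RSAT on Windows Server 2012 and later (the thread predates it; the same objects were created by hand in AD Sites and Services back then). The site names Jax and Ormond come from the thread; the subnets, DC names, site-link cost and replication interval are assumed placeholder values, and repadmin stands in for the replmon tool the post mentions.

```powershell
# Added example (not from the thread): build the single-forest site topology
# from cluberti's steps 7 and 8 and then check that replication is healthy.
# Assumed values: the /24 subnets, the DC names, and the site-link settings.
Import-Module ActiveDirectory

# Assumed address plan: one /24 per building in the Jax complex, one for Ormond.
$topology = @{
    'Jax'    = @('10.14.0.0/24', '10.15.0.0/24', '10.23.0.0/24')   # 1400, 1500, 2300
    'Ormond' = @('10.50.0.0/24')
}
# Assumed DC names and the site each one physically lives in.
$dcSites = @{ 'DC1400' = 'Jax'; 'DC2300' = 'Jax'; 'DCORM1' = 'Ormond' }

# 1. Sites: create only when missing so the script is safe to re-run.
foreach ($site in $topology.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnets: the subnet-to-site mapping is the whole mechanism by which
#    clients find a local DC (and, with DFS, a local replica). Every
#    address range you hand out via DHCP must appear here.
foreach ($site in $topology.Keys) {
    foreach ($cidr in $topology[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 3. A site link for the VPN path. Intra-site replication runs within
#    minutes; across the T1 we replicate every 3 hours (assumed value) so
#    AD traffic does not compete with file access during the day.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'Jax-Ormond'")) {
    New-ADReplicationSiteLink -Name 'Jax-Ormond' `
        -SitesIncluded 'Jax', 'Ormond' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# 4. Move each DC object into its site (step 7's "move the proper DC
#    objects"). A DC left in the wrong site serves the wrong clients.
foreach ($dc in $dcSites.Keys) {
    $current = (Get-ADDomainController -Identity $dc).Site
    if ($current -ne $dcSites[$dc]) {
        Move-ADDirectoryServer -Identity $dc -Site $dcSites[$dc]
    }
}

# 5. Verify before declaring victory: any replication failure in the
#    domain, plus the per-partner summary. Run again a few hours later,
#    as the post advises, because the inter-site topology is regenerated
#    by the KCC on its own schedule.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
repadmin /replsummary
```

The `-Filter` checks make the script idempotent, which matters here because the post expects the topology to be built incrementally as each building's DC is promoted. The verification step is the one to keep around afterwards: an empty result from `Get-ADReplicationFailure` and zero fails in the `repadmin /replsummary` table is the "no errors" state step 7 asks you to confirm.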

Good call on the title syntax ;)

And cluberti, I just might take you up on your PM offer. All the info you provided is very helpful, and definitely helps me with most of my issues. I'm winding down for the holiday, so it wouldn't be till afterwards when all this gets started, but I need to R & D some more. Thanx again!

One question on the DFS suggestion. I had another forum member suggest the same thing, and I like the idea. But my only question is how the replication works. Is it configurable to the point that I can set bandwidth and time settings for replicating across the WAN? For instance, if I wasn't too worried about having the data replicated immediately can I configure it to only replicate after office hours?


Actually, if you go with Windows 2003 R2 as the server OS, DFS is much better at dynamic data due to the improved replication schema and compression algorithms (it now only replicates changed data in a file, rather than whole files as it has with Windows 2003 SP1 (non-R2) and older versions of Windows).

Edited by cluberti
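The scheduling question above (replicate only after office hours, with a bandwidth cap) is answered by the R2 replication engine cluberti refers to, DFS Replication, which has a per-group and per-connection schedule with a bandwidth level for every 15-minute slot of the week; the older FRS engine has no such control. The following is an added example, not code from the thread, using the DFSR PowerShell module available on Windows Server 2012 R2 and later. The replication group and folder names, the file server names, the content paths and the 08:00 to 18:00 quiet window are assumed values; the hub-and-spoke layout mirrors the "remote replicas of the home-office file server" design from the earlier reply.

```powershell
# Added example (not from the thread): a hub-and-spoke DFS Replication
# group whose WAN traffic is blocked during office hours and unthrottled
# at night and on weekends. Assumed values: names, paths, and the window.
Import-Module DFSR

$group  = 'CompanyFiles'
$folder = 'Shared'
$hub    = 'FS1400.mydomain.com'                            # home-office file server
$spokes = @('FS2300.mydomain.com', 'FSORM1.mydomain.com')   # 2300 building, Ormond

# Group, replicated folder, and all members.
New-DfsReplicationGroup -GroupName $group | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName $folder | Out-Null
Add-DfsrMember -GroupName $group -ComputerName (@($hub) + $spokes) | Out-Null

# Hub-to-spoke connections. Add-DfsrConnection creates both directions
# unless -CreateOneWay is given, so each spoke can also send changes home.
foreach ($spoke in $spokes) {
    Add-DfsrConnection -GroupName $group `
        -SourceComputerName $hub -DestinationComputerName $spoke | Out-Null
}

# Content paths. The hub is the primary member for the initial sync, which
# is what decides whose copy wins when the folders first meet.
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $hub `
    -ContentPath 'D:\Shared' -PrimaryMember $true -Force | Out-Null
foreach ($spoke in $spokes) {
    Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $spoke `
        -ContentPath 'D:\Shared' -Force | Out-Null
}

# DFSR schedules are a 96-character string per day: one hex digit per
# 15-minute slot starting at midnight, 0 = no replication, F = full
# bandwidth, 1-E = increasing caps. Build the string from a quiet window.
function New-DfsrDaySchedule {
    param(
        [int]$QuietStartHour,          # first hour with no replication
        [int]$QuietEndHour,            # first hour replication resumes
        [string]$BusyLevel = 'F'       # level outside the quiet window
    )
    $slots = for ($h = 0; $h -lt 24; $h++) {
        $level = if ($h -ge $QuietStartHour -and $h -lt $QuietEndHour) { '0' } else { $BusyLevel }
        $level * 4                     # four 15-minute slots per hour
    }
    -join $slots
}

$weekday = New-DfsrDaySchedule -QuietStartHour 8 -QuietEndHour 18   # silent 08:00-18:00
$weekend = New-DfsrDaySchedule -QuietStartHour 0 -QuietEndHour 0    # replicate all day

Set-DfsrGroupSchedule -GroupName $group `
    -Day Monday, Tuesday, Wednesday, Thursday, Friday -BandwidthDetail $weekday
Set-DfsrGroupSchedule -GroupName $group `
    -Day Saturday, Sunday -BandwidthDetail $weekend

# Connections carry their own schedule, which overrides the group's unless
# told to inherit it; make every WAN connection follow the group schedule.
foreach ($spoke in $spokes) {
    Set-DfsrConnectionSchedule -GroupName $group `
        -SourceComputerName $hub -DestinationComputerName $spoke `
        -ScheduleType UseGroupSchedule
}

# Check what is still waiting to cross the WAN, per spoke.
foreach ($spoke in $spokes) {
    Get-DfsrBacklog -GroupName $group -FolderName $folder `
        -SourceComputerName $hub -DestinationComputerName $spoke
}
```

Two design points worth noting. Blocking daytime replication entirely (`0`) means a file saved in Ormond at 09:00 is not visible in Jax until 18:00; if that is too long, use a low cap such as `2` or `3` in the busy slots instead so changes trickle across without saturating the T1. And the schedule is interpreted in the member's local time unless the group is set to UTC, so two offices in different time zones need the window chosen with that in mind; here all three sites are in the same zone.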

Awesome, I was kinda looking forward to using R2, even if only for its improved print management. But looks like I'll have even more to play with! Thanx for all the info, the project is in progress, but on hold at the moment until all the gear arrives. I will update this as I know more.
