Home / server / Questions / 23484
Accepted
TechGuyTJ
Asked: 2009-06-11 08:53:11 +0800 CST

Upgrading Active Directory

  • 772

My company operates a SaaS product. My charge is our corporate environment, i.e. users, computers and the Data Center at the Corp office. I am planning to upgrade our current Active Directory structure. I have roughly 65 users where 60 work from our Corp office and the other five from their respective Home Offices. I have five data centers geographically dispersed with their own AD Forest. I would like to pull everything under a single forest. What is best practice here? Should they be their own independent Forest or should they be Domains under a parent forest. Keep in mind all access to the other data centers are accessed from the Corp office.

Also would it be better for me to Upgrade my Current Active Directory environment by promoting up or start from scratch? What are the pros and Cons of both?

windows active-directory

3 Answers

  1. Best Answer

    Typically once you get to AD, you want to promote up, not migrate. That way you don't have to do the computer account migrations, etc. The question of whether or not to be separate forests (or even domains) is more dependent on how you function, than anything else. Some things to think about:

    • Domains are not a security boundary. Forests are. If you require security boundaries that cannot be handled via delegated rights, then you should use multiple forests. Otherwise, one forest will do.
    • Do you need multiple domains? Or can you better served by using OUs and delegating rights at the OU level?
    • If you're worried about authentication traffic over the WAN and things like that, you should already have physical sites set up within AD. This will ensure that folks initially use the closest domain controller.
    • With 5 users geographically dispersed across multiple sites, do you need to deploy a DC to them (how's network connectivity, outages, etc.)? If not, then that gives more reason to pull back to a single forest, single domain configuration. Even if they do have issues with network connectivity, you can still deploy a single DC to the site. If you're going to 2008, this can even be a read only DC.
    • 3

  2. The crux of your question sounds like: Do I want a multi-forest infrastructure or a single forest infrastructure?

    You want multi-forest when you need security boundaries between the organizations. Domains are not security boundaries.

    Answer that question, and then the rest should be easy. You want as few forests as possible to satisfy your security boundary requirements. You want as few domains as possible to satisfy your replication boundary requirements.

    • 2

  3. My understanding is a bit dated, but newer versions of AD handle this case a bit better. I think this is a case where an empty root is a good idea. You have a domain at the top of your forest (say... dir.organisation.org) that is only there for DNS and global catalog. You then create sub-domains (tx.dir.organisation.org, ca.dir.organisation.org, etc) as child domains of the empty root. Then configure Sites for each of the geographically dispersed data-centers. Global catalog data will still have to be replicated across your WAN links, and so will DNS updates to some extent. Whether or not this is reasonable for your environment, you'll have to decide for yourself. But if you have the infrastructure for this, it is what I recommend. This will provide the built in trusts and unified account database that are one of AD's primary advantages.

    As for upgrading, we're a fan of promoting the functional level of the domain, then using dcpromo to demote a DC to a member server, reformatting it with the new OS version, then using dcpromo to make it a DC again. Wash, rinse, repeat for each DC until all are upgraded. Then once you're comfortable that your compatibility problems are solved, raise the functional level to that of the new OS.

    • 1