Because an Active Directory domain can contain millions of objects, many companies will be able to convert from a multiple domain model to a single domain model, which simplifies management that must take place at the domain level,
such as some security technologies. You can combine domain resources in OUs in an organization that best suits your company's requirements, rather than creating and administering multiple domains.
You can easily move objects between OUs within the domain, nest OUs within each other, and create new OUs as the need arises.
A single domain model is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single domain. This domain is the forest root domain and it contains all of the user and group accounts in the forest.
- A single domain forest model reduces administrative complexity by providing the following advantages:
- Any domain controller can authenticate any user in the forest.
All domain controllers can be global catalogs; therefore, you do not need to plan for global catalog server placement.
In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers. While this model is the easiest to manage, it also creates the most replication traffic of the two domain models.
Partitioning the directory into multiple domains limits the replication of objects to specific geographic regions but results in more administrative overhead.
Just like designing your forest structure, you will also want to consider how many domains to deploy on your network.
The simplest domain design you can deploy is a single domain model
, where you deploy a single forest containing a single domain.
This is the simplest configuration to administer because any domain controller can authenticate any user in the forest, so
that you do not need to plan for Global Catalog placement
. The largest disadvantage of a single domain model is that it creates the largest possible
amount of replication traffic, since all Active Directory objects need to be replicated to domain controllers in any geographic location.
A major consideration in figuring out how many domains you can deploy is the number of users that you will be supporting. A well-connected
network can easily support 100,000 users in a single domain. For domains that include slower links, you will need to scale down that maximum accordingly.
For example, a 28K connection can support a maximum of 40,000 users, though 10,000 would be a more manageable number.
You should also estimate the number of users that you will be adding to Active Directory so that you do not outgrow your initial design too quickly.
Although it is possible to include any number of domains within a single AD forest, I would recommend deploying no more than ten to reduce complexity.
A number of other technical and business factors can influence your decision to deploy a single-domain versus a multiple-domain environment:
- Deploying Active Directory in an international corporation: Differences in languages and business practices might require you to deploy separate
domains. In particular, American and European companies often have different security and privacy regulations that they need to comply with.
- Unique security policies: Since an Active Directory domain can only have one password policy, account lockout policy, and the like, you may need to deploy separate domains to meet differing security requirements for different locations or divisions in your company
- Managing an existing domain structure: If you are migrating to Active Directory from an existing NT 4.0 network, you may need to maintain
multiple networks for backwards connectivity.
Global catalog Server:
Global catalog placement requires planning except if you have a single-domain forest. In a single-domain forest, configure all domain controllers as global catalog servers. In multiple-domain forests, global catalog servers facilitate user logon requests and forest-wide searches.