3 "sites" 2 static, 1 roaming. Locking down in AD, best way?

dustin

This is a brand new company, we are young and growing fast. I just came aboard and we are rebuilding the network. Currently we have one domain, not very well enforced with little restriction on anything (this drives me crazy). The remote office and laptops have pretty much free rein on everything, use workgroups, choose if they want to log into the domain, etc. We'd like to change this and I'd like to make use of Active Directory as it's mainly a Windows based network. What would you recommend as a base layout of the Forest and Domain structure?

We have three sites: the main office [mainoffice.local] <- point to point -> the satellite office [workgroups & domain clients], and a large group of laptops floating around the country using Aircards.

Should I create 2 domains in the main forest, 1 for the main office and 1 for the satellite office with limited trusts, then in a separate forest create a third domain for the roaming employees? I don't understand AD well enough to implement this on such a large scale, so any suggestions or ideas on how to set this up would be appreciated.

Also, any links you've found to be helpful in designing large scale AD implementations would be an added rad. :)
 
Well, I think the best rule of thumb is to keep to a single domain unless absolutely necessary, because you can use Sites and Services to control AD replication. This is assuming you will have at least 1 server at each site. There is a lot of information and thought that needs to go into the planning now or you'll end up in the same mess you have now. Read and google a lot. I think you have been assigned this task unfairly because it seems like you lack the experience to do this efficiently.
 
Yea, I've been googling my brain out. I've managed decent sized networks using AD, just never designed one this large.
 
Also, you might want to look at using Citrix (or Terminal Services if you have a tight budget). That way the remote users can log into the server and get their standard desktop from anywhere they have internet access. You could have the whole remote site use a Citrix server at the main office. Need a lot more information about the business requirements.
 
Have Citrix, know nothing about it but that it's like a Terminal Services application server. Maybe I should be looking into Citrix as a more viable alternative for the remote users.
 
dustin said:
Have Citrix, know nothing about it but that it's like a Terminal Services application server. Maybe I should be looking into Citrix as a more viable alternative for the remote users.

Citrix works extremely well if the users don't need high power apps like AutoCAD. If they just need Office and other low load apps it will save you a lot of work, and the users will always be able to access their e-mail and documents. Citrix is a bit pricey, but if you already have the licenses I'd use them. Also, you can look at using thin client devices like Wyse Winterms if you have users that don't need a real PC (like a CD burner); they are cheaper than PCs and they would work 100% in Citrix. The upside to that is there isn't much they can screw up on them, and the devices are low maintenance. There are too many advantages to Citrix that I can't list them all. The biggest downside is cost, but you buy connection licenses, which control how many people can be connected at once, so you technically can have more users than licenses and make it work just fine. I've had a remote office with 35 users work 100% on a Citrix server at the main office over a P2P T1.
 
Very insightful, thank you. The only problem is that without using dumb terminals to connect to Citrix I'm still stuck with oodles of remote machines that need to be secured. Yea, I volunteered for this :eek:
 
dustin said:
... designing large scale Ad implementations ....
Just how large is large?

oakfan52 said:
Well i think the best rule of thumb is to keep to a single domain unless absolutly neccessary.
Agree ... going beyond a single domain typically just introduces unnecessary complexity ... as oakfan52 indicated, in most cases you can create an OU structure and GPOs that will address your requirements. Going with a single domain will allow you to simply drag and drop objects from one container to another as the company grows and reorgs.

dustin said:
I'm still stuck with oodles of remote machines that need to be secured...
Don't forget that you not only need to secure their access ... but you need to physically secure them as well.
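What the single-domain advice in oakfan52's reply and the one above looks like in practice, as an added example that is not part of the thread: one domain (mainoffice.local, from the original post), AD Sites and Services to keep replication between the main office and the satellite on the point-to-point link, one OU tree for the three groups of machines, and a baseline GPO linked once so main office, satellite and roaming laptops all get the same lockdown. It uses the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, Windows Server 2012 or later) and assumes Domain Admin rights. The subnets (10.1.0.0/24, 10.2.0.0/24), the OU names (Workstations, MainOffice, Satellite, Roaming), the GPO name and the two registry settings are illustrative assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Requires ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=mainoffice,DC=local

# 1. Sites and Services: one site per physical location plus the subnets that map
#    clients to it. Inter-site replication then runs over the site link on a schedule
#    instead of every DC talking to every other DC continuously. The aircard laptops
#    have no fixed subnet, so they get no site; they use whatever DC they can reach.
$sites = @{
    'MainOffice' = @('10.1.0.0/24')   # assumed subnet
    'Satellite'  = @('10.2.0.0/24')   # assumed subnet, behind the P2P link
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($subnet in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            New-ADReplicationSubnet -Name $subnet -Site $site
        }
    }
}
# Put both sites on the default site link; 15 minutes is the shortest interval AD allows.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = 'MainOffice', 'Satellite'} -ReplicationFrequencyInMinutes 15

# 2. One OU tree instead of extra domains. Moving a laptop from Roaming to Satellite
#    later is a Move-ADObject (or drag and drop in the MMC), not a domain migration.
$ous = @(
    @{ Name = 'Workstations'; Path = $domainDN },
    @{ Name = 'MainOffice';   Path = "OU=Workstations,$domainDN" },
    @{ Name = 'Satellite';    Path = "OU=Workstations,$domainDN" },
    @{ Name = 'Roaming';      Path = "OU=Workstations,$domainDN" }
)
foreach ($ou in $ous) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" `
        -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 3. Baseline GPO linked once at the Workstations OU, so every managed machine gets it
#    regardless of which site it sits in. Two settings shown as examples (assumed):
#    domain-profile firewall on, and no last-logged-on username on the logon screen.
$gpoName = 'Workstation Baseline'                  # assumed name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline lockdown for all domain workstations'
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null

$target = "OU=Workstations,$domainDN"
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. The "choose if they want to log into the domain" problem, measured: domain-joined
#    roaming laptops that have not authenticated in 30 days are off the domain in
#    practice (or lost, which is the physical-security point above). Machines still in
#    workgroups never show up here at all; they have to be joined before AD can manage them.
$cutoff = (Get-Date).AddDays(-30)
Get-ADComputer -SearchBase "OU=Roaming,OU=Workstations,$domainDN" `
    -Filter "Enabled -eq 'True'" -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object Name, LastLogonDate
```

Run it from a domain controller or a management workstation with RSAT, as Domain Admin; every step is idempotent so it can be re-run as sites and OUs are added. Note that LastLogonDate is replicated only with a precision of about 9 to 14 days, so the stale-laptop report is a coarse indicator, not an exact last-contact time.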
 