Active Directory Design on a Dime

Four forests or one? Four domains or one? The best AD design strives for simple and secure administration.

Bill: I am the sysadmin of a small school district in Tucson. For approximately one year, I have been in the planning/training stages of creating Active Directory in my school district. I'm about to take the plunge, but I'm hung up on one fundamental design choice: whether to create separate forests for my four sites (three schools and a district office) or combine them into a single forest.

I'm leaning towards creating completely separate forests, only because I don't need the constant replication traffic. The domains don't need to share objects with each other. The only intersite/inter-domain sharing concern I have is a soon-to-be WAN intranet Web site. I'll have two intranet sites that users at all four sites must be able to access using FQDNs using Internet browsers. This is possible, yes?

I am a one-man IT show, so there aren't any political concerns in my organization. My only concerns are the intranet Web site, a possible occasional file needing to be shared across the WAN, and simplified system administration. What do you think is easier to manage, four separate forests, or a single forest containing four domains?
—Andre De Leon

Let’s start with the design assumption about needing separate domains. You are the sole IT admin in your organization, yes? I take this to mean that the local schools don’t have their own admins or faculty who think they "know computers" and want to "help" you run the system.

The primary reason to have separate domains would be to erect management boundaries between admins responsible for different sections of the same organization. Creating separate forests makes this barrier even more secure by preventing an administrator in one domain from gaining system privileges on a domain controller and manipulating the contents of another domain.

Because you represent the entire IT organization, you have no need for separate forests or even separate domains. Create a single domain and put the users and groups and computers in each school in their own OU. This avoids complexities in creating groups and setting up group policies and other features that are more difficult to configure in multiple domains.
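The single-domain layout described above, as an added example that is not code from the column: one top-level OU per site with Users, Computers and Groups beneath it, plus one per-site GPO linked only to that site's Computers OU. It assumes the ActiveDirectory and GroupPolicy modules and a domain DN of DC=schooldistrict,DC=pri (hypothetical, following the column's naming); the site names are constructed.

```powershell
# Added example, not the column's own code. Builds the OU tree for a
# single-domain design and links one GPO per site. Idempotent: safe to re-run.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=schooldistrict,DC=pri'                        # hypothetical domain
$sites    = 'DistrictOffice', 'SchoolA', 'SchoolB', 'SchoolC' # constructed names
$children = 'Users', 'Computers', 'Groups'

function Ensure-Ou([string]$Name, [string]$Path) {
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # Protection flag keeps a slip of the mouse from deleting a whole school.
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

foreach ($site in $sites) {
    $siteDn = Ensure-Ou -Name $site -Path $domainDn
    foreach ($child in $children) {
        Ensure-Ou -Name $child -Path $siteDn | Out-Null
    }

    # One GPO per site, linked only to that site's Computers OU. In a single
    # domain this is all the separation the four sites need for policy.
    $gpoName = "Computers-$site"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    $target = "OU=Computers,$siteDn"
    $linked = (Get-GPInheritance -Target $target).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
    }
}

# Show the resulting tree.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    Sort-Object DistinguishedName | Select-Object DistinguishedName
```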

Using a single domain also avoids DNS complexities. You could host your external DNS resource records on a public-facing DNS server and make your domain controllers into DNS servers to host the internal DNS domain that corresponds to your Active Directory domain. For example, if you have a current public DNS domain of, you could root your AD domain in an internal DNS domain called schooldistrict.pri (for private). Integrate this zone into Active Directory and you have a secure, flexible structure where you can point all your clients for DNS lookups. Configure the DNS service on each domain controller to forward to your ISP DNS server and that takes care of finding Internet name records.
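The DNS arrangement described above, as an added example that is not code from the column: on each domain controller, make sure the private zone is stored in Active Directory, accept only secure dynamic updates, and forward everything outside the zone to the ISP. It assumes the DnsServer module (Windows Server 2012 or later) and the column's schooldistrict.pri zone; the ISP address is a constructed placeholder.

```powershell
# Added example, not the column's own code. Run on each DC that runs DNS.
Import-Module DnsServer

$zoneName = 'schooldistrict.pri'   # internal zone from the column
$ispDns   = '203.0.113.53'         # placeholder (TEST-NET-3), replace with the ISP resolver

# 1. Store the zone in AD so every DC/DNS server holds a writable replica
#    and the zone data rides along with normal AD replication.
$zone = Get-DnsServerZone -Name $zoneName
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Domain -Force
}

# 2. Secure-only dynamic updates: a record can be registered or overwritten
#    only by an authenticated domain member, and only by the account that
#    created it. Unsecured updates would let any LAN host hijack a server name.
Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate Secure

# 3. Send every query outside the zone to the ISP instead of root hints.
Set-DnsServerForwarder -IPAddress $ispDns -UseRootHint $false -Timeout 3

# 4. Verify the result from this DC.
Get-DnsServerZone -Name $zoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
Resolve-DnsName -Name "$env:COMPUTERNAME.$zoneName" -Server 127.0.0.1 -Type A
```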

As for the intranet Web site, I highly recommend putting it on a separate server, one that is not a domain controller. This removes the possibility that a Web attacker who gains root access through the Web service thereby gains access to Active Directory. I also recommend using Windows Server 2003 as the Web server to take advantage of its additional security and separate memory space for different Web sites. If your application won't run in a separate memory space, you can configure the Web service to run in IIS 5.0 Isolation Mode.
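A pre-flight check for the Web server placement advice above, as an added example that is not code from the column: it refuses to proceed if the host is a domain controller and lists every IIS application pool whose worker process identity is not a low-privilege built-in account. It assumes the WebAdministration module (IIS 7 or later); the IIS 5.0 isolation mode the column mentions has no cmdlet equivalent, but the same principle (no Web code running as a privileged identity on a DC) is what is being checked.

```powershell
# Added example, not the column's own code. Run on the intended Web server.
Import-Module WebAdministration

function Test-WebServerIsolation {
    # Win32_ComputerSystem.DomainRole: 0-3 workstation/member server,
    # 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        Write-Warning 'This host is a domain controller; do not host the intranet site here.'
        return $false
    }

    $ok = $true
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        switch ($pm.identityType) {
            'ApplicationPoolIdentity' { $label = 'ok (per-pool virtual account)' }
            'NetworkService'          { $label = 'ok (built-in, low privilege)' }
            'LocalService'            { $label = 'ok (built-in, low privilege)' }
            'LocalSystem'             { $label = 'FAIL: runs as SYSTEM'; $ok = $false }
            'SpecificUser'            { $label = "REVIEW: runs as $($pm.userName)" }
            default                   { $label = "REVIEW: $($pm.identityType)" }
        }
        '{0,-30} {1}' -f $pool.Name, $label
    }
    return $ok
}

Test-WebServerIsolation
```

A pool flagged REVIEW is not necessarily wrong, but a named account should be a dedicated, unprivileged service account and never a member of Domain Admins.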

Hope this helps. Good luck with the rollout. And stay cool in Tucson.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


Reader Comments:


Sat, Oct 25, 2003 Jesse Tucson

I also am a sys admin in Tucson AZ. One of our clients is a school district with 3 separate sites joined by point-to-point T1s and one T1 ISP uplink from the administrative site. We originally set up the forest with four separate domains under the same forest. This causes all sorts of headaches when you have admins/teachers/computer admins that all travel to the different sites and have different logins and different emails that they have to check at each. I wish that we had originally done four separate sites in the same contiguous namespace of the same domain. This would have saved us a lot of heartache in the long run.

Fri, Sep 19, 2003 Dan Grand Rapids MI

Normally, I would agree with one Forest. For a school, you may want to go as far as two forests, one for students, one for non-student. That way, should an enterprising student crack the admin password (and there will be at least one who will), your data is still safer on the non-student side. Also, make sure you use complex passwords on all admin accounts.

Fri, Sep 5, 2003 Anonymous Anonymous

Big pile of crap :P

Sun, Aug 31, 2003 Kelvin New York, NY

Excellent advice on the one forest AD design.

Tue, Aug 26, 2003 Anonymous Anonymous

Very good.

Thu, Jul 31, 2003 Jeremy, MCSA St. Louis, MO

I agree with using the single forest, single domain. Great idea! Especially for a one man IT show.

Wed, Jul 30, 2003 andy Manchester

Agree with Tony, the confusion here might have been about sites, can have four sites each with at least one DC and Global Catalog, then schedule replication

Wed, Jul 30, 2003 Tony Austin, TX

He is worried about Active Directory Replication. Make Global Catalog available at each site and unless there is a need for real time Replication modify the site links to replicate in the evening.

Tue, Jul 29, 2003 Brian Milwaukee, WI

One Forest, two domains (student/non-student). One OU per school for each. For the non-students, separate OUs for staff, teachers, and administration. For Students, separate OUs for each grad year (no moving students each year and helps eliminate name collisions for email addresses).

Email me if you have more questions...

Create scripts for bulk user add and delete that read exports from your student records software.
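Brian's bulk add/delete script, as an added example that is not code from the comment: it reads a constructed student-records CSV (columns StudentId, First, Last, GradYear), creates accounts in a per-graduation-year OU, and disables rather than deletes students who have dropped out of the export, so a bad export is recoverable. It assumes the ActiveDirectory module and a hypothetical OU=Students,DC=schooldistrict,DC=pri.

```powershell
# Added example, not the commenter's own script. One-way sync: records -> AD.
Import-Module ActiveDirectory

$csvPath   = 'C:\exports\students.csv'                  # constructed path
$studentOu = 'OU=Students,DC=schooldistrict,DC=pri'      # hypothetical OU
$upnSuffix = 'schooldistrict.pri'

function New-RandomPassword {
    # Cryptographic randomness; the value is handed to the school's enrollment
    # process out of band and must be changed at first logon.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$seen = @{}
foreach ($row in Import-Csv -Path $csvPath) {
    # Logon name derives from the immutable student id, not from the name,
    # so renames and duplicate names never collide.
    $sam = 's' + $row.StudentId
    $seen[$sam] = $true

    $yearName = "Class of $($row.GradYear)"
    $yearOu   = "OU=$yearName,$studentOu"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$yearOu'")) {
        New-ADOrganizationalUnit -Name $yearName -Path $studentOu
    }

    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if ($user) {
        if (-not $user.Enabled) { Enable-ADAccount -Identity $user }   # re-enrolled
        continue
    }

    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name "$($row.First) $($row.Last)" -GivenName $row.First -Surname $row.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Path $yearOu `
        -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
}

# Students no longer in the export are disabled, never deleted, so mailbox
# and file ownership survive until the school confirms the withdrawal.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $studentOu |
    Where-Object { -not $seen.ContainsKey($_.SamAccountName) } |
    ForEach-Object { Disable-ADAccount -Identity $_ }
```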

Tue, Jul 29, 2003 Shaun Anonymous

Why not use a subdomain of their registered domain name like instead of maintaining two separate DNS name spaces? Keep administrative overhead down. Still keep separate DNS servers (private and public / ISP) and use forwarding to make use of the external name server for forward lookups?

Tue, Jul 29, 2003 Anonymous Anonymous

Hit the nail on the head! Well done!

Tue, Jul 29, 2003 KLash MI

Excellent advice.

Tue, Jul 29, 2003 Ryan CT

I agree 100% with where Bill was going with this - my first thoughts were along the same lines.

One additional thing I'd add to Bill's comments, though, that might help to resolve the replication concerns:

Pay close attention to your site topology definitions. As long as you do a good job defining your sites and site links, you can get really granular in your control of what's replicating, when, and how often. Much simpler to address replication this way than with multiple forests.
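The site-topology approach Tony and Ryan describe, as an added example that is not code from either comment: define one site and subnet per location, join them with a single WAN site link, and restrict inter-site replication to an evening window. It assumes the ActiveDirectory module; site names and subnets are constructed placeholders.

```powershell
# Added example, not the commenters' own code. Four sites, one site link,
# replication allowed only 18:00-23:45 daily.
Import-Module ActiveDirectory

$sites = [ordered]@{                    # constructed names and subnets
    'DistrictOffice' = '10.0.0.0/24'
    'SchoolA'        = '10.0.1.0/24'
    'SchoolB'        = '10.0.2.0/24'
    'SchoolC'        = '10.0.3.0/24'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name]
    # Subnet-to-site mapping is what makes clients pick their local DC/GC.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# One site link spanning all four sites over the WAN. Cost and interval
# shape the KCC's connection objects; the schedule below limits when.
$linkName = 'DistrictWAN'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded ([string[]]$sites.Keys) `
        -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
}

# Evening-only window, as Tony suggests. Minutes are in 15-minute slots.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# Remaining steps, one per DC: move it into its site and enable the GC.
#   Move-ADDirectoryServer -Identity DC-SCHOOLA -Site SchoolA
#   Set-ADObject -Identity (Get-ADDomainController DC-SCHOOLA).NTDSSettingsObjectDN -Replace @{options=1}
Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationSchedule |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```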

Tue, Jul 29, 2003 Billy Rippetoe Redding,Ca

This is a very good article! It illustrates the main idea about Active Directory: keep it simple.

Tue, Jul 29, 2003 Ed Georgia

Andre, you missed the first premise of Forest Design - One Forest, One Domain - Any additional better have really great reasons.

Four Forests? What a real pain in the butt! That's 8 servers that should be dedicated to network functions of authorization and name services. That's four DNS domains.
Then there's how you administer from your workstation. - REAL Pain to get credentials for all forest.

One forest, one domain, four top level OUs. That's your optimal design.

How would you scale if your district grew and added 20 more schools?

And what about messaging? If you want Exchange and you want one domain for everyone, then you've got to have the single forest. (unless you want a REALLY convoluted configuration).

Simplify, Simplify, Simplify

You mention replication but you don't mention network speeds. Replication data is usually REALLY small for most organizations. Assuming 5,000 users, a FULL replication is only a few MB.

Tue, Jul 29, 2003 Anonymous Anonymous

The one thing that did not get mentioned was Exchange. If you have Exchange 5.5 and intend on going to Exchange 2000 you MUST consider how independent forests will affect Exchange and more importantly the global address list.

Tue, Jul 29, 2003 Jeff OKC

I agree totally. If I had time I'd come help you.
