Active Directory Design on a Dime

Four forests or one? Four domains or one? The best AD design strives for simple and secure administration.

Bill: I am the sysadmin of a small school district in Tucson. For approximately one year, I have been in the planning/training stages of creating Active Directory in my school district. I'm about to take the plunge, but I'm hung up on one fundamental design choice: whether to create separate forests for my four sites (three schools and a district office) or combine them into a single forest.

I'm leaning towards creating completely separate forests, only because I don't need the constant replication traffic. The domains don't need to share objects with each other. The only intersite/inter-domain sharing concern I have is a soon-to-be WAN intranet Web site. I'll have two intranet sites that users at all four sites must be able to access using FQDNs using Internet browsers. This is possible, yes?

I am a one-man IT show, so there aren't any political concerns in my organization. My only concerns are the intranet Web site, a possible occasional file needing to be shared across the WAN, and simplified system administration. What do you think is easier to manage, four separate forests, or a single forest containing four domains?
—Andre De Leon

Let’s start with the design assumption about needing separate domains. You are the sole IT admin in your organization, yes? I take this to mean that the local schools don’t have their own admins or faculty who think they "know computers" and want to "help" you run the system.

The primary reason to have separate domains is to erect management boundaries between admins responsible for different parts of the same organization. A domain is only an administrative boundary, though, not a security boundary: anyone who obtains SYSTEM on a domain controller in one domain of a forest can, with some effort, take over every other domain in that forest. Separate forests are what actually prevent an administrator in one domain from gaining system privileges on a domain controller and manipulating the contents of another domain, which is why the forest, not the domain, is the real security boundary in Active Directory.

Because you are the entire IT organization, you have no need for separate forests or even separate domains. Create a single domain and put the users, groups and computers of each school in their own OU. This avoids the complexity of creating groups, linking group policies and configuring other features across multiple domains. Your replication worry is answered inside the single domain, too: define one Active Directory site per location in Sites and Services, and replication between sites is compressed and runs only on the schedule you set, so you control when and how much directory traffic crosses the WAN links.

Using a single domain also avoids DNS complexities. Keep your public DNS resource records on a public-facing DNS server and make your domain controllers DNS servers for the internal zone that corresponds to your Active Directory domain. For example, if you already have a public DNS domain, you could root your AD domain in a separate internal DNS domain called schooldistrict.pri (for private). Store this zone in Active Directory and set it to accept only secure dynamic updates, so that only authenticated domain members can register or change their own records, and you have a secure, flexible structure to which all your clients can point for DNS lookups. Add A records for your two intranet servers to that zone and users at all four sites resolve them by FQDN from their browsers. Configure the DNS service on each domain controller to forward to your ISP's DNS server and that takes care of finding Internet name records. One caveat: a made-up suffix such as .pri can never carry a publicly trusted certificate, so if you expect to need one for the domain name itself, current Microsoft guidance is to root the forest in a subdomain of a DNS domain you already own instead.
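The single-domain layout and DNS design described above, as an added example that is not part of the original column. It assumes the ActiveDirectory, DnsServer and GroupPolicy PowerShell modules (RSAT on Windows Server 2012 or later, well after the Server 2003 era this column addresses), an already-promoted forest named schooldistrict.pri as in the column, and placeholder site names and ISP resolver addresses (TEST-NET range) that you would replace with your own.

```powershell
# Added example, not the column's own script: builds one OU tree per location in a
# single domain, links a per-site GPO, and hardens/forwards the AD-integrated DNS zone.
# ASSUMED: forest already promoted; names and addresses below are placeholders.
Import-Module ActiveDirectory, DnsServer, GroupPolicy

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName                         # e.g. DC=schooldistrict,DC=pri
$Sites    = 'DistrictOffice', 'SchoolA', 'SchoolB', 'SchoolC' # assumed location names
$IspDns   = '203.0.113.1', '203.0.113.2'                      # assumed ISP resolvers

# One OU per location, each with Users/Groups/Computers sub-OUs, so that a single GPO
# link or a single delegation entry scopes to everything at that school.
foreach ($site in $Sites) {
    $siteOu = New-ADOrganizationalUnit -Name $site -Path $DomainDn `
                  -ProtectedFromAccidentalDeletion $true -PassThru
    foreach ($child in 'Users', 'Groups', 'Computers') {
        New-ADOrganizationalUnit -Name $child -Path $siteOu.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
    }
    # Site-scoped baseline GPO: settings apply only to objects under this OU.
    $gpo = New-GPO -Name "$site Baseline"
    New-GPLink -Name $gpo.DisplayName -Target $siteOu.DistinguishedName -LinkEnabled Yes | Out-Null
}

# DNS zone for the AD domain: stored in AD, replicated to every DC that runs DNS,
# and accepting only Kerberos-authenticated (secure) dynamic updates, so an
# unauthenticated host on the LAN cannot overwrite a server's A record.
Set-DnsServerPrimaryZone -Name $Domain.DNSRoot -ReplicationScope Forest -DynamicUpdate Secure

# Intranet servers resolvable by FQDN from every site (assumed addresses).
Add-DnsServerResourceRecordA -ZoneName $Domain.DNSRoot -Name 'intranet'  -IPv4Address '10.10.1.20'
Add-DnsServerResourceRecordA -ZoneName $Domain.DNSRoot -Name 'intranet2' -IPv4Address '10.10.2.20'

# Everything outside our zone goes to the ISP resolvers rather than the root hints.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# Checks: DC locator SRV records resolve internally, and Internet names resolve via forwarding.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)" -Type SRV
Resolve-DnsName -Name "intranet.$($Domain.DNSRoot)" -Type A
Resolve-DnsName -Name 'www.microsoft.com' -Type A
```

Run it once from an account in Domain Admins on a domain controller. The -ProtectedFromAccidentalDeletion flag is deliberate: with one admin and no change control, an accidental right-click delete of a school's OU is the likeliest disaster, and the flag turns it into an access-denied error instead.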

As for the intranet Web site, I highly recommend putting it on a separate member server, one that is not a domain controller. Otherwise an attacker who compromises the Web service on a domain controller is a single privilege escalation away from SYSTEM on that machine, and SYSTEM on a domain controller means full control of Active Directory. I also recommend Windows Server 2003 with IIS 6.0 as the Web server, because its worker process isolation mode runs each application pool in its own process (w3wp.exe) under a low-privilege identity, so one compromised or crashed site does not take the others with it. If your application won't run in worker process isolation mode, you can switch IIS 6.0 into IIS 5.0 isolation mode, but you then give up that per-pool separation, so treat it as a last resort.
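The separation argued for above, as an added example that is not part of the original column: the intranet site in its own application pool under a virtual account, with read-only content rights and a check that the box is a member server rather than a domain controller. It assumes IIS with the WebAdministration module (Windows Server 2008 R2 or later; the column's IIS 6.0 exposes the same pool settings only through the GUI or adsutil.vbs), and placeholder names for the pool, site, content path and host header.

```powershell
# Added example, not the column's own script: isolate the intranet site in IIS.
# ASSUMED: IIS installed on a member server; names and paths are placeholders.
Import-Module WebAdministration

$PoolName = 'IntranetPool'
$SiteName = 'Intranet'
$SiteRoot = 'D:\Sites\Intranet'            # assumed content path, off the system drive
$HostName = 'intranet.schooldistrict.pri'  # assumed FQDN used from all four sites

# Refuse to proceed on a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw "This host is a domain controller; put the Web server on a member server." }

New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null

# Dedicated pool: its own w3wp.exe, running as the virtual account
# 'IIS AppPool\IntranetPool' rather than LocalSystem or a domain account.
New-WebAppPool -Name $PoolName | Out-Null
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedPipelineMode -Value Integrated

# Site bound to that pool; the host header leaves room for the second intranet site
# to share the server later in its own pool.
New-Website -Name $SiteName -PhysicalPath $SiteRoot -ApplicationPool $PoolName `
            -HostHeader $HostName -Port 80 | Out-Null

# Content is read/execute only for the pool identity: a code-execution bug in the
# site cannot be used to drop files back into its own web root.
$acl  = Get-Acl $SiteRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "IIS AppPool\$PoolName", 'ReadAndExecute',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SiteRoot -AclObject $acl

# Checks: pool identity is the virtual account, and the site is bound to that pool.
Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType
Get-Website -Name $SiteName | Select-Object Name, ApplicationPool, State
```

If the application genuinely needs a domain identity (for example, to reach a SQL server with Windows authentication), give the pool a dedicated low-privilege domain user or a group managed service account, never an account that is a member of Domain Admins; the point of the separate pool is lost if its identity can administer the directory.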

Hope this helps. Good luck with the rollout. And stay cool in Tucson.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
