Single Domain Vs. Multiple Domain for a Global Enterprise (70 countries)

Subject: Single Domain Vs. Multiple Domain for a Global Enterprise (70 countries)
Posted by:  Domenico Palombo (dpalom…
Date: 25 Jul 2006

Hi All,

We have been having this debate for over a year now and I was wondering
if I couldn't get some input from any AD experts out there.  I even
brought up this issue on a visit to Microsoft HQ in Redmond, and
received mixed responses.

We are an organization spanning the globe in 70 countries.  We
currently operate as one forest in the US, and one forest in each
individual country.  No trusts have been established.  We are planning
on migrating to a global AD, however there has been serious debate
about the domain structure -- should we implement a single
forest-single domain, or a single forest-multiple domain model.

Most of our sites are in developing countries with limited bandwidth.
Sites that do not have 128k lines have VSAT installations (with about
500ms latency).  We have tested VPN tunnels over these lines and
effective bandwidth goes down to about 56k.  The connections in some
countries are flaky, and sometimes we experience outages in locations
for up to a week.

We are estimating about 3,500 users in our directory.  We also have a
support model where a network admin is at each country with full domain
admin rights (of their domain.)  For ease of management and support,
people have supported the single domain model with host country admins
being given rights over their respective OUs.  I still see this as a
major security risk... (I would prefer to have them be admins of their own
child domain...yes, SID filtering is possible, but the probability of
that happening is a lot lower than someone giving themselves admin
rights in a global domain where they have physical access to DCs).

Maintaining network security standards (and regulatory compliance) is

I have been an advocate of a multiple domain model simply for the fact
of minimizing replication of global AD data, while also maintaining
security standards.  In some countries, physical security of our
servers cannot be guaranteed.

So, there is our scenario...single global domain over a weak WAN with
weak physical security, or multiple child domains in a single forest.

Any advice would be appreciated!!!

Domenico Palombo
MCSE 2003 Security, CISSP, CCSP
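Two of the risks raised in the post (whether SID filtering is actually in place on trusts, and what a delegated country admin can do inside "their" OU of a single global domain) can be audited rather than argued about. The following is an added example, not code from the original poster; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and the OU distinguished name and the list of expected privileged principals are placeholders to adapt. Note that inside one forest the domain is not a security boundary, so the SID filtering report is mainly relevant to the external or forest trusts used while migrating from the per-country forests.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module; run with an account that can read trusts and OU security descriptors.
Import-Module ActiveDirectory

# --- Check 1: is SID filtering enabled on each trust? ---
# SIDFilteringQuarantined applies to external trusts, SIDFilteringForestAware
# to forest trusts; a $false on an external trust is worth investigating.
function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
        }
    }
}

# --- Check 2: which principals hold escalation-capable rights on a country OU? ---
# GenericAll / WriteDacl / WriteOwner / GenericWrite on an OU let the holder
# regrant themselves anything beneath it, which is far more than the
# "manage accounts in your OU" delegation the single-domain model intends.
function Get-RiskyOuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        # Principals expected to hold broad rights; everything else is reported.
        [string[]] $ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'Domain Admins', 'Enterprise Admins'
        )
    )
    $riskyRights = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.ToString() -match $riskyRights
        } |
        Where-Object {
            $id = $_.IdentityReference.Value
            -not ($ExpectedPrincipals | Where-Object { $id -like "*$_" })
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } },
                      @{ n = 'AppliesTo'; e = { $_.InheritanceType } }
}

# Usage with a placeholder DN for one country OU in a single-domain design:
Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-RiskyOuDelegation -OuDistinguishedName 'OU=KE,OU=Countries,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Running the second check against each country OU before and after delegation gives a concrete list of who could elevate from that OU, which is the input the single-versus-multiple-domain decision actually turns on; it does not address the physical-access-to-DCs concern, which no ACL can mitigate.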