Windows 2008 Server Domain Forests Question

Hey guys,

We are looking at shifting the domain controller from Samba to Windows 2008 R2 when it comes out. The main reasoning behind this is that although our current Samba DC works a treat, Windows 7 is shaping up to be the next OS for business use. From the minor testing we've found that it doesn't really work with our Samba domain.

Now for the question...

We have multiple sites situated around the UK with a centralised IT office. What we would like is that every site has its own read-only DC. This is obviously possible.

Now, is it possible for every site to have its own domain under the PDC's forest like so:

site1 = site1.company.com
site2 = site2.company.com

Where the DC for each site is the PDC (the one which owns company.com) and each site has its own read-only DC?

Hopefully I've made it clear but I can draw a diagram if anyone is having trouble understanding.

Thanks for the help.
 
You can only have one PDC, and you can have read/write or read-only DCs at each site. You have an option to either deploy DCs at each site, either read-only or read/write, or the other option is to have separate domains at each site and have all the domains under one forest. So each site can have its own domain.
 
It's probably best to go for a root domain that is empty with two DCs locked down in the main office, then depending on how big you are (are you global?) spread a pair of child domain DCs per main office. RO DCs are only really for branch offices with a small number of users; they are quite limited in their usefulness.
 
In terms of designing your AD, yes you can do what you've suggested.

(there is no 'PDC' server btw as in Windows NT, rather a FSMO role, one per AD forest - googling it will help as there's a bit too much to type here).

Is there any reason why you've not considered a single domain?
 
Is there any reason why you've not considered a single domain?
If people move from site to site (which is regular) for visiting purposes, sales people etc., they only need access to the internet and the files on their local PC. If we have a single domain, wouldn't their files be uploaded to a server on a site which they don't belong to? This is something we don't want, as each site can be seen as a separate company.

Ideally we want the situation in which we can manage the AD (IT Dept) from a central location and have read-only domain controllers at each site with password replication and a profile storage area. Users can only store their profile to the site they belong to.

Surely DirectAccess (at the moment we use OpenVPN) would become a viable solution in the future, if not right away, and therefore you need a separate domain per site which is fully qualified and points to their DC? (I'm not clued up on this, it's just an assumption... a lot of the information is very vague, especially from the Microsoft website.)

If someone could spare some moments and provide some information on how this would be possible that would be great.
 
If your only issue is the uploading of data onto other regions servers then why not design your domain so that this will not be an issue?

User1 from Region1, configured as a user on DCRegion1 with profiles and data on FPRegion1, won't start storing data on FPRegion2 when visiting Region2, right?

I am assuming you have some kind of WAN connection between your sites and your other regions' servers will be accessible from any other, so I am not sure what your limitation is?
 
User1 from Region1, configured as a user on DCRegion1 with profiles and data on FPRegion1, won't start storing data on FPRegion2 when visiting Region2, right?

Exactly, NTFS can handle file access. No need for separate domains just for different sites. You could possibly want separate domains if you had different admin teams for each site, but even that can be done with rights delegation within a single domain.
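The single-domain design the last two replies describe (per-site OU, per-site file server holding profiles and data, per-site RODC that only caches that site's passwords, and site admin rights delegated rather than split into separate domains) can be scripted. The following is an added example written for this thread, not something posted by any participant: it assumes a domain called company.com, a site named Site1, a file server FP-SITE1, an RODC named RODC-SITE1, a delegated group Site1-Admins and a user jsmith, all of which are made-up names, and it expects the Windows Server 2008 R2 ActiveDirectory PowerShell module on the machine it runs from.

```powershell
# Added example for the forum discussion above; all names below are assumptions.
# Runs on a Windows Server 2008 R2 member server or DC with RSAT installed.
Import-Module ActiveDirectory

$domainDN   = "DC=company,DC=com"        # assumed forest root domain
$site       = "Site1"                    # assumed site name
$fileServer = "FP-SITE1"                 # assumed per-site file/profile server
$rodc       = "RODC-SITE1"               # assumed per-site read-only DC
$siteOU     = "OU=$site,$domainDN"

# 1. One OU per site. Users, computers and groups for the site live under it,
#    so central IT keeps a single domain while each site gets its own container.
New-ADOrganizationalUnit -Name $site -Path $domainDN
New-ADOrganizationalUnit -Name "Users" -Path $siteOU
New-ADOrganizationalUnit -Name "Computers" -Path $siteOU

# 2. Per-site groups: one for the site's users (used by the RODC policy below)
#    and one for the local admins who get delegated rights on this OU only.
New-ADGroup -Name "$site-Users"  -GroupScope Global -Path $siteOU
New-ADGroup -Name "$site-Admins" -GroupScope Global -Path $siteOU

# 3. A site user whose roaming profile and home drive point at the site's own
#    file server. Wherever the user logs on, the profile comes from and goes
#    back to FP-SITE1; visiting Site2 does not make Site2's file server a
#    storage location, which answers the "files uploaded elsewhere" concern.
$user = "jsmith"
New-ADUser -Name $user -SamAccountName $user `
    -UserPrincipalName "$user@company.com" `
    -Path "OU=Users,$siteOU" `
    -ProfilePath "\\$fileServer\Profiles$\$user" `
    -HomeDirectory "\\$fileServer\Home$\$user" -HomeDrive "H:" `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $user") `
    -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity "$site-Users" -Members $user

# 4. RODC password replication policy: only this site's users may have their
#    password hashes cached on the branch RODC. A Site2 user visiting Site1
#    still authenticates (the RODC forwards to a writable DC over the WAN) but
#    their secret is never stored on the branch box, so a stolen RODC exposes
#    only Site1 credentials. Domain Admins are in the default Denied list already.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "$site-Users"

# 5. Delegation instead of a separate domain: let Site1-Admins reset passwords
#    and edit user objects under the Site1 OU only (inherit to sub-objects, /I:S).
#    dsacls ships with the OS; the rights below are the standard
#    "Reset Password" control-access right and write-property on user objects.
$admins = "COMPANY\$site-Admins"
dsacls $siteOU /I:S /G "${admins}:CA;Reset Password;user"
dsacls $siteOU /I:S /G "${admins}:WP;pwdLastSet;user"
dsacls $siteOU /I:S /G "${admins}:WP;userAccountControl;user"

# Verify: which accounts may be cached on the RODC, and what is actually cached.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc
```

The two `Get-ADDomainControllerPasswordReplicationPolicy*` calls at the end are the check to keep running after the build-out: the first shows who is permitted to be cached, the second who has actually been cached, and the difference between them is what you lose if that branch RODC is compromised. Fine-grained file access on `\\FP-SITE1\Profiles$` and `\\FP-SITE1\Home$` is then an NTFS and share permissions matter, as the last reply says, not an argument for a second domain.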
 