Active Directory
serlis87, 2014-09-22 15:10:57

Which Active directory domain structure to use?

Hello. The situation is as follows. A company with 5 offices; the territorial division is relative. The main office has 214 computers, and the remaining 4 can be described as follows:
34 computers,
12 computers,
17 computers,
11 computers, but it is planned to expand the staff.
At the moment each office has a DC, but the forests are different and the domains are not connected. The network settings are disgusting. The main office has the network 192.168.1.0/22, the other offices 192.168.1.0/24.
Task: merge all offices into one forest and get centralized access to domain resources.
Available: MikroTik RouterOS level 4 will be used as gateways; the DCs are built on Active Directory, Windows Server 2012 R2.
Note: I am going to connect the branches (DCs) by means of IPsec + RADIUS (NPS). I cannot decide for myself what to do with the structure of the domain itself. Please advise. I am interested in something classic and fault-tolerant (even if more time-consuming). And the most important thing: how to migrate the existing data. Thanks in advance.


1 answer(s)
Cool Admin, 2014-10-03
@ifaustrue

In my practice, I use the following principles.
About AD and services:
1. There are two domain controllers in the head office with low-latency replication.
2. Fully connected offices with wide links get a full-fledged domain controller.
3. Remote offices with low-speed links get one RODC.
4. Offices that have no server at their disposal either remain without a domain or get by somehow (live in a separate OU with lenient parameters for session lifetime and DNS).
5. Each office is always in its own network segment. Each segment is a separate site in AD.
6. Tie DHCP and DNS together if it does not cause conflicts and can be used. WINS is more useful than not. Create reverse DNS zones; they speed things up.
7. Miscellaneous equipment \ VoIP \ WiFi \ printers \ projectors \ switches: if possible, in separate segments.
Now more about networks.
Determine at least the outline of the addressing in advance. Try not to use common home ranges, but stick to the recommended addresses (10/8, 172.16/12, 192.168/16).
The principles are:
1. One fault-tolerant routing core per site. Try to funnel all traffic through one point, and make that point redundant (in your case, VRRP, plus an article on Habré).
2. Where possible, links go over LACP \ doubled \ a second route \ two GRE tunnels.
3. Fewer bridges, more routing. Transit networks only; if possible, no L2 hops.
4. If possible, equipment of the same class \ type \ purpose \ access level in one segment.
5. WiFi and VoIP are always in a separate segment.
Now some specifics for you.
Start with addressing, because if you don't fix the traffic flow, the connectivity of the sites will be lost again and you will be struggling with it until the end of your days.
Set up routing (fortunately, the hardware allows it), and then move on to AD (if the latter, of course, is down).
For office connectivity, use IPsec in transport mode, not tunnel mode (you will thank me more than once later).
You already have a decent number of offices, so you can try to bring up RIP or OSPF (in your case I am for the first option, but if you have multiple paths between offices, then it will not work).
In principle, you have no prerequisites for building a forest of domains or second-level domains. Everything will live perfectly well in one domain in different OUs (although even this is not necessary; you can configure everything based on sites).
In terms of fault tolerance, I already wrote above; you don't need to invent anything new: two AD DCs with fast replication, two DHCP servers with split scopes, two DNS servers, and it's quite OK (for the paranoid, you can use 3 DCs, but IMHO this is too much for 300+ machines).
For data migration, plan for a gradual transition.
1. Raise the new AD, raise the new networks and distribute them via DHCP, with all parameters pointing to the new gateways and DNS.
2. In the new DNS, make a link to the old domains; this will let the old ones keep working and the new ones avoid problems.
3. Machine by machine, move them to the new domain, create the users, and simply copy (migrate) the user profiles, correcting the user rights to the folders in the profile. Without straining, you can migrate 50 machines a day.
If you have any questions, you can contact me on Skype.
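The site-per-segment layout and the DNS link to the old domains that the answer recommends, as an added PowerShell example (not code from the answerer or the asker). The office names, the 10.x.0.0 subnets, the old domain name and its DC address are constructed placeholders; the real values come from the addressing plan the answer says to draw up first.

```powershell
# Added example: one AD site per office, each office's new non-overlapping subnet
# mapped to its site, hub-and-spoke site links to the head office, and a DNS
# conditional forwarder for the old domain during the gradual migration.
Import-Module ActiveDirectory

# Constructed addressing plan (RFC 1918, no overlap). The existing 192.168.1.0/22
# and 192.168.1.0/24 networks overlap, which is why they cannot simply be joined.
$offices = @(
    @{ Site = 'HQ';      Subnet = '10.1.0.0/22' },  # 214 PCs, two writable DCs
    @{ Site = 'Branch1'; Subnet = '10.2.0.0/24' },  # 34 PCs, RODC
    @{ Site = 'Branch2'; Subnet = '10.3.0.0/24' },  # 12 PCs, RODC
    @{ Site = 'Branch3'; Subnet = '10.4.0.0/24' },  # 17 PCs, RODC
    @{ Site = 'Branch4'; Subnet = '10.5.0.0/24' }   # 11 PCs, growing, RODC
)

foreach ($o in $offices) {
    # Every office is its own site so clients locate their local DC/RODC and
    # inter-site replication is scheduled per link instead of flooding the WAN.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($o.Site)'")) {
        New-ADReplicationSite -Name $o.Site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($o.Subnet)'")) {
        New-ADReplicationSubnet -Name $o.Subnet -Site $o.Site
    }
}

# One site link per branch: the head office holds the writable DCs, branches
# replicate from it. Cost and interval are placeholders to tune per link speed.
foreach ($o in $offices | Where-Object { $_.Site -ne 'HQ' }) {
    $link = "HQ-$($o.Site)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded 'HQ', $o.Site `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Migration step 2: on the new DNS servers, forward the old forest's name to its
# existing DC so old resources keep resolving while machines are moved over.
# 'olddomain.local' and 192.0.2.10 are placeholders.
Add-DnsServerConditionalForwarderZone -Name 'olddomain.local' `
    -MasterServers 192.0.2.10 -ReplicationScope 'Forest'
```

Run it once on a writable DC in the new forest after the routing between offices is in place; the branch RODCs themselves are promoted separately with Install-ADDSDomainController -ReadOnlyReplica.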
