In my practice, I use the following principles:
About AD and services
1. There are two domain controllers in the head office with low latency replication.
2. In fully connected offices with broad channels through a full-fledged domain controller
3. In remote offices, with low-speed links over one RoDC
4. Those offices that do not have a server at their disposal either remain without a domain, or somehow work (live in a separate OU with sparing parameters for the life of sessions and DNS).
5. Each office is always in its own network segment. Each segment is a separate site in AD
6. DHCP+DNS screw, if it does not cause conflicts and can be used. WINS is more useful than not. Create reverse DNS zones, they speed up.
7. Miscellaneous equipment \ VoIP \ WiFi \ Printers \ Projectors \ Switches - if possible, in separate segments
Now more about networks
Determine in advance at least addressing outlines. Try not to use common home ranges, but stick to the recommended addresses (10/8, 172.16/12, 192.168/16)
The principles are
1. One fault-tolerant routing core per site. Try to close all traffic to one point. Reserve this point (in your case, VRRP plus an article on Habré )
2. Where possible, links go to LACP \ double \ second route \ two GRE tunnels
3. Less bridges - more routing. Transit networks only, if possible, no l2 hops.
4. If possible, equipment of the same class \ type \ purpose \ access level in one segment.
5. WiFi and VoIP are always in a separate segment.
Now some specifics for you.
Start with addressing, because if you don’t improve the traffic flow, the connectivity of the sites will be lost again and you will be raking with it until the end of your days.
Set up routing (fortunately, iron allows), and then go to AD (if the latter, of course, is off).
For office connectivity, use IPSec in transport, not tunnel mode (then you will thank me more than once).
You already have a decent number of offices, you can try to raise RIP or OSPF (in your case, I am for the first option, but if you have multiple connectivity between offices, then it will not work).
In principle, you do not have any prerequisites to fence the forest of Domains or second-level domains. Everything will perfectly live in one domain in different (although this is not necessary, you can configure everything based on sites) OU.
In terms of fault tolerance - I already wrote above, you don’t need to invent anything new - two AD with fast replication, two DHCP with separated areas, two DNS - it’s quite ok (for paranoids, you can use 3 AD, but IMHO this is too much for 300+ machines).
For data migration - plan for a gradual transition.
1. Raised New AD, raised new networks and distribute them via DHCP, they have all the parameters for new gateways and DNS
2. In the new DNS, they made a link to the old domains - this will allow the old ones to work, and the new ones not to have problems.
3. Machine after machine, transfer them to a new domain, create users, simply copy (migrate) user profiles, correcting user rights to folders in the profile. Without straining, you can translate 50 cars a day.
If you have any questions, you can contact me on skype.