Dividing the Organization into Regional Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you cannot accommodate all of your users in a single domain, then you must select the regional domain model. Divide your organization into regions in a way that makes sense for your organization and your existing network. For example, you might create regions based on continental boundaries.

Keep in mind that because you need to create an Active Directory domain for each region that you establish, it is best to minimize the number of regions that you define for Active Directory. Although it is possible to include an unlimited number of domains in a forest, for manageability reasons it is recommended that a forest include no more than ten domains. You must establish the appropriate balance between optimizing your replication bandwidth and minimizing your administrative complexity when dividing your organization into regional domains.

First, determine the maximum number of users that your forest can host based on the slowest link in the forest across which domain controllers will replicate and the average amount of bandwidth you want to allocate to Active Directory replication. Table 2.5 lists the maximum recommended number of users that a forest can contain based on the speed of the slowest link, and the percentage of bandwidth you want to reserve for replication. This information applies to forests that contain a maximum of 100,000 users and that have a connectivity of 28.8 KBps or higher.

Table 2.5   Maximum Number of Users in a Forest

Slowest Link Connecting a   Maximum Number of Users     Maximum Number of Users     Maximum Number of Users
Domain Controller (KBps)    if 1% Bandwidth Available   if 5% Bandwidth Available   if 10% Bandwidth Available
--------------------------  --------------------------  --------------------------  --------------------------
28.8                        10,000                      50,000                      75,000
32                          10,000                      50,000                      75,000
56                          10,000                      75,000                      100,000
64                          25,000                      75,000                      100,000
128                         50,000                      100,000                     100,000
256                         75,000                      100,000                     100,000
512                         100,000                     100,000                     100,000
1500                        100,000                     100,000                     100,000

To use this table:

  1. In the Slowest Link Connecting a Domain Controller column, locate the value that matches the speed of the slowest link across which Active Directory will replicate in your forest.

  2. In the row that corresponds to your slowest link speed, locate the column that represents the percentage bandwidth that you want to allocate to Active Directory. The value at that location is the maximum number of users that your forest can host.

Note

  • The figures listed in Table 2.5 are approximations. The quantity of replication traffic depends largely on the number of changes made to the directory in a given amount of time. Confirm that your network can accommodate your replication traffic by testing the estimated quantity and rate of changes on your design in a lab before deploying your domains.

The values in Table 2.5 are based on the following assumptions:

  • All domain controllers are global catalog servers.

  • New users join the forest at a rate of 20 percent per year.

  • Users leave the forest at a rate of 15 percent per year.

  • Users are members of five global groups and five universal groups.

  • The ratio of users to computers is 1:1.

  • Active Directory–integrated DNS is used.

  • DNS scavenging is used.

If the maximum number of users that your forest can host is greater than the number of users that you need to host, then a single forest will work for your design. If you need to host more users than the maximum number that you identified, then you need to increase the minimum link speed, allocate a greater percentage of bandwidth for Active Directory, or deploy additional forests.

If you determine that a single forest will accommodate the number of users that you need to host, the next step is to determine the maximum number of users that each region can support based on the slowest link located in that region. Divide your forest into regions that make sense to you. Make sure that you base your decision on something that is not likely to change. For example, use continents instead of sales regions. These regions will be the basis of your domain structure when you have identified the maximum number of users.

Determine the number of users that need to be hosted in each region and then verify that they do not exceed the maximum allowed based on the slowest link speed and the bandwidth allocated to Active Directory in that region. Table 2.6 lists the maximum recommended number of users that a regional domain can contain based on the speed of the slowest link and the percentage of bandwidth you want to reserve for replication. This information applies to forests that contain a maximum of 100,000 users and that have a connectivity of 28.8 KBps or higher.

Table 2.6   Maximum Number of Users in a Region

Slowest Link Connecting a   Maximum Number of Users     Maximum Number of Users     Maximum Number of Users
Domain Controller (KBps)    if 1% Bandwidth Available   if 5% Bandwidth Available   if 10% Bandwidth Available
--------------------------  --------------------------  --------------------------  --------------------------
28.8                        10,000                      18,000                      40,000
32                          10,000                      20,000                      50,000
56                          10,000                      40,000                      100,000
64                          10,000                      50,000                      100,000
128                         15,000                      100,000                     100,000
256                         30,000                      100,000                     100,000
512                         80,000                      100,000                     100,000
1500                        100,000                     100,000                     100,000

To use this table:

  1. In the Slowest Link Connecting a Domain Controller column, locate the value that matches the speed of the slowest link across which Active Directory will replicate in your region.

  2. In the row that corresponds to your slowest link speed, locate the column that represents the percentage bandwidth that you want to allocate to Active Directory. That value represents the maximum number of users that the region can host.

Note

  • The figures listed in Table 2.6 are approximations. The quantity of replication traffic depends largely on the number of changes made to the directory in a given amount of time. Confirm that your network can accommodate your replication traffic by testing the estimated quantity and rate of changes on your design in a lab before deploying your domains.

The values in Table 2.6 are based on the following assumptions:

  • All domain controllers are global catalog servers.

  • New users join the forest at a rate of 20 percent per year.

  • Users leave the forest at a rate of 15 percent per year.

  • Users are members of five global groups and five universal groups.

  • The ratio of users to computers is 1:1.

  • Active Directory–integrated DNS is used.

  • DNS scavenging is used.

Evaluate each proposed region and determine whether the maximum number of users in each region is less than the recommended maximum number of users that a domain can contain. If you determine that the region can host the number of users that you require, then you can create a domain for that region. If you determine that you cannot host that many users, consider dividing your design into smaller regions and recalculating the maximum number of users that can be hosted in each region. The other alternatives are to allocate more bandwidth or increase your link speed.

Although the total number of users that you can put in a domain in a multidomain forest is smaller than the number of users in the domain in a single domain forest, the overall number of users in the multidomain forest can be higher. The smaller number of users per domain in a multidomain forest accommodates the additional replication overhead created by maintaining the global catalog in that environment.
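The forest-level and region-level checks described above, worked as an added example (not code from the TechNet article). It encodes Tables 2.5 and 2.6 as data, applies the two-step lookup to a constructed three-region design, and reports for each population the smallest bandwidth share that would host it; the region names, link speeds and user counts are constructed, and rounding a link speed down to the next slower table row is my assumption.

```python
# Added example (not from the TechNet article): Tables 2.5 and 2.6 as data plus the
# lookup procedure above. Assumption (mine): speeds between rows use the slower row.
# Row format: (slowest link KBps, (max users at 1%, 5%, 10% bandwidth))
FOREST_TABLE = [  # Table 2.5
    (28.8, (10_000, 50_000, 75_000)),   (32, (10_000, 50_000, 75_000)),
    (56, (10_000, 75_000, 100_000)),    (64, (25_000, 75_000, 100_000)),
    (128, (50_000, 100_000, 100_000)),  (256, (75_000, 100_000, 100_000)),
    (512, (100_000, 100_000, 100_000)), (1500, (100_000, 100_000, 100_000)),
]
REGION_TABLE = [  # Table 2.6
    (28.8, (10_000, 18_000, 40_000)),   (32, (10_000, 20_000, 50_000)),
    (56, (10_000, 40_000, 100_000)),    (64, (10_000, 50_000, 100_000)),
    (128, (15_000, 100_000, 100_000)),  (256, (30_000, 100_000, 100_000)),
    (512, (80_000, 100_000, 100_000)),  (1500, (100_000, 100_000, 100_000)),
]
BANDWIDTH_COLUMN = {1: 0, 5: 1, 10: 2}  # percent of bandwidth -> column index

def max_users(table, link_kbps, bandwidth_pct):
    """Largest row with speed <= link_kbps, read at the chosen bandwidth column."""
    if link_kbps < table[0][0]:
        raise ValueError("below 28.8 KBps: outside the scope of the tables")
    rows = [users for speed, users in table if speed <= link_kbps]
    return rows[-1][BANDWIDTH_COLUMN[bandwidth_pct]]

def minimum_bandwidth(table, link_kbps, users):
    """Smallest share (1, 5 or 10 percent) that hosts `users`; None means the
    link itself must improve or the population must be split further."""
    for pct in sorted(BANDWIDTH_COLUMN):
        if max_users(table, link_kbps, pct) >= users:
            return pct
    return None

def check_design(forest_link, bandwidth_pct, regions):
    """regions: {name: (slowest link in the region, users in the region)}.
    Forest total is checked against Table 2.5, each region against Table 2.6."""
    total = sum(users for _, users in regions.values())
    forest_cap = max_users(FOREST_TABLE, forest_link, bandwidth_pct)
    result = {"total_users": total, "forest_capacity": forest_cap,
              "forest_ok": total <= forest_cap,
              "forest_min_bandwidth_pct": minimum_bandwidth(FOREST_TABLE, forest_link, total),
              "regions": {}}
    for name, (link, users) in regions.items():
        cap = max_users(REGION_TABLE, link, bandwidth_pct)
        result["regions"][name] = {"users": users, "capacity": cap, "ok": users <= cap,
                                   "min_bandwidth_pct": minimum_bandwidth(REGION_TABLE, link, users)}
    return result

# Constructed sample: three regions, slowest inter-region link 56 KBps, 5 percent reserved
SAMPLE = check_design(56, 5, {"NorthAmerica": (256, 45_000), "Europe": (128, 25_000), "Asia": (56, 12_000)})
```

In the constructed sample every region fits its own row of Table 2.6, but the 82,000-user forest total exceeds the 75,000 that a 56 KBps link supports at 5 percent, so the design needs 10 percent reserved for replication, a faster slowest link, or an additional forest.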

Note

  • For recommendations that apply to forests that contain more than 100,000 users or connectivity of less than 28.8 KBps, consult an experienced Active Directory designer.

Figure 2.15 shows the regions that Contoso Corporation chose to use and the slowest link and number of users located in each region.

Figure 2.15   Contoso Corporation Proposed Regions and the Slowest Link Speed in Each Region
