Evaluate Your Active Directory Logical Structure

Updated: June 3, 2009

Applies To: Windows Server 2008

Many organizations that add Windows Server 2008 domain controllers to their existing Active Directory environment—including read-only domain controllers (RODCs) in branch office locations—also review the logical structure of their current environment and look for ways to improve it. The introduction of Windows Server 2008 domain controllers does not necessarily require any changes to your existing logical structure. However, it can present an opportunity to lower costs by reducing the number of domains that you currently have deployed. By reducing the number of domains, you can reduce complexity, improve efficiency, and reduce the administrative costs of running your environment.

For example, the following illustration of the forest for a fictional company called Contoso Pharmaceuticals shows the logical structure that was recommended in the Windows Server 2003 Active Directory Branch Office Guide (http://go.microsoft.com/fwlink/?LinkID=28523), including:

  • A corporate (corp) domain for the forest root

  • A headquarters (hq) domain for the datacenter

  • A branches domain for all the branch office locations

Figure: Sample logical structure (the Contoso Pharmaceuticals forest with its corp, hq, and branches domains)

In Windows Server 2003, using separate domains in this manner provided an organization with administrative benefits, such as centralized administration of network resources and autonomy between the datacenter and the branch offices.

In Windows Server 2008, you might obtain the same benefits by deploying a single domain. Therefore, your Windows Server 2008 branch office planning process can be a good time to revisit the decisions that led to your current logical structure design. You can confirm that the factors that led to those decisions are still relevant. You can also evaluate whether the cost of migrating to a consolidated environment is offset sufficiently by the savings that are obtained from the use of these new features.

The following table includes a list of issues that have led organizations to deploy multiple domains in the past, along with new Windows Server 2008 features that are designed to address these issues. You can review the table for issues that are relevant to your environment. Then, you can determine whether the new features in Windows Server 2008 justify any changes to your existing logical structure.

Issues that can require the deployment of an additional Windows Server 2003 domain, and the new Windows Server 2008 features that address them:

Issue: Different password policy requirements for different departments within an organization.

Windows Server 2008 feature: At the Windows Server 2008 domain functional level, you can configure fine-grained password policies (FGPPs) to apply different password policies to different sets of users within a single domain.

Issue: The scalability of File Replication Service (FRS), which is used to replicate SYSVOL contents between domain controllers. The recommended maximum number of domain controllers in one domain is 1,200.

Windows Server 2008 feature: At the Windows Server 2008 domain functional level, Distributed File System (DFS) Replication is used to replicate SYSVOL. Because DFS Replication scales more effectively than FRS, you can deploy more than 1,200 domain controllers in a single domain. However, if you plan to deploy more than 1,200 domain controllers in a single domain, ensure that you have an appropriate monitoring solution and troubleshooting procedures to manage an environment that large.
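The following script is an added example, not part of the original article, that walks through the two table entries from an administrator's console: it confirms the domain functional level, reports which engine currently replicates SYSVOL, and then creates a fine-grained password policy for one group while the default domain policy continues to apply to everyone else. It assumes the Active Directory module for Windows PowerShell is available on the management host (it shipped with Windows Server 2008 R2 and the Remote Server Administration Tools) and that the account has Domain Admins rights; the names PSO-Finance-Strict, Finance-Staff, and jdoe are constructed for illustration.

```powershell
# Added example (not from the original article). Assumes the Active Directory
# module for Windows PowerShell and Domain Admins rights. PSO, group, and user
# names below are constructed placeholders.
Import-Module ActiveDirectory

# 1. Both features in the table require the Windows Server 2008 domain
#    functional level, so check it before doing anything else.
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is '$($domain.DomainMode)'; raise it to Windows2008Domain before using FGPPs or DFS Replication for SYSVOL."
}
Write-Host "Domain functional level: $($domain.DomainMode)"

# 2. Raising the functional level does not by itself move SYSVOL from FRS to
#    DFS Replication; dfsrmig.exe (built into Windows Server 2008) reports the
#    migration state. 'Eliminated' means FRS is no longer used for SYSVOL.
Write-Host "SYSVOL replication migration state (dfsrmig /getglobalstate):"
dfsrmig /getglobalstate

# 3. Show the policy that applies to everyone by default (from the Default
#    Domain Policy GPO) so the FGPP can be compared against it.
$default = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Default domain policy: MinPasswordLength={0}, MaxPasswordAge={1} days, LockoutThreshold={2}" -f
    $default.MinPasswordLength, $default.MaxPasswordAge.Days, $default.LockoutThreshold)

# 4. Create a stricter policy for one department. FGPPs are stored as Password
#    Settings Objects (PSOs); when several PSOs apply to a user, the one with
#    the lowest Precedence value wins.
$psoName = 'PSO-Finance-Strict'   # constructed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stricter policy for finance staff (constructed example)'
}

# 5. Link the PSO to a global security group rather than to individual users;
#    group membership then controls who receives the stricter policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Finance-Staff'   # constructed group

# 6. Verify the resultant policy for a sample user. The cmdlet returns the
#    winning PSO, or nothing when only the default domain policy applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # constructed user
if ($resultant) {
    Write-Host "User jdoe receives PSO '$($resultant.Name)' (precedence $($resultant.Precedence), MinPasswordLength $($resultant.MinPasswordLength))"
} else {
    Write-Host "User jdoe receives only the default domain password policy"
}
```

When the resultant policy for a user in Finance-Staff shows the PSO while a user outside the group shows nothing, the domain is enforcing two password policies without a second domain, which is the consolidation case the table describes. Keep the default domain policy as the baseline and use PSOs only for the exceptions, so the number of policies stays small enough to audit.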

For more information about these features and other new features in Windows Server 2008, see What's New in Active Directory Domain Services in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=117789).

For more information about designing a logical structure, see Designing the Logical Structure for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkID=89024).

If you plan to reduce the number of domains that you are currently operating, you can use the Active Directory Migration Tool (ADMT) version 3.1 (v3.1) or non-Microsoft migration tools to migrate user, group, and computer accounts from one domain to another. ADMT v3.1 is available at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=122944).

Be sure that the domain controllers in the target domain are running Windows Server 2008 before you start the migration. ADMT v3.1 is specifically designed to work with migrations in which the target domain controllers run Windows Server 2008. ADMT v3.1 is also required if you migrate client computers that run Windows Vista.

For more information about using ADMT v3.1, see ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains (http://go.microsoft.com/fwlink/?LinkID=93678).
