Microsoft has publicly pushed for administrators to consolidate multiple Windows NT domains into a single Active Directory (AD) domain structure. The arguments for following this logic are strong, and in most cases, there are very few barriers to abandoning the multidomain concepts of old when adopting Windows 2000 and AD. Organizational Units (OUs) can be used to perform many of the same security functions as resource domains and other constructs found under NT, and the AD structure lends itself to a more streamlined organization.
However, there are a few reasons why an organization would choose to maintain a multidomain structure, even when migrating to Windows 2000 and AD. Many articles have been written on the security and political reasons for using a multidomain organization, so I won’t cover those topics in detail here. Instead, I’ll focus on the business reasons for maintaining multidomain structures.
Why you would want a multidomain structure
Most organizations have internal systems that cannot be allowed to suffer any significant downtime. ASPs, ISPs, and other service providers cannot allow clients to suffer unscheduled downtime, or large amounts of scheduled downtime, because they risk violating Service Level Agreements (SLAs). In either case, attempting large-scale upgrades on multidomain NT systems could lead to unwanted business effects.
To fully illustrate this idea, let’s consider a case study of a fictitious service provider attempting an upgrade to Windows 2000.
Generic Technologies Inc., an ASP, provides e-mail services via POP3 and IMAP protocols and Outlook Web Access using Microsoft Exchange 5.5. The organization has decided to begin rolling out Windows 2000 Server and Advanced Server to replace the existing NT 4 organization consisting of three domains—MAIN, INTERNAL, and EXTERNAL. There are no pressing political (i.e., departmental) or security reasons that would require this organization to maintain three domains after the upgrade is complete.
Under “normal” circumstances, all three domains could be rolled into one large domain, using OUs to handle separate security and resource distribution issues. One roadblock stands in the way of this ideal, however: the EXTERNAL domain contains user and e-mail accounts for clients who cannot be taken down for more than a few minutes of unscheduled time.
The SLA for these clients does allow for up to two hours per week, not to exceed five hours per month, of scheduled downtime for maintenance and upgrades. Therefore, rolling out an AD structure that would combine the EXTERNAL domain into the top-level AD domain could easily force a violation of the SLA should anything go wrong, as it often will during such upgrades.
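The weekly and monthly caps above are the planning constraint the rest of the case study turns on. The following is an added example, not code from the original article, that checks a proposed set of maintenance windows against those two caps and then re-checks it under a what-if overrun per window (the extra time a rollback or replication repair might cost). The dates and the 1.5-hour windows are constructed for illustration; the caps are the article's 2 h/week and 5 h/month.

```python
from collections import defaultdict
from datetime import datetime

# SLA limits from the case study: at most 2 h of scheduled downtime per week
# and 5 h per month.
WEEKLY_CAP_HOURS = 2.0
MONTHLY_CAP_HOURS = 5.0


def bucket_downtime(windows):
    """Sum downtime hours per ISO week and per calendar month.

    windows: iterable of (start: datetime, hours: float).
    Returns (per_week, per_month) dicts keyed by (iso_year, iso_week)
    and (year, month). A window is charged to the week/month it starts in.
    """
    per_week = defaultdict(float)
    per_month = defaultdict(float)
    for start, hours in windows:
        iso_year, iso_week, _ = start.isocalendar()
        per_week[(iso_year, iso_week)] += hours
        per_month[(start.year, start.month)] += hours
    return dict(per_week), dict(per_month)


def sla_violations(windows, weekly_cap=WEEKLY_CAP_HOURS, monthly_cap=MONTHLY_CAP_HOURS):
    """Return a sorted list of human-readable cap violations (empty if none)."""
    per_week, per_month = bucket_downtime(windows)
    problems = []
    for (y, w), h in sorted(per_week.items()):
        if h > weekly_cap:
            problems.append(f"week {y}-W{w:02d}: {h:.1f} h > {weekly_cap:.1f} h")
    for (y, m), h in sorted(per_month.items()):
        if h > monthly_cap:
            problems.append(f"month {y}-{m:02d}: {h:.1f} h > {monthly_cap:.1f} h")
    return problems


def check_plan(planned, overrun_hours=0.0):
    """Check a plan as written, then again with every window overrunning.

    planned: list of (start, hours). overrun_hours: constructed what-if extra
    time per window. Returns (violations_as_planned, violations_with_overrun).
    """
    as_planned = sla_violations(planned)
    stressed = [(start, hours + overrun_hours) for start, hours in planned]
    return as_planned, sla_violations(stressed)


# Constructed sample plan: three Saturday-night 1.5 h windows in March 2001,
# one per ISO week (weeks 9, 10 and 11), all in the same calendar month.
SAMPLE_PLAN = [
    (datetime(2001, 3, 3, 22, 0), 1.5),
    (datetime(2001, 3, 10, 22, 0), 1.5),
    (datetime(2001, 3, 17, 22, 0), 1.5),
]


def demo():
    """Run the sample plan with a 1 h overrun per window."""
    return check_plan(SAMPLE_PLAN, overrun_hours=1.0)


if __name__ == "__main__":
    ok, stressed = demo()
    print("as planned:", ok or "within SLA")
    print("with 1 h overrun per window:")
    for line in stressed:
        print("  ", line)
```

As planned the sample fits (1.5 h in each week, 4.5 h in the month); with one hour of overrun per window every week breaks the 2 h cap and the month breaks the 5 h cap. That asymmetry is the practical reason for separating the SLA-bound domain from the rest of the upgrade: a plan that is fine on paper has no headroom once anything goes wrong.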
To address the situation, GTI chose to create two Windows 2000 AD domains, MainAD and External, in the same AD forest, so that once both are upgraded the trust between them is the two-way transitive trust that AD establishes automatically between domains of a forest. By using this structure, the technical staff can upgrade and combine the MAIN and INTERNAL domains into a single AD domain, MainAD, without worrying about the impact on the EXTERNAL domain, which would remain on NT 4 until the staff was prepared to do an in-place upgrade during a maintenance window. (While EXTERNAL is still on NT 4, any trust between it and MainAD is an explicit NT-style one-way trust that must be maintained by hand; the automatic forest trust exists only after EXTERNAL is upgraded into the forest.)
Treading softly over the upgrade process
The staff identified the NT 4 domain controllers (both PDC and BDCs) that controlled the MAIN and INTERNAL domains and began the process of upgrading each in turn to Windows 2000 Server or Advanced Server, depending on their previous installs of NT. In an in-place upgrade the PDC of each domain must go first; the BDCs can follow, or remain on NT 4 in mixed mode, once the upgraded PDC is a Windows 2000 domain controller. The process began smoothly. However, despite extensive testing prior to the actual upgrade, attempting to upgrade the first BDC in the MAIN domain led to significant problems.
Several of these issues led them to make midstream adjustments to the original upgrade plans. Primarily, the staff decided to hold off on a planned upgrade to Exchange 2000 Server until a later date. As they were already having difficulty with Active Directory (which Exchange 2000 relies on heavily), adding the Exchange upgrade to the mix didn’t seem prudent at that juncture. Since the upgrade of the EXTERNAL domain originally called for upgrading to Exchange 2000 as well, an attempt to upgrade all servers could have led to rather disastrous amounts of downtime.
The staff did not encounter complete downtime on the two internal domains but did encounter a large number of replication issues and client logon difficulties for several days after the upgrade was complete. For internal users, this was a serious, but not business-critical, issue. For external clients, the same issues would have constituted a violation of the SLA. The decision to upgrade the EXTERNAL domain as a separate AD domain saved the company from potential business nightmares.
The company now maintains two Windows 2000 Active Directory domains, MainAD and External, both of which are running smoothly. The final in-place upgrade of the External servers was achieved with only two hours of total downtime, and, thanks to the lessons learned from the earlier upgrades, there were no replication or logon issues. Because the upgrade was scheduled after hours, all the downtime fell outside business hours, and clients did not report any significant issues.
Many businesses have SLAs with external clients and internal groups that will not allow staff to bring down vital services for the extended periods of time required for in-place upgrades of Windows NT domains to Windows 2000 and AD. Using a multidomain structure can allow your organization to perform smooth, timely upgrades without jeopardizing your business commitments in the process.
What type of Active Directory domain structure have you chosen?
Do you see advantages for your company in retaining a multidomain structure? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.