I work for a local school division that is migrating from Netware to Active Directory. We have a Win 2003 Domain Controller set up at our new high school. How should the other schools in the division be set up? Should they be subdomains, OU's, or their own domains? Each school will have its own file server. Each school will also be connected to the network by gigabit fiber terminating at switches with VLANs. The only router on the entire network will be the one that goes out to the Internet.
We are just trying to set everything up in the best way possible. We also want to make sure that the other schools will still be able to login to the domain even if the domain controller at the high school goes offline.
Any advice would be greatly appreciated.
Spike

The only router on the entire network will be the one that goes out to the Internet.
If each school (site) connects to the internet through a single router, then I would think a single domain with OU's for each school (site) might be the most manageable.
I would have two redundant DC's (if one should fail, the other takes over) located in your main center (likely the location with the router) and then put a single DC in each remote site. This would relieve WAN bandwidth congestion as local DC's would deal with local user authentication locally (as compared to having to send the authentication information to the main DC at the main site across WAN links).
The DC at each school could also do double duty as file server.
You might want your internal domain to have a slightly different DNS name from your external domain (assuming you're going to have a website).
You might want to have a look at your subnets/VLAN's. If it were me, I'd have my management VLAN span each site and would encompass the switch(es) and any VPN and/or network devices at each site. This allows you to remotely manage any network device with ease.
It would also include your router at your main site and any/all switches located there too. I would then make each location its own VLAN, providing a single subnet will give you enough IP's for each location. You may need to assign more VLAN's per site to allow for growth and the present number of IP's needed. Just remember to allow yourself some leeway for growth.
My preference, whenever possible, is to match subnet to VLAN tag:
ex:
VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
VLAN 3 = 192.168.3.0/24
etc.
Don't forget to document everything and definitely, DEFINITELY diagram your network out in detail.

Thank you so much for all of the information. I'm really new to Active Directory, so I was wondering if you could clarify some things. Would each domain controller have a copy of all of the school's OU's? For instance, would the high school OU be stored on the junior high and elementary DC's and vice versa? If a DC at a location goes down, will users at that location authenticate to the next nearest DC? If the DC at the high school is the one running DHCP are the DC's at the other schools child DC's or is that another concept?
Thanks for your help. I believe it is pretty simple, but I am having some difficulty grasping some of the concepts as they are new to me.
Spike

Ok, first off, you'll have to forgive me. The last 3+ years I've been specializing in networking and have moved away from Domain Administration and I hate to say it, but some of my skills are rusting due to lack of use. So in short, I've forgotten some stuff......lol.
Hopefully, if I make any mistakes or forget anything, someone else will set things right.
Now to your questions........
Once you've deployed DC's at each site and have replication working properly between them, all OU's, users, groups etc will be viewable from any location. Also, if the need arises, changes can be made at any location (ie: add/remove a user, change a user's group, permissions etc). Mind you, one has to keep in mind that it takes a little while for changes that are made to flow through the rest of the domain as replication has to take place in order for all DC's to have the updated information.
Should a local DC go down, users at that site's authentication should go to the next DC in line. Most likely the one at your central location. The reason for having a DC in each location and not just having all users authenticate to the one location is you want to keep WAN bandwidth usage to a minimum. If you have half a dozen sites with 100 users in each site, that's a lot of traffic at login time every day.
If the DC at the high school is the one running DHCP are the DC's at the other schools child DC's or is that another concept?
No, they're not "child" DC's. If each of the other schools was a "child domain" of the main domain at the high school, then they would be. But as DC's that are members of a single domain, but located at remote sites, they're not 'child' DC's, they're just regular DC's.
However, you will likely want to run DHCP locally at each location because you're going to want to segment your network into multiple subnets for:
- security reasons (ie: separate the portions of the school board's network that contain sensitive data on students and staff - you don't want some smart cracker jack kid hacking into that info and maybe oh, changing his marks, or getting personal info on teachers)
- reduce WAN traffic. Again, like the authentication, if every PC at every site is booting at approximately the same time requesting an IP from a single DHCP server at the high school....well, again, a lot of unnecessary WAN bandwidth being chewed up
- ensure you have enough IP's for your hosts. In a large environment, a single subnet will not be enough to do the job. So, you will want to have multiple subnets. My preference would be each location its own subnet. Likely you'll want an administrative subnet that spans all sites and encompasses all the data you don't want students to ever see
Thanks for your help. I believe it is pretty simple, but I am having some difficulty grasping some of the concepts as they are new to me.
Helping is my pleasure. Hopefully, I've not made any mistakes in what I've written.
I highly recommend you get some text books on administering a windows Active Directory domain. Also, do as much reading/research online as possible or if you can, get training! What you are attempting to do is not for beginners. At least, not if you want it done right and working as it should be.
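The "one subnet per site, one DC per site, fail over to the central DCs" design described in both replies is what Active Directory's sites and subnets are for: the DC locator matches a client's IP against the subnet objects and hands it a DC from that site first. The script below is an added example, not code from this thread; it assumes the ActiveDirectory PowerShell module, and the site names, subnets (taken from the VLAN plan above) and management VLAN range are hypothetical.

```powershell
# Added example, not from the original thread. Site names, subnets and the
# management VLAN range are assumed values matching the VLAN plan in the replies.
Import-Module ActiveDirectory

$hub = 'Hub'   # the main site with the two redundant DCs and the Internet router
$sites = @{
    HighSchool = '192.168.1.0/24'   # VLAN 1
    JuniorHigh = '192.168.2.0/24'   # VLAN 2
    Elementary = '192.168.3.0/24'   # VLAN 3
}

# One AD site per school plus the central site.
New-ADReplicationSite -Name $hub
foreach ($name in $sites.Keys) {
    New-ADReplicationSite -Name $name
    # A subnet object belongs to exactly one site; the DC locator uses the
    # client's IP-to-subnet match to prefer a DC in that site, so the school's
    # logons stay on the LAN instead of crossing the WAN.
    New-ADReplicationSubnet -Name $sites[$name] -Site $name
}

# The management VLAN spans every school, but an AD subnet can map to only one
# site, so associate it with the hub; hosts on it authenticate to the central DCs.
New-ADReplicationSubnet -Name '192.168.100.0/24' -Site $hub

# Hub-and-spoke replication: each school replicates with the central site.
# Site link cost also decides which site's DCs "cover" a school whose local DC is
# down, which is the failover to the next DC described above.
foreach ($name in $sites.Keys) {
    New-ADReplicationSiteLink -Name "$hub-$name" -SitesIncluded $hub, $name `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Verify which DC a client in a given site would be handed; with the local DC
# offline, this should resolve to a hub DC rather than another school's DC.
Get-ADDomainController -Discover -SiteName 'JuniorHigh' | Select-Object Name, Site
```

Running the last line from a workstation in each school, with the local DC up and then down, confirms the failover path before users depend on it.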
