Management Of Multi Domain Environment Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Multiple domains are commonly used by large organisations as a way of structuring larger networks into manageable units. Active Directory Domains and Trusts is used to manage the relationships that exist between domains, while Active Directory Users and Computers is used to configure settings within a single domain. A multi-domain environment is arranged into trees and forests; when the first domain is created, Active Directory automatically creates a forest and a tree with that domain as the root of both. On Windows Server 2008 R2, the domains inside a forest are linked by two-way transitive trusts (parent-child trusts between a domain and each of its child domains, and tree-root trusts between the forest root domain and the root domain of each additional tree); separate forests are linked by forest trusts. All domains in a forest share the same schema, configuration partition and global catalog, so when the Active Directory schema is changed, the change is replicated to every domain controller in every domain of the forest. It follows that the forest, not the domain, is the security boundary: an administrator of any domain in the forest can affect the whole forest, so organisations that need real isolation between business units use separate forests rather than separate domains.

Creating Domain Trees

A domain tree holds the relationships between domains that share a contiguous DNS namespace (for example corp.example.com and its child emea.corp.example.com). To build one, first create the root domain and then add child domains under it; a child domain can in turn be the parent of further subdomains. Alternatively, when a Windows Server 2008 R2 server is promoted to a domain controller, you can choose the option that makes it the first domain controller of a new domain and then the option that makes that domain the root of a new tree in the existing forest. All of these choices are made through the Active Directory Domain Services Installation Wizard (dcpromo) while logged on with an account that is allowed to add domains to the forest; for a new child domain or a new tree that means membership of the Enterprise Admins group of the forest root domain, not just the local Administrators group.

Joining a domain tree to a forest.

A forest is a set of one or more domain trees that share a common schema, configuration and global catalog but do not share a contiguous namespace (for example corp.example.com and research.example can be two trees of the same forest). To add a tree to a forest, run dcpromo on the server that will become the first domain controller of the tree's root domain, choose to create a new domain in an existing forest, and then create any child domains below it in the same way. The first domain created in a forest is the forest root domain and it cannot be removed: if the forest root domain is lost, the forest as a whole is unusable. For that reason the forest root domain should always have at least two domain controllers, so that the second one provides fault tolerance and a starting point for disaster recovery. Every domain in a forest holds a copy of the forest's schema and configuration partitions, and every global catalog server holds a partial copy of every domain in the forest.
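The two promotions described above (a new child domain in an existing tree, and a new tree in an existing forest) are normally clicked through in the dcpromo wizard, but on Windows Server 2008 R2 they can also be driven from an answer file with `dcpromo /unattend`. The script below is an added example written for this page, not something from the essay or from Microsoft; the forest root corp.example.com, the child name emea, the tree root research.example, the site name Paris and the deployment account CORP\ea-deploy are all assumed names. It is meant to be run on the member server that is about to become the first domain controller of the new domain.

```powershell
# Added example (not part of the essay): write a dcpromo answer file for a new child
# domain or a new tree in an existing forest, then run the unattended promotion.
# Assumed names: forest root corp.example.com, child "emea", new tree research.example,
# site "Paris", deployment account CORP\ea-deploy (a member of Enterprise Admins).

function Invoke-NewDomainPromotion {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Child','Tree')][string]$Kind,
        [string]$ParentDomainDnsName,                      # Child only: existing parent, e.g. corp.example.com
        [string]$ChildName,                                # Child only: left-most label, e.g. emea
        [string]$NewDomainDnsName,                         # Tree only: new tree root, e.g. research.example
        [Parameter(Mandatory=$true)][string]$NetBiosName,
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string]$EnterpriseAdminUser,  # DOMAIN\user allowed to add domains to the forest
        [string]$AnswerFile = "$env:SystemRoot\Temp\dcpromo-$Kind.txt"
    )

    # A child domain gets a DNS delegation created in the parent zone; a new tree has
    # no parent zone in this forest to delegate from, so its zone is created without one.
    if ($Kind -eq 'Child') {
        $kindLines = @("ParentDomainDNSName=$ParentDomainDnsName", "ChildName=$ChildName", 'CreateDNSDelegation=Yes')
    } else {
        $kindLines = @("NewDomainDNSName=$NewDomainDnsName", 'CreateDNSDelegation=No')
    }
    $userDomain, $userName = $EnterpriseAdminUser -split '\\', 2

    # The Directory Services Restore Mode password is the only secret that has to be
    # written to disk. Password=* makes dcpromo prompt for the deployment account's
    # password instead of storing it in the file.
    $dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
    $dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $lines = @('[DCInstall]', 'ReplicaOrNewDomain=Domain', "NewDomain=$Kind") + $kindLines + @(
        "DomainNetBiosName=$NetBiosName",
        "SiteName=$SiteName",
        'DomainLevel=4',                          # 4 = Windows Server 2008 R2 domain functional level
        'InstallDNS=Yes',
        'ConfirmGc=Yes',                          # first DC of the new domain is also a global catalog server
        "DatabasePath=`"$env:SystemRoot\NTDS`"",
        "LogPath=`"$env:SystemRoot\NTDS`"",
        "SYSVOLPath=`"$env:SystemRoot\SYSVOL`"",
        "UserDomain=$userDomain",
        "UserName=$userName",
        'Password=*',
        "SafeModeAdminPassword=$dsrmPlain",
        'RebootOnCompletion=No'                   # so the answer file can be removed before the restart
    )

    # Create the file empty, lock it down to Administrators and SYSTEM, and only then
    # write the content, so the DSRM password is never readable by other local users.
    New-Item -Path $AnswerFile -ItemType File -Force | Out-Null
    & icacls $AnswerFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
    Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII
    try {
        & dcpromo /unattend:"$AnswerFile"
    } finally {
        Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

# New child domain emea.corp.example.com under the existing tree:
Invoke-NewDomainPromotion -Kind Child -ParentDomainDnsName corp.example.com -ChildName emea `
    -NetBiosName EMEA -SiteName Paris -EnterpriseAdminUser 'CORP\ea-deploy'
# New tree research.example in the same forest (run on a different server):
# Invoke-NewDomainPromotion -Kind Tree -NewDomainDnsName research.example `
#     -NetBiosName RESEARCH -SiteName Paris -EnterpriseAdminUser 'CORP\ea-deploy'
```

Restart the server by hand once dcpromo reports success. The answer file is deleted in the `finally` block because it holds the DSRM password in clear text; if the promotion has to be repeated, the file is simply regenerated.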

Managing Trusts

Trusts are created automatically between a parent domain and each of its child domains within a tree, and between the forest root domain and the root domain of each additional tree in the forest. A trust lets users who authenticate in one domain be authenticated, and then granted access, in another: the trusted domain is the one where the user's account lives and the trusting domain is the one where the resource lives. A trust by itself grants no permissions, only the ability to be authenticated; access to a resource still has to be granted on that resource's ACL. The trusts that Windows Server 2008 R2 creates automatically inside a forest are two-way and transitive: if domain1 trusts domain2 and domain2 trusts domain3, then domain1 trusts domain3. Trusts created by administrators behave differently: external trusts to domains in other forests are non-transitive, and shortcut, external and forest trusts can all be created as one-way trusts. To configure trust relationships between domains you need Domain Admins membership in the domain concerned (Enterprise Admins for a forest trust), and the trust is created using Active Directory Domains and Trusts. SID filtering is enabled by default on new external and forest trusts, so that a SID placed in a foreign user's SID history cannot be used to claim membership of groups in this forest; it should be left on unless a migration specifically needs it.
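Because the type of a trust decides whether it is transitive and its direction decides whose principals it lets in, the first thing to do in an inherited multi-domain environment is to inventory the trusts and see which ones admit accounts from outside the forest. The script below is an added example written for this page, not the essay's own procedure; it uses only the System.DirectoryServices.ActiveDirectory classes that ship with .NET 3.5 on Windows Server 2008 R2, so it runs without the Active Directory PowerShell module and needs only an ordinary domain account to read the trust objects. The `netdom` check it prints for each flagged trust is the command that displays the SID filtering (quarantine) state of an external trust; running that check needs Domain Admins rights.

```powershell
# Added example (not part of the essay): list every trust seen from this forest and
# this domain, derive transitivity from the trust type, and flag the trusts that
# admit principals from outside the forest. Pure .NET, no AD module required.

Add-Type -AssemblyName System.DirectoryServices

function Get-TrustInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest-level trusts (this forest <-> other forests) plus the current domain's own
    # trusts: parent-child and tree-root trusts inside the forest, and any external or
    # shortcut trusts created by hand. A forest trust shows up in both lists when this
    # is the forest root domain, so de-duplicate on (source, target, type).
    $unique = @{}
    foreach ($t in @($forest.GetAllTrustRelationships()) + @($domain.GetAllTrustRelationships())) {
        $unique["$($t.SourceName)>$($t.TargetName):$($t.TrustType)"] = $t
    }

    foreach ($t in $unique.Values) {
        $type      = [string]$t.TrustType        # ParentChild, TreeRoot, CrossLink (shortcut), External, Forest, Kerberos
        $direction = [string]$t.TrustDirection   # Inbound, Outbound, Bidirectional

        # Transitivity is a property of the type: the automatic forest-internal trusts and
        # forest trusts are transitive, external (and Kerberos realm) trusts are not.
        $transitive   = @('ParentChild', 'TreeRoot', 'Forest') -contains $type
        $insideForest = @('ParentChild', 'TreeRoot', 'CrossLink') -contains $type

        # In this API "Inbound" means the source (our side) trusts the target, i.e. the
        # other side's principals can be authenticated here. Outside the forest, that is
        # the direction that admits foreign principals and whose SID filtering matters.
        $admitsForeign = (-not $insideForest) -and (@('Inbound', 'Bidirectional') -contains $direction)

        $check = ''
        if ($admitsForeign) {
            # netdom shows the current quarantine state when no :Yes/:No value is given
            $check = "netdom trust $($t.SourceName) /domain:$($t.TargetName) /quarantine"
        }

        New-Object PSObject -Property @{
            Source        = $t.SourceName
            Target        = $t.TargetName
            Type          = $type
            Direction     = $direction
            Transitive    = $transitive
            AdmitsForeign = $admitsForeign
            Check         = $check
        }
    }
}

Get-TrustInventory | Sort-Object AdmitsForeign -Descending |
    Format-Table Source, Target, Type, Direction, Transitive, AdmitsForeign, Check -AutoSize
```

Rows with `AdmitsForeign` set to True are the ones to review: an external trust that is inbound or two-way lets every account in the other domain authenticate against resources here, and if SID filtering has been disabled on it, the other domain's administrators can also inject SIDs from this forest into their users' SID history.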

Global Catalog

The global catalog holds information about every object in every domain of a forest, so that searches and logons do not have to contact each domain in turn. Each domain controller holds the full, writable copy of its own domain's objects; a global catalog server additionally holds a partial, read-only copy of the objects of all other domains in the forest, containing only the attributes that are most often searched for (the partial attribute set). A schema administrator decides which attributes are added to that default set, and a change to the schema, including a change to the partial attribute set, is reflected on every global catalog server. Not every domain controller holds the global catalog; only the domain controllers designated as global catalog servers do. For example, if a user searches for all inkjet printers in the company, the search is sent to the nearest global catalog server rather than to a domain controller in each domain.

Global Catalog server

A global catalog server is a domain controller that holds a copy of the global catalog: a full replica of its own domain partition plus a partial, read-only replica of every other domain partition in the forest. At least one global catalog server is required in every forest, and when there is more than one, the global catalog replicas are kept synchronised by normal Active Directory replication. When a forest is created, the first domain controller is automatically configured as a global catalog server. Global catalog servers are also needed at logon: a domain controller has to look up a user's universal group memberships, which are stored only in the global catalog, so a site that has no global catalog server (and does not have universal group membership caching enabled) cannot log ordinary users on while its WAN link is down. Any domain controller can be enabled or disabled as a global catalog server through the properties of its NTDS Settings object in Active Directory Sites and Services.
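Which domain controllers are global catalog servers, and whether every site has one, is easy to check from a script; the same .NET classes also expose the switch that the NTDS Settings dialog sets. The following is an added example written for this page, not code from the essay; it needs no Active Directory module, and the server name dc02.emea.corp.example.com used in the commented-out call is an assumption.

```powershell
# Added example (not part of the essay): report, per site, which domain controllers
# are global catalog servers, warn about sites that have none, and enable the global
# catalog on a DC from a script instead of the NTDS Settings dialog.
# Uses System.DirectoryServices.ActiveDirectory only (.NET 3.5 on Windows Server 2008 R2).

Add-Type -AssemblyName System.DirectoryServices

function Get-GlobalCatalogCoverage {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $dcs = @($site.Servers)                                  # DCs whose server object is in this site
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog() })

        # Without a GC, a DC cannot expand universal group membership at logon, so logons
        # in the site depend on the WAN unless universal group membership caching is on.
        $warning = ''
        if ($dcs.Count -gt 0 -and $gcs.Count -eq 0 -and -not $site.UniversalGroupCachingEnabled) {
            $warning = 'no global catalog server and universal group membership caching is off'
        }
        New-Object PSObject -Property @{
            Site              = $site.Name
            DomainControllers = ($dcs | ForEach-Object { $_.Name }) -join ', '
            GlobalCatalogs    = ($gcs | ForEach-Object { $_.Name }) -join ', '
            Warning           = $warning
        }
    }
}

# Same effect as ticking "Global Catalog" on the NTDS Settings object. Needs Enterprise
# Admins rights, and the DC only advertises itself as a GC once it has replicated in the
# partial replicas of the other domains.
function Enable-GlobalCatalogServer {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DomainController)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if (-not $dc.IsGlobalCatalog()) { $dc.EnableGlobalCatalog() }
    return $dc.IsGlobalCatalog()
}

Get-GlobalCatalogCoverage | Format-Table Site, DomainControllers, GlobalCatalogs, Warning -AutoSize
# Enable-GlobalCatalogServer -DomainController dc02.emea.corp.example.com
```

On a forest with a single domain every DC can safely be a GC; in a multi-domain forest the trade-off is the extra replication of the other domains' partial replicas into each branch site against the dependency on the WAN at logon, which is why the report also considers universal group membership caching.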

Replication within and between sites

Replication is the process by which changes made to the Active Directory database on one domain controller are transferred to the other domain controllers, and it is what keeps the domain controllers synchronised. Within a site, a domain controller notifies its replication partners about 15 seconds after a change, so replication between domain controllers on the same well-connected network segments completes within a minute or so. The Knowledge Consistency Checker (KCC) on each domain controller builds the replication topology within a site automatically, as a ring with extra connections added so that no domain controller is more than three hops from any other. Between sites, replication follows the schedule and interval configured on the site link (every 180 minutes by default) and the replicated data is compressed, so the use of slower, lower-bandwidth WAN links can be controlled.
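Whether replication is actually keeping up is something to verify rather than assume, especially across slow site links. The script below is an added example written for this page, not part of the essay; it uses `DomainController.GetReplicationNeighbors()` from System.DirectoryServices.ActiveDirectory, which reads the same inbound-partner data that `repadmin /showrepl` reports and therefore needs RPC access to each domain controller and domain administrator rights. The 24-hour staleness threshold is an assumption and should be set above the slowest site-link schedule in use.

```powershell
# Added example (not part of the essay): check inbound replication on every domain
# controller in the forest and flag partners that are failing or stale. Also shows
# which connections are inter-site (scheduled, compressed) and which are intra-site.

Add-Type -AssemblyName System.DirectoryServices

function Get-ReplicationHealth {
    param([int]$StaleAfterHours = 24)   # assumed threshold; raise it if a site link replicates less often

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $neighbors = @()
            $reachError = ''
            try   { $neighbors = @($dc.GetReplicationNeighbors()) }
            catch { $reachError = $_.Exception.Message }

            if ($reachError) {
                New-Object PSObject -Property @{
                    DC = $dc.Name; Partition = ''; Source = ''; InterSite = $null; Compressed = $null
                    LastSuccess = $null; Failures = $null; Status = "unreachable: $reachError"
                }
            }
            foreach ($n in $neighbors) {
                $opts = $n.ReplicationNeighborOptions.ToString()
                $age  = (Get-Date) - $n.LastSuccessfulSync
                $status = 'ok'
                if ($n.ConsecutiveFailureCount -gt 0) {
                    $status = "failing: $($n.LastSyncMessage) (0x$('{0:x}' -f $n.LastSyncResult))"
                } elseif ($age.TotalHours -gt $StaleAfterHours) {
                    $status = "stale: last success $([int]$age.TotalHours) h ago"
                }
                New-Object PSObject -Property @{
                    DC          = $dc.Name
                    Partition   = $n.PartitionName
                    Source      = $n.SourceServer
                    # Inter-site connections use the inter-site transport and compress data;
                    # intra-site connections rely on change notification and do not compress.
                    InterSite   = ($opts -match 'UseInterSiteTransport')
                    Compressed  = ($opts -match 'CompressChanges')
                    LastSuccess = $n.LastSuccessfulSync
                    Failures    = $n.ConsecutiveFailureCount
                    Status      = $status
                }
            }
        }
    }
}

Get-ReplicationHealth | Where-Object { $_.Status -ne 'ok' } |
    Format-Table DC, Partition, Source, InterSite, Failures, LastSuccess, Status -AutoSize
```

A partner that has failed for longer than the tombstone lifetime (60 or 180 days depending on how the forest was built) cannot simply be allowed to catch up, which is why this report is worth running on a schedule rather than only when something breaks.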

DFS Replication

DFS Replication stores its configuration (replication groups, members and connections) in Active Directory, so configuration changes reach every member through Active Directory replication, while the file data itself is transferred over DFS Replication's own connections. DFS Replication uses multi-master replication to keep copies of folders on several servers synchronised: a change made on any member of a replication group is replicated to every other member. It detects changes by monitoring the NTFS update sequence number (USN) journal of the volume, and a changed file is replicated once it has been closed; remote differential compression (RDC) sends only the changed blocks of large files. A shared folder can therefore have copies on several DFS servers, which gives load balancing and fault tolerance. Because replication is multi-master, a file edited on two members at the same time produces a conflict that is resolved last-writer-wins, with the losing copy moved to the ConflictAndDeleted folder, and deletions are replicated like any other change, so replicated folders are not a substitute for backups. Replication is set up with a wizard in the DFS Management console, which lists its steps in the left pane so progress is easy to follow.
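Once a replication group exists, the two questions an administrator keeps asking are whether each member is replicating normally and how far behind a member is. The script below is an added example written for this page, not the essay's own material; it talks to the DFS Replication WMI provider in the `root\MicrosoftDFS` namespace, which is what the DFS Management console and `dfsrdiag` use. The replication group Branch-Shares, the folder Finance and the members fs01.corp.example.com and fs02.emea.corp.example.com are assumed names, and the script has to run as an administrator of both members.

```powershell
# Added example (not part of the essay): DFS Replication health through the DFSR WMI
# provider: the state of every replicated folder on a member, and the backlog of files
# one member still has to send to another (what "dfsrdiag backlog" reports).

$dfsrNamespace = 'root\MicrosoftDFS'
# Documented values of DfsrReplicatedFolderInfo.State
$folderStates = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

function Get-DfsrFolderState {
    param([Parameter(Mandatory=$true)][string]$Member)
    Get-WmiObject -ComputerName $Member -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo |
        ForEach-Object {
            New-Object PSObject -Property @{
                Member  = $Member
                Group   = $_.ReplicationGroupName
                Folder  = $_.ReplicatedFolderName
                State   = $folderStates[[int]$_.State]
                Healthy = ([int]$_.State -eq 4)   # anything but Normal means the folder is not replicating here
            }
        }
}

function Get-DfsrBacklog {
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        [Parameter(Mandatory=$true)][string]$Folder,
        [Parameter(Mandatory=$true)][string]$SendingMember,
        [Parameter(Mandatory=$true)][string]$ReceivingMember
    )
    $filter = "ReplicationGroupName='$Group' AND ReplicatedFolderName='$Folder'"
    $sender   = Get-WmiObject -ComputerName $SendingMember   -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo -Filter $filter
    $receiver = Get-WmiObject -ComputerName $ReceivingMember -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo -Filter $filter
    # The receiver's version vector describes what it already has; asking the sender how
    # many of its files are newer than that vector gives the outbound backlog.
    $vv = $receiver.GetVersionVector().VersionVector
    return $sender.GetOutboundBacklogFileCount($vv).BacklogFileCount
}

Get-DfsrFolderState -Member fs01.corp.example.com | Format-Table Member, Group, Folder, State, Healthy -AutoSize
Get-DfsrBacklog -Group Branch-Shares -Folder Finance `
    -SendingMember fs01.corp.example.com -ReceivingMember fs02.emea.corp.example.com
```

A backlog that only ever grows in one direction usually means the receiving member's staging area is too small for the files being replicated, not a network problem; the folder state on the receiving side will still read Normal in that case, which is why the two checks are shown together.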

Sites and Branch office consideration

Windows Server 2008 R2 contains features such as Active Directory Sites and Services, BranchCache and the Read-Only Domain Controller (RODC) that help solve the problems of running multiple domains across multiple physical sites.

Active Directory Sites and Services

Active Directory uses sites to map the organisation's physical network: a site is a group of well-connected subnets, and each subnet object is associated with a site so that clients can find a domain controller close to them. Site links describe the connections that exist between sites. Each site link carries a cost, a replication interval and a schedule; the cost should reflect the relative cost and bandwidth of the underlying connection, and because a WAN link is slower and more expensive than a LAN, replication between sites runs only according to the site link's schedule and interval (every 180 minutes by default), whereas replication within a site is triggered by change notification about 15 seconds after a change. When more than one path exists between two sites, the lowest-cost route is the one used for replication.
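The site topology is only as good as the subnet and site-link objects behind it, and a few settings quietly undo the WAN control described above. The script below is an added example written for this page, not part of the essay; it uses the same System.DirectoryServices.ActiveDirectory classes as the earlier checks and runs with an ordinary domain account. It flags a site with no subnet object (clients on that network cannot be mapped to the site and may be sent to a domain controller anywhere), a site link with change notification turned on (replication then no longer waits for the schedule) and a site link with compression disabled.

```powershell
# Added example (not part of the essay): dump sites, their subnets and the site links
# between them, and flag settings that defeat the WAN controls the site model provides.

Add-Type -AssemblyName System.DirectoryServices

function Get-SiteTopology {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $seenLinks = @{}                                   # a link is attached to every site it joins; report it once
    foreach ($site in $forest.Sites) {
        $subnets = @($site.Subnets | ForEach-Object { $_.Name })
        $siteWarning = ''
        if ($subnets.Count -eq 0) { $siteWarning = 'no subnet object: clients on its network cannot be mapped to this site' }
        New-Object PSObject -Property @{
            Kind    = 'Site'
            Name    = $site.Name
            Detail  = "subnets: $($subnets -join ', ')"
            Warning = $siteWarning
        }

        foreach ($link in $site.SiteLinks) {
            if ($seenLinks.ContainsKey($link.Name)) { continue }
            $seenLinks[$link.Name] = $true

            $warn = @()
            if ($link.NotificationEnabled)         { $warn += 'change notification on: schedule and interval are bypassed' }
            if (-not $link.DataCompressionEnabled) { $warn += 'compression off: full-size data crosses the WAN' }
            # A null schedule means the link is available for replication around the clock.
            if ($link.InterSiteReplicationSchedule -eq $null) { $schedule = 'always' } else { $schedule = 'custom' }
            $ends = @($link.Sites | ForEach-Object { $_.Name }) -join ' <-> '

            New-Object PSObject -Property @{
                Kind    = 'SiteLink'
                Name    = $link.Name
                Detail  = "$ends; cost $($link.Cost); every $($link.ReplicationInterval.TotalMinutes) min; schedule $schedule"
                Warning = ($warn -join '; ')
            }
        }
    }
}

Get-SiteTopology | Format-Table Kind, Name, Detail, Warning -AutoSize -Wrap
```

Change notification on a site link is sometimes enabled deliberately for a hub-to-hub link with plenty of bandwidth; the point of the warning is that it should be a conscious choice for that link, not a leftover on a branch link that was meant to replicate on a schedule.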


BranchCache

When BranchCache is enabled, an organisation with slow links between offices can cache content in the branch office after it has been downloaded once, so that the same file does not have to cross the WAN every time it is accessed. For example, if James logs on at a branch office and downloads a file that takes five minutes, and Mary then opens the same file with BranchCache enabled, the file is served from the branch cache and Mary has it almost immediately. When cached content is accessed again, the client first asks the content server for the current content information (hashes of the file's blocks); if they have not changed, the content is fetched from the local cache, which saves both time and bandwidth. The cached blocks are encrypted with keys derived from that content information, which the content server only gives to clients that are authorised to read the file, so the branch cache does not let a user read a file the server would not have served. There are two BranchCache configurations: distributed cache mode and hosted cache mode.

Distributed cache mode: client machines must be running Windows 7 (Enterprise or Ultimate). Clients download content from a content server at the main office, keep a copy in their local cache and serve it to other clients on the same subnet, so the client machines themselves act as the cache. The Windows Server 2008 R2 content server is set up at the main office first, and the BranchCache components are already present on Windows 7 clients, but the client service is disabled by default and has to be enabled through Group Policy or netsh. In the earlier example, after James has downloaded the file, Mary receives the cached content from James's machine.

Hosted cache mode: the cached content is held on a Windows Server 2008 R2 server located in the branch office. Before setting up this configuration you need a content server at the main office, a Windows Server 2008 R2 hosted cache server in the branch office (with a server certificate the clients trust, because clients talk to it over HTTPS) and Windows 7 clients in the branch. The first client downloads the data from the content server at the main office and passes it to the hosted cache server, and other users in the branch then download it from the hosted cache server rather than from the main office. So after James has downloaded the file, the cached copy is placed on the Windows Server 2008 R2 hosted cache server, and Mary and all other users in the branch fetch it from there.
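The two modes above differ only in where the cache lives, and on Windows 7 and Windows Server 2008 R2 both are switched with `netsh branchcache`. The script below is an added example written for this page, not configuration from the essay; it collects the commands for a client in either mode and for the hosted cache server. The server name hcs01.emea.corp.example.com, the 5 percent cache size and the certificate thumbprint are assumptions, and in production the client settings would normally come from the BranchCache Group Policy settings rather than from a script run on each machine.

```powershell
# Added example (not part of the essay): the netsh commands behind the two BranchCache
# modes, for a Windows 7 client and for a Windows Server 2008 R2 hosted cache server.

function Set-BranchCacheClient {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Distributed','Hosted','Off')][string]$Mode,
        [string]$HostedCacheServer,   # FQDN of the branch's hosted cache server; must match its HTTPS certificate
        [int]$CachePercent = 5        # share of the system disk the local cache may use
    )
    # "set service" also configures the Windows Firewall rules the chosen mode needs
    # (peer discovery and HTTP between clients for distributed mode, HTTPS to the
    # hosted cache server for hosted mode).
    switch ($Mode) {
        'Distributed' { & netsh branchcache set service mode=distributed }
        'Hosted'      { & netsh branchcache set service mode=hostedclient "location=$HostedCacheServer" }
        'Off'         { & netsh branchcache set service mode=disabled }
    }
    if ($Mode -ne 'Off') {
        & netsh branchcache set cachesize "size=$CachePercent" percent=TRUE
    }
    & netsh branchcache show status all
}

function Set-BranchCacheHostedServer {
    param(
        # Thumbprint of a server-authentication certificate issued to this server's FQDN
        # by a CA the branch clients trust (assumed to be installed in the machine store).
        [Parameter(Mandatory=$true)][string]$CertificateThumbprint
    )
    # The BranchCache feature must be installed first (ServerManagerCmd -install BranchCache).
    & netsh branchcache set service mode=hostedserver
    # Bind the certificate to the HTTPS listener of the hosted cache application so that
    # clients can verify the server before uploading content to it. The appid is the
    # fixed application ID of the BranchCache hosted cache listener; check it against the
    # BranchCache deployment guide for your build before relying on it.
    & netsh http add sslcert ipport=0.0.0.0:443 "certhash=$CertificateThumbprint" "appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}"
    & netsh branchcache show status all
}

# Branch client, distributed mode:
Set-BranchCacheClient -Mode Distributed
# Branch client, hosted mode:
# Set-BranchCacheClient -Mode Hosted -HostedCacheServer hcs01.emea.corp.example.com
# On the hosted cache server in the branch:
# Set-BranchCacheHostedServer -CertificateThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
```

`netsh branchcache show status all` is the quickest way to confirm which mode a machine is actually in and whether the service is running; a client that Group Policy has put into hosted mode but that cannot validate the hosted cache server's certificate silently falls back to fetching everything from the main office.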

Read Only Domain Controller

A read-only domain controller (RODC) holds a read-only copy of the Active Directory database and of SYSVOL, but by default it stores no account passwords at all. Which passwords an RODC is allowed to cache is controlled by its Password Replication Policy: accounts in the Allowed RODC Password Replication Group (typically the ordinary users and computers of the remote site) may have their credentials cached on the RODC, while accounts in the Denied RODC Password Replication Group, which includes the administrative groups, never are. When a user logs on at the remote site for the first time, the RODC forwards the authentication to a writable domain controller at the main site and, if the policy allows it, caches the user's credentials for later logons. No change can originate at an RODC, either to the database or to SYSVOL; replication is one-way, from writable domain controllers to the RODC, so a change made on a writable domain controller reaches the RODC during the next replication cycle. Leaving a writable domain controller at a remote site is a risk, because whoever gets physical hold of it obtains every password hash in the domain; an RODC limits that exposure to the accounts its policy allowed, and if an RODC is stolen, deleting its computer account offers to reset the passwords of every account it had cached.
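The Password Replication Policy is only protective if it is kept tight, so the audit worth running is: which accounts has each RODC actually cached, and are any of them privileged. The script below is an added example written for this page, not the essay's own procedure; it uses the RODC cmdlets of the Active Directory module that ships with Windows Server 2008 R2 and has to run as a domain administrator on a writable domain controller or a machine with RSAT installed. The RODC name rodc01.emea.corp.example.com in the commented-out call is an assumption.

```powershell
# Added example (not part of the essay): for each RODC, compare the accounts whose
# secrets it has cached ("revealed") and the accounts its policy allows against the
# membership of the privileged groups, and report anything that overlaps.

Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    param([Parameter(Mandatory=$true)][string]$Rodc)

    # These groups are placed in the Denied RODC Password Replication Group by default,
    # but the policy can be edited, and nesting can put a member in "Allowed" as well.
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                        'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
    $privilegedSids = @{}
    foreach ($g in $privilegedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $privilegedSids[$_.SID.Value] = $g }
        } catch { }   # Enterprise Admins and Schema Admins only exist in the forest root domain
    }

    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    # Accounts whose password hashes are physically present in this RODC's database.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

    $problems = @()
    foreach ($acct in $revealed) {
        $sid = $acct.SID.Value
        if ($privilegedSids.ContainsKey($sid)) {
            $problems += "$($acct.SamAccountName) is cached but is a member of $($privilegedSids[$sid])"
        }
    }
    foreach ($p in $allowed) {
        if ($p.objectClass -eq 'group' -and $privilegedGroups -contains $p.Name) {
            $problems += "policy explicitly allows privileged group $($p.Name)"
        }
    }

    New-Object PSObject -Property @{
        Rodc          = $Rodc
        AllowedCount  = $allowed.Count
        DeniedCount   = $denied.Count
        RevealedCount = $revealed.Count
        Revealed      = ($revealed | ForEach-Object { $_.SamAccountName }) -join ', '
        Problems      = ($problems -join '; ')
    }
}

# Every RODC in the domain, then the exposure report for each one.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object { Get-RodcSecretExposure -Rodc $_.HostName } |
    Format-List
# Get-RodcSecretExposure -Rodc rodc01.emea.corp.example.com
```

The `Revealed` list is also the answer to the question that follows a stolen RODC: these are exactly the accounts whose passwords have to be reset, which is what Active Directory Users and Computers offers to do when the RODC's computer account is deleted.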

Group management

Before creating groups, it helps to understand how groups are used, which types and scopes of groups exist and how group nesting works in a multi-domain environment. There are two types of domain groups: distribution groups and security groups.

Distribution groups are used only for e-mail distribution lists; they are not placed in a user's access token, so rights and permissions cannot be assigned to them. Security groups can be granted rights and permissions and can also be used to send e-mail to multiple users; however, some applications cannot use security groups as mail lists, so distribution groups are still needed.

Whichever its type, every group in Windows Server 2008 R2 has one of three scopes: domain local, global or universal.

Domain local groups are used to assign permissions on resources in the domain where the group was created. They can contain user and computer accounts, global groups and universal groups from any domain in the forest (and from trusted domains), as well as other domain local groups from the same domain, but a domain local group can only be a member of other domain local groups in its own domain. Domain local security groups can be created at any domain functional level.

Global groups contain accounts and other global groups from the same domain in which they were created; they cannot contain domain local groups or universal groups. Because their membership is not stored in the global catalog, they are the right place to collect users by role, and global groups from several domains can then be nested into a single universal group.

Universal groups are useful in multi-domain forests: they let you manage resources and define roles that span domains, because they can contain accounts, global groups and other universal groups from any domain in the forest. Universal security groups can only be created when the domain functional level is Windows 2000 native or higher. Their membership is stored in the global catalog, so a change to it is replicated to every global catalog server in the forest; keeping their members to a few global groups rather than individual users keeps that replication traffic small.

When designing a group strategy for a multi-domain forest, use the best-practice nesting order known as IGUDLA (Microsoft documentation usually writes it AGUDLP, for Accounts, Global, Universal, Domain Local, Permissions):

I - Identities such as user and computer accounts are members of:

G - Global groups, one per domain, that collect members by role; the global groups from the different domains are members of:

U - A single universal group that represents the role across the forest, which is a member of:

D - A domain local group in the domain that holds the resource, representing the management rule that decides who gets a given level of access to a specific folder; the domain local group is then granted:

A - Access to the resource. For a shared folder, access is granted by adding the domain local group, and never individual users, to the folder's ACL (access control list).
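The chain above is easiest to understand built end to end, and once it exists the useful control is an audit that finds ACL entries which bypass it. The script below is an added example written for this page, not the essay's own material. It assumes a forest root corp.example.com with a file server FS01 and the folder E:\Shares\Finance, a child domain emea.corp.example.com in which the analyst account alice lives, and an OU called Groups in each domain; it requires the Active Directory module and rights to create groups in both domains and to change the folder's ACL.

```powershell
# Added example (not part of the essay): build one IGUDLA/AGUDLP chain across two
# domains, then audit a folder's ACL for entries that do not follow the pattern.

Import-Module ActiveDirectory

$root    = 'corp.example.com'                            # resource domain (file server FS01)
$child   = 'emea.corp.example.com'                       # account domain (user alice)
$ouRoot  = 'OU=Groups,DC=corp,DC=example,DC=com'
$ouChild = 'OU=Groups,DC=emea,DC=corp,DC=example,DC=com'
$share   = 'E:\Shares\Finance'

function New-AgudlpChain {
    # G: global group in the account domain, membership by role
    $g = New-ADGroup -Name 'G-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $ouChild -Server $child -PassThru
    Add-ADGroupMember -Identity $g -Members 'alice' -Server $child
    # U: one universal group for the role across the forest (its membership lives in the global catalog)
    $u = New-ADGroup -Name 'U-Finance-Analysts' -GroupScope Universal -GroupCategory Security -Path $ouRoot -Server $root -PassThru
    Add-ADGroupMember -Identity $u -Members $g -Server $root
    # DL: domain local group in the resource domain, named after the resource and the access level
    $dl = New-ADGroup -Name 'DL-FS01-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouRoot -Server $root -PassThru
    Add-ADGroupMember -Identity $dl -Members $u -Server $root
    # A: only the domain local group goes on the folder's ACL
    $acl  = Get-Acl -Path $share
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$($dl.Name)", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $share -AclObject $acl
}

# Audit: every explicit (non-inherited) ACE on the folder should resolve to a domain
# local group. Accounts, global groups and universal groups granted directly are flagged.
# The global catalog (port 3268) is queried so that a principal from any domain in the
# forest can be resolved with one search.
function Test-AgudlpAcl {
    param([Parameter(Mandatory=$true)][string]$Path)
    $gcHost = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    $gc     = "${gcHost}:3268"

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $sid.StartsWith('S-1-5-21-')) { continue }   # well-known SIDs (SYSTEM, BUILTIN\Administrators) are not domain principals

        $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -SearchBase '' -SearchScope Subtree -Server $gc -Properties groupType
        $verdict = 'ok'
        if (-not $obj) {
            $verdict = 'unresolved SID (deleted principal?)'
        } elseif ($obj.ObjectClass -eq 'user' -or $obj.ObjectClass -eq 'computer') {
            $verdict = 'account granted directly; move it into a group'
        } elseif ($obj.ObjectClass -eq 'group' -and (($obj.groupType -band 0x4) -eq 0)) {
            # groupType bits: 0x4 domain local, 0x2 global, 0x8 universal
            $verdict = 'global/universal group on the ACL; nest it in a domain local group instead'
        }
        New-Object PSObject -Property @{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Verdict  = $verdict
        }
    }
}

New-AgudlpChain
Test-AgudlpAcl -Path $share | Format-Table Identity, Rights, Verdict -AutoSize
```

Because the universal group is the only cross-domain link in the chain, adding a new region later means creating one more global group in that region's domain and nesting it into U-Finance-Analysts; nothing on the file server changes, which is the whole point of the pattern.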


The topics above (trees, forests, trusts, replication, global catalog servers, sites, BranchCache, RODCs and group management) describe how a Windows Server 2008 R2 environment with multiple domains is managed and configured. Organisations create multiple domains for several reasons: they scale better, and because each domain's objects are replicated only among that domain's own domain controllers, they reduce replication traffic. However, multiple domains are harder to manage, particularly when it comes to maintaining administrative consistency, and it is much harder to rearrange a domain topology in Active Directory than to reorganise organisational units within a single domain. It should also be remembered that every domain in a forest trusts every other, so splitting a forest into domains gives administrative separation but not security isolation.