Windows Server 2003 Migrations: Domain Rationalization

Migrating from Windows Server 2003 to Windows Server 2012 R2 gives you a chance to reassess your organization’s Active Directory structure. Specifically, it gives you a chance to rationalize the number of domains your organization has.

Orin Thomas

February 9, 2015


The number of domains required depends on several factors, and the advice about which of these factors actually matter has sometimes been a little confusing. Whatever advice was available in the past, it’s fair to say that the guidance available when Windows Server 2003 was released is different to the guidance on how many domains are necessary when you are using newer versions of the Windows Server operating system.

The upper recommended user account limit on domains using current versions of the Windows Server operating system is 100,000 users. The limit depends on how much bandwidth you have available in the slowest link between any two domain controllers. At the lowest level, if you’ve got a 28.8 Kbps link and only 1% of your bandwidth is available for replication traffic, a modern domain will still support 10,000 users. If 10% of that small 28.8 Kbps link is available, that number jumps from 10,000 to 40,000 users.

The vast majority of organizations today have site links that are much better than 28.8 Kbps. Unless they are a very big organization, they also tend to have fewer than 10,000 users. The takeaway from this is that for the vast majority of organizations, a single domain is all that’s necessary.

Most organizations have more than one domain. That’s because there’s a bit more to domain design than just a maximum number of users and replication to consider. Political issues often trump technical ones and there is nothing more political when it comes to systems administration than the question of who has administrative privileges over users in different parts of the organization.

Those of you who know a fair amount about more recent iterations of the Windows Server operating system know that with clever configuration of delegation, you can accomplish the same sort of administrative role separation that is usually the excuse for multiple separate domains. The old argument about requiring multiple domains for separate password policies has also been put to rest because of the ability (greatly improved in Windows Server 2012 R2) to create separate password policies based on group membership. Of course there is a bit of work involved in doing this, so many organizations just keep separate domains for the reason that their admins don’t understand privilege separation well enough to implement it correctly in a single domain.
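As an added example (not from the original article), the following PowerShell sketch shows the group-based password policy approach described above, using the ActiveDirectory module's fine-grained password policy cmdlets. The group name, policy name and every policy value are hypothetical placeholders chosen for illustration; it assumes the users of a formerly separate domain now sit in one global security group.

```powershell
# Added example: a fine-grained password policy (PSO) scoped to one group,
# instead of a separate domain. All names and values below are constructed.
Import-Module ActiveDirectory

$groupName  = 'Finance-Users'        # hypothetical global security group
$policyName = 'PSO-Finance-Strict'   # hypothetical PSO name

# PSOs require a domain functional level of Windows Server 2008 or higher,
# so a domain still at a 2000/2003 level must be raised first.
$unsupported = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
$domain = Get-ADDomain
if ($unsupported -contains [string]$domain.DomainMode) {
    throw "Functional level $($domain.DomainMode) does not support fine-grained password policies."
}

# A PSO can only be linked to users or global security groups.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group to receive a PSO."
}

# Create the policy once; a lower Precedence number wins when several PSOs apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00'
}

# Link the policy to the group only if it is not already linked.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $policyName
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group
}

# Verify: report the policy that actually takes effect for each member.
# No result from the cmdlet means only the default domain policy applies.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $name = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
        [pscustomobject]@{ User = $_.SamAccountName; EffectivePolicy = $name
                           AsIntended = ($name -eq $policyName) }
    }
```

Any row where `AsIntended` is false points to an account governed by a different PSO or by the default domain policy, which is worth resolving before retiring the old domain.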

This may be an improvement in Windows Server vNext, but that’s not going to help anyone on Windows Server 2003 because Windows Server 2003 will expire long before Windows Server vNext releases to manufacturing.

---

You can find out more about account number limitations by reviewing the following TechNet article: https://technet.microsoft.com/en-us/library/cc732201%28v=ws.10%29.aspx
