Active Directory Design - Domains per site or Organisational Units per site

active-directory

Solution 1:

AS there is little crossover requirements I would recommend setting them up as suggested, one domain with appropriate OU's beneath them.

If setup with the relevant "sites" with at least one domain controller at each and with at least one Global Catalog at each site (no reason not to have each DC be a GC)

Once you migrate to the 100MB/s WAN even high volume DFS transfers would pose little issue.

Maintaining it as one domain with multiple sites and appropriate OUs for permissions, installations, group security etc. means that should all domain controllers in one site fail, all machines, with the exception of machines that are told specifically to look at one domain controller for authentication e.g. an application that is querying a domain controller for LDAP services, should still be able to log in and use network resources.

Over a 2Mb/s link this would be suboptimal but should be an edge case scenario, i.e. server room burns down but comms room is okay etc. Over a 100Mb/s link how is that any different to a normal domain config?

Solution 2:

In general terms, they are correct that when you design AD you should use as few domains as possible. With a pending upgrade to 100Mb links, there's arguably no technical reason not to do this.

However, you're not creating a new forest, as you well know, so the question becomes is there any real reason why you need to collapse a design that you're presumably happy with and which works well, and I say no - I maybe wouldn't have designed it this way to start with but I couldn't justify the upheaval of changing it. It seems like a lot of work and the best you can hope for as a result is that the currently working system will continue to work. (I'm thinking about the perspective of your students and teaching staff here, whether or not the would be a large enough reduction in support costs from doing this is another, seperate consideration).

Exchange can work quite happily with users from several domains in the same forest so I am honestly not sure why the people you're outsourcing Exchange management to are asking about this. Perhaps someone should ask them their justification for asking for a major change to be made to a setup that currently works well. And if they say that Exchange needs it, fire them, they don't know what they're talking about.

Related

Filtering bad requests from Apache -> logger -> rsyslog to syslog-ng on a remote logging server possible?
Linux high memory usage (top total mismatch)
What username for Login to Console on a Digital Ocean Droplet running FreeBSD 12
How to fix "Could not open a connection to your authentication agent." error when trying to add ssh-key?
Why is SSHD hanging at "Server accepts key"
Hidden Periodic Screenshots on a corporate workstation?
How common are Intel igb NIC drivers/cards, compared to Intel e1000, etc.?
Has March 2015 Patch Tuesday broken 2003 shares?
Filter mirrored port traffic using iptables
multiple file systems for mysql
Cleaning soot out of a server
Delegate user permission to move users/computers between OU's in Active Directory