active directory + squid planning for a large network with more than 7000 users

You don't want, and likely don't need multiple Active Directory domains to manage. Basically, you always want to avoid multi-domain AD deployments if you can help it. (And you really want to avoid multi-forest deployments...)

In a Windows 2000 or Windows 2003 Active Directory, one used multiple domains when there were different groups of users who needed different password policies. Windows 2008 Active Directory can have granular password policies and eliminates this need.

In Windows 2000 - 2008 Active Directory, using multiple domains to partition the AD database into smaller units of replication is also a valid reason. An Active Directory with under 10,000 users isn't really all that large. You likely don't need to use multiple domains for partitioning of replication.

Having usernames read a certain way (i.e. [email protected] versus [email protected]) can be accomplished in a single domain with alternative User Principal Name (UPN) suffixes and isn't a valid reason for deploying a multi-domain infrastructure.

Using Squid and NTLM authentication is a perfectly valid solution for authenticating Internet access. Sizing of your Squid server computers and Active Directory domain controller computers isn't something that Server Fault can reasonably do with the information you've given above. Microsoft has an Active Directory Sizing Tool, but it hasn't been updated in several years (either for updated versions of Windows or updated server hardware specs).
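The Squid + NTLM approach the answer describes, as an added configuration example that is not part of the original answer. It assumes Samba's winbind is already joined to the domain and that the helper paths match a typical Linux Samba/Squid install:

```squid
# squid.conf fragment: authenticate proxy users against Active Directory
# through Samba's ntlm_auth helper (winbind must already be joined to the domain).
# Helper paths and the group/subnet names are assumptions; adjust to the local install.
# The squid process needs read access to winbind's privileged pipe (on Linux,
# add the squid user to the winbindd_priv group).

# NTLM: single sign-on for domain-joined Windows clients
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30 startup=10 idle=5
auth_param ntlm keep_alive on

# Basic fallback for clients that cannot do NTLM. The browser prompts and the
# password crosses the wire in the clear, so only expose this on the internal LAN.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Internet proxy
auth_param basic credentialsttl 2 hours

# Optional: restrict Internet access to one AD group, looked up via winbind.
# ttl caches the group answer so every request does not hit a domain controller.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl internet_users external ad_group InternetUsers

acl localnet src 10.0.0.0/8
acl authenticated proxy_auth REQUIRED

# Order matters: first force a login (407 challenge), then check the group,
# then deny everything else.
http_access deny !authenticated
http_access allow localnet internet_users
http_access deny all
```

Check the machine account trust with `wbinfo -t` before pointing Squid at the helper; if winbind cannot reach a domain controller, every proxy request will fail authentication.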


In a setting like this, you really need to think much more about identity management than you need to think about the actual user directory mechanism itself. They all can scale to this size trivially.

You should ask yourself about account life-cycles and business rules around account provisioning and roles in your organization. How are accounts going to be created, modified, and deleted? You're not planning on doing it by hand, are you?

As far as your border goes, I'm a fan of FreeBSD; I'd probably use a simple pair of pf firewalls with CARP to do failover, and a transparent proxy for reducing network utilization as much as possible.