{"id":1204,"date":"2008-09-16T08:00:20","date_gmt":"2008-09-16T08:00:20","guid":{"rendered":"http:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-2-forest-and-domain-design.htm"},"modified":"2008-11-14T23:33:26","modified_gmt":"2008-11-14T23:33:26","slug":"active-directory-design-considerations-part-2-forest-and-domain-design","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-2-forest-and-domain-design.htm","title":{"rendered":"Active Directory design considerations: part 2 (forest and domain design)"},"content":{"rendered":"<p>Having <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-1-introduction.htm\">set the scene for this series of posts<\/a>, the first area to examine is Active Directory forest and domain design.<\/p>\n<p>Bearing in mind the key principle that requirements should dictate design, and that the solution should be as simple as possible, whenever possible, AD designers should look to consolidate, and a single forest (with a single domain) should be the starting point, after which any requirements for scaling out can be considered.<\/p>\n<p>Reasons for implementing multiple forests include:<\/p>\n<ul>\n<li>Multiple schemas (to avoid application conflicts).<\/li>\n<li>Resource forests (deliberate isolation).<\/li>\n<li>Distrust of forest administrators (autonomy).<\/li>\n<li>Legal regulations around application\/data access.<\/li>\n<li>Requirements to be disconnected for long periods (e.g. on a ship).<\/li>\n<\/ul>\n<h3>Forest design models<\/h3>\n<h4>Single organisational forest<\/h4>\n<p>The single organisational forest is the starting point.  In this model, users, computers and applications are all in the same forest, providing a simple Active Directory.  One major advantage of having a simple AD is that many application designs will also be simplified (e.g. 
Exchange Server or MOSS) and delegation of administration is still possible; however it is absolutely essential that forest-level administrators are trusted.<\/p>\n<p>To mitigate the risk of rogue administrators, many organisations rely on detection (auditing and monitoring security logs &#8211; flagging any events after the fact).  In many cases the effort of implementing an extra forest outweighs the risk of an exploit from a rogue administrator.  Other mitigation steps include keeping highly privileged groups (e.g. Enterprise Admins and Domain Admins) empty (or at least down to a minimal number of users) and closely monitoring membership as well as implementing two-factor authentication for highly privileged accounts.<\/p>\n<h4>Multiple organisation forest model<\/h4>\n<p>The multiple organisation forest model is applicable where there are distinct business groups that require limited sharing of resources whilst retaining autonomy and isolation. In this model users, computers and applications all exist within their respective forests and a trust (1 or 2 way, as appropriate) is established, with selective authentication to control the rights granted from one forest to the other.<\/p>\n<p>This model can be costly and often causes additional complexity (e.g. if Exchange Server is used in the two organisations, then identity management tools may be required for calendar and contact information).<\/p>\n<h4>Shared resource forest model<\/h4>\n<p>According to Microsoft, the shared resource forest model is gaining in popularity as it provides flexibility as organisations are created and merge but require some sharing of resources.  
Users and computers exist in the appropriate account forests and trusts are created as necessary to access application(s) in a separate resource forest.<\/p>\n<p>With this model, an application such as Exchange Server would be installed into the resource forest (as a single organisation) and the users in the account forests would  see the global address list from the resource forest, avoiding the need for directory synchronisation tools.<\/p>\n<p>Potential downsides of this approach are the extra servers that will be required and the corresponding management overhead; however it is flexible and is commonly deployed.<\/p>\n<h4>Shared account forest model<\/h4>\n<p>The shared account forest model is similar to the shared resource forest model except that a common account forest is used for all users and computers, with various resource forests deployed for restricted access to data and applications and corresponding trust relationships with the account forest.  With this model, users can log on anywhere but some control is exercised over their access to applications and data.<\/p>\n<p>This model might also be used in an extranet scenario &#8211; for example MOSS in an extranet forest but with access provided to internal accounts using a forest trust or through <a href=\"http:\/\/www.microsoft.com\/windowsserver2003\/techinfo\/overview\/adfsoverview.mspx\">ADFS<\/a>.<\/p>\n<h3>Considerations for domain design<\/h3>\n<p>Having decided on the overall forest structure, domain design needs to be considered and this is also simplified where a single domain exists within each forest (this is the most straightforward, and hence least expensive, option to implement, manage and recover).  
Multiple domains may need to be considered:<\/p>\n<ul>\n<li>Where there is a large number of frequently changing attributes.<\/li>\n<li>To reduce replication.<\/li>\n<li>To control replication over slow links.<\/li>\n<li>To present legacy Active Directory structures.<\/li>\n<\/ul>\n<p>With Windows Server 2008, it is no longer necessary to implement a separate domain where an alternative password policy is required (e.g. PIN access for mobile users) as Active Directory Domain Services supports <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2007\/07\/fine-grained-password-policies-for-windows-server-2008-active-directory-domain-services.htm\">fine-grained password policies<\/a>.  Note that these policies are not applied at an organizational unit (OU) level but through group membership or at an individual user level.  To aid troubleshooting where multiple policies apply, Microsoft recommends that security groups are used for policy application and users added to groups accordingly.<\/p>\n<p>A domain is a replication boundary but, whereas network links were poor in the days of Windows 2000, bandwidth is now more plentiful and controls may be exercised over replication.  Microsoft considers that the only real hard limit is the maximum number of domain controllers, which was around 1200 under Windows Server 2003 due to the limitations of sysvol replication using the file replication service (FRS).  
With Windows Server 2008 this is no longer a concern, once the domain has been switched to <a href=\"http:\/\/blogs.technet.com\/filecab\/archive\/2008\/02\/08\/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx\">use DFS-R for replication<\/a>.<\/p>\n<p>In short, there are very few technical reasons for separate domains; in practice, however, the decision may be influenced by political concerns.<\/p>\n<h3>Forest and domain functional levels<\/h3>\n<p>Forest and domain functional levels can drive requirements for domain design, with consideration given to migration versus an in-place upgrade.  On the face of it, in-place upgrades seem simple, but <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2008\/02\/performing-an-active-directory-health-check.htm\">the health of the existing AD needs to be considered<\/a>.  If the domain has been upgraded previously from Windows 2000 to 2003, there may be older groups in place which do not use <a href=\"http:\/\/blogs.dirteam.com\/blogs\/tomek\/archive\/2006\/11\/04\/Linked-Value-Replication-_2D00_-what_2700_s-this-about.aspx\">linked value replication<\/a>, or there may be issues around strict replication consistency.<\/p>\n<p>The basic changes at each level are:<\/p>\n<ul>\n<li>Windows Server 2003 interim forest functional level:\n<ul>\n<li>Linked value replication.<\/li>\n<li>Different replication compression ratios.<\/li>\n<li>Improved knowledge consistency checker.<\/li>\n<\/ul>\n<\/li>\n<li>Windows Server 2003 forest functional level:\n<ul>\n<li>Forest trusts (and selective authentication).<\/li>\n<li>Deactivation of attributes within the schema.<\/li>\n<li>Domain renaming.<\/li>\n<li>Read only domain controllers (requires Windows Server 2008, plus schema updates).<\/li>\n<\/ul>\n<\/li>\n<li>Windows Server 2008 domain functional level:\n<ul>\n<li>Fine-grained password policies.<\/li>\n<li>DFS-R for sysvol.<\/li>\n<li>Last interactive logon information.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Domain naming<\/h3>\n<p>Domain 
naming ought to be the simple part of the design; however it is often heavily influenced by politics.  Whilst domain renames are possible, they are generally not advised due to the potential impact on other applications.<\/p>\n<p>For each domain, there are two names to consider &#8211; NetBIOS and DNS.<\/p>\n<p>The NetBIOS name must not exceed a maximum length of 15 characters and must be unique on the network.<\/p>\n<p>Meanwhile, Microsoft recommends that the DNS name does not replicate an existing Internet domain name and is registered with Internic (to prevent future conflicts &#8211; this also means that once-common naming conventions such as .local are no longer recommended).<\/p>\n<p>In general, the NetBIOS and the domain portion of the DNS names should be made to match one another as many tools expect one to be derived from the other; however single label names should not be used as they cannot be registered and may cause issues with certain applications (<a href=\"http:\/\/support.microsoft.com\/kb\/300684\">Microsoft knowledge base article 300684<\/a> has more details).  Also, the name should not represent a business unit or division (as this is likely to change over time).<\/p>\n<h3>Summary<\/h3>\n<p>After following the advice in this article, the forest and domain structure, level and naming should all be clear.<\/p>\n<p>In the next post in this series, I&#8217;ll take a look at organizational unit design.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having set the scene for this series of posts, the first area to examine is Active Directory forest and domain design. 
Bearing in mind the key principle that requirements should dictate design, and that the solution should be as simple as possible, whenever possible, AD designers should look to consolidate and a single forest (with &hellip; <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Active Directory design considerations: part 2 (forest and domain design)<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[],"tags":[102],"class_list":["post-1204","post","type-post","status-publish","format-standard","hentry","tag-active-directory"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Active Directory design considerations: part 2 (forest and domain design) - markwilson.it<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Active Directory design considerations: part 2 (forest and domain design) - markwilson.it\" \/>\n<meta property=\"og:description\" content=\"Having set the scene for this series of posts, the first area to examine is Active Directory forest and domain design. 
Bearing in mind the key principle that requirements should dictate design, and that the solution should be as simple as possible, whenever possible, AD designers should look to consolidate and a single forest (with &hellip; Continue reading Active Directory design considerations: part 2 (forest and domain design)\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.markwilson.co.uk\/blog\/2008\/09\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\" \/>\n<meta property=\"og:site_name\" content=\"markwilson.it\" \/>\n<meta property=\"article:published_time\" content=\"2008-09-16T08:00:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2008-11-14T23:33:26+00:00\" \/>\n<meta name=\"author\" content=\"Mark Wilson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:site\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\"},\"author\":{\"name\":\"Mark Wilson\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"headline\":\"Active Directory design considerations: part 2 (forest and domain 
design)\",\"datePublished\":\"2008-09-16T08:00:20+00:00\",\"dateModified\":\"2008-11-14T23:33:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\"},\"wordCount\":1228,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"keywords\":[\"Microsoft Active Directory\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\",\"name\":\"Active Directory design considerations: part 2 (forest and domain design) - 
markwilson.it\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\"},\"datePublished\":\"2008-09-16T08:00:20+00:00\",\"dateModified\":\"2008-11-14T23:33:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2008\\\/09\\\/active-directory-design-considerations-part-2-forest-and-domain-design.htm#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Active Directory design considerations: part 2 (forest and domain design)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/\",\"name\":\"markwilson.it\",\"description\":\"get-info -class technology | write-output &gt; \\\/dev\\\/web\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\",\"name\":\"Mark 
Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"width\":800,\"height\":800,\"caption\":\"Mark Wilson\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\"},\"description\":\"A Chartered IT Professional, with recent experience in technology leadership, IT strategy and practice management roles, Mark Wilson is an Enterprise Architect in the Advisory and Management Group at risual. During a career spanning more than two decades, Mark has gained widespread recognition as an expert in his field including both industry and national press exposure. In addition to certifications from Microsoft, VMware, Red Hat, The Open Group and Axelos, Mark held a Microsoft Most Valuable Professional (MVP) award for three years and is now part of the MVP Reconnect programme. Mark is also well-known on social media and maintains an award-winning blog.\",\"sameAs\":[\"http:\\\/\\\/www.markwilson.co.uk\\\/\",\"https:\\\/\\\/www.instagram.com\\\/markwilsonuk\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/markawilson\\\/\",\"https:\\\/\\\/x.com\\\/markwilsonit\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCWHlZCoHRTocdvtrOJ2IL4A\"],\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/author\\\/mark-wilson\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","jetpack_featured_media_url":"","jetpack_sharing_enabled":true}