A. Many of the original reasons for adding domains under Windows NT 4.0 (e.g., delegation of authority, the 40,000-object limit) no longer apply to Win2K and later OSs. When possible, you should try to limit the number of domains and rely on organizational units (OUs) and sites in Active Directory (AD). However, you might need to create domains in certain situations.
- If you have limited bandwidth for replication traffic--for example, because of slow network connections between sites--you might need to add domains, especially if your sites are distributed across vast geographic regions. Even if you use sites and limit when data can be replicated, you might need to add domains to handle the volume of replication data if your domain is very large.
- If you have only SMTP connectivity between sites, you must add domains because domain information can't replicate across site links that use SMTP.
- If you use different password/lockout/Kerberos policies; you can set those policies only at the domain level because the client OS ignores the OU policy except when a user logs on with a local user account.
- If you restrict administrative permissions (e.g., legal reasons to restrict access).
- If you want to implement decentralized administration.
- If you use a namespace other than the default.
- If you want to ease migration of multiple domains.
- If you want to put the schema master in a domain separate from the domain that hosts users and resources.
- If you want to maintain an existing domain structure.
- If you need an isolated or autonomous domain--depending on your requirements, you might need a separate forest if the domain can't share items such as the schema.
If you have multiple domains, Microsoft recommends using a dedicated root domain containing only the default objects, the forest master roles (schema and domain naming), and the forest administrative groups (enterprise and schema). In this scenario, because the root domain has little content, it's quick to back up and uses little bandwidth for replication.