active-directory Pre-planning before you create your forest or domain.


One thing to consider for every domain in your forest is how many physical versus virtual domain controllers you want. Personally, I believe there should be at least one physical domain controller per domain. My main reason is how clocks are handled on virtual machines, specifically, in my case, on Hyper-V; I cannot speak to VMware.

A Hyper-V host installs a Time Synchronization integration service in each guest operating system, which keeps the guest's clock aligned with the host's clock. In a domain, every member machine syncs its time from the domain controllers, each domain syncs from the forest root, and the root domain's PDC emulator is the authoritative time source for the forest. So if the host is a domain member, its clock follows the DCs, and if those DCs are guests on that same host, their clocks follow the host. That creates a feedback loop, and I have found it lets the clock drift. After a couple of months the drift becomes noticeable, and in Active Directory that is a major issue: Kerberos rejects tickets once the clock skew between a client and a DC exceeds the allowed tolerance (5 minutes by default), so authentication starts failing.

To solve this I run a physical DC that holds the Flexible Single Master Operation (FSMO) role of Primary Domain Controller (PDC) emulator in the forest root domain, and I set my Hyper-V hosts to sync their time from that physical DC at a short interval (that is, to poll it frequently). The hosts, and therefore their guests, then take their time from the same authoritative source instead of chasing each other.
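The following PowerShell, run on a Hyper-V host, is an added example and not a script from the original post. It assumes the host is a domain member with the RSAT ActiveDirectory module installed, that a physical DC holds the forest root PDC emulator role, and it uses hypothetical names such as `DC01`; the 15-minute poll interval is a placeholder. It goes one step beyond the post by also switching off host-to-guest time sync on any virtualized DCs so that only the domain hierarchy feeds their clocks, which is the standard way to break the loop described above.

```powershell
# Added example, not the author's configuration. Names and the poll interval are assumptions.
# Run elevated on a domain-joined Hyper-V host.

# 1. Locate the forest root PDC emulator, the authoritative time source for the whole forest.
$rootDomain = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator
Write-Host "Forest root PDC emulator: $pdc"

# 2. Make this host sync from the PDC emulator explicitly instead of the default
#    domain-hierarchy (NT5DS) lookup. The ",0x1" flag tells W32Time to use
#    SpecialPollInterval (seconds) rather than the adaptive interval, which is how
#    you get the "very frequent" polling the post describes. /update applies the
#    change without a reboot.
w32tm /config /manualpeerlist:"$pdc,0x1" /syncfromflags:manual /update
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' `
                 -Name 'SpecialPollInterval' -Value 900 -Type DWord   # 900 s = 15 min (assumed value)
Restart-Service -Name 'w32time'
w32tm /resync

# 3. Verify the host now follows the PDC emulator and measure the remaining offset.
w32tm /query /source                                   # expect the PDC emulator's name
w32tm /query /status                                   # shows Phase Offset and Last Successful Sync Time
w32tm /stripchart /computer:$pdc /samples:5 /dataonly  # per-sample offset against the PDC

# 4. Any DC that runs as a guest on this host must not take its clock from the host,
#    otherwise the host->guest->DC->host loop comes back. Disabling the Hyper-V
#    Time Synchronization integration service leaves the guest DC on the domain hierarchy.
Get-VM | Where-Object { $_.Name -like 'DC*' } | ForEach-Object {
    Disable-VMIntegrationService -VMName $_.Name -Name 'Time Synchronization'
    Get-VMIntegrationService -VMName $_.Name -Name 'Time Synchronization' |
        Select-Object VMName, Name, Enabled      # Enabled should now be False
}

# 5. Forest-wide check for drift: lists every DC in the root domain with its offset
#    from the PDC emulator. Anything approaching the Kerberos tolerance (5 min default)
#    will start breaking authentication.
w32tm /monitor /domain:$rootDomain
```

Re-run step 5 on a schedule; a steadily growing offset on one DC is the early warning sign that some machine is still being synced from a host rather than from the domain hierarchy.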