During my years working with Active Directory based solutions, I've been thrilled by the way companies tend to make it more complicated then necessary. When Microsoft introduced the new way of organizing a Windows Domain using Organisational Units (OU), Trees and Forests back in the late nineties, everyone went berserk in their struggles to become the most creative designer, without really listening to the Mantra: Keep it simple....
Today, fifteen years later, we have to face the consequences and clean the mess, leading to endless amounts of CleanUp projects and Migration Projects, often initiated as "Missions of Mercy", to save what is savable before the final crash.
Having taken part of quite a few of those projects during the last 4-5 years, I have once again had to put up with the creative people, that suddenly have popped up from their crypts again, just waiting to create yet another AD bubble that will burst in a few years.
I will give you a few advises from my experiences so far on how to avoid this situation again (and by the way, this is only my strictly personal perspective), or at least ease the pain.
1. Most likely ONE single Active Directory Domain will cover all your needs today and tomorrow.
2. Think administrative delegation not organization when building the domain/OU structure.
3. Make sure the Governance Model is in place, before running DCPROMO.
4. ADFS, ADRMS, RODC, PKI, DFS, DNSSEC etc...are not only cool terms or features, use them and use them correctly.
5. The Schema is not full of Attribute classes for no reason, make sure you use the attributes provided in a meaningful way, this is your future connection to surrounding systems.
6. Yes, you can utilize only Universal Groups, that's enough.
7. Make sure the part of the identities you store in Active Directory is both secure and well-managed.
8. This list can actually continue for a while, but I will stop it here to avoid taking myself out of business, by just once more providing you with the most basic advise when it comes to Directory Services in general and Active Directory in particular:
KEEP IT SIMPLE!!
