The principles of Active Directory infrastructure design

James Michael Stewart, Contributor
Designing large, complex networks using Windows 2000 Active Directory requires significant planning and foresight; otherwise, the results will be significantly less than satisfactory. Active Directory is extremely flexible and can be molded to conform with a wide range of company organizations, department hierarchies and network infrastructures. However, it is important to settle the design details before deploying the technology.

Some important items to consider when designing an AD-based network include:

  • Forests are not limited in geography or network topology. A single forest can contain numerous domains, each sharing a common schema. Domain members of the same forest need not even have a dedicated LAN or WAN connection between them. A single network can also be the home of multiple independent forests. In general, a single forest should be used for each corporate entity. However, additional forests may be desired for testing and research purposes outside of the production forest.
  • Domains have significant levels of traffic internally (replication, query, authentication and data), but little traffic between domains in the same forest. Therefore, domains should be designed to limit the number of low-bandwidth or non-dedicated WAN connections.
  • Sites are to be used to manage domain replication traffic across low-bandwidth or non-dedicated WAN connections. When domain designs cannot avoid slower links, sites can be used to optimize domain replication while not impeding end user network-based work tasks.
  • Organizational units (OUs) can duplicate the administrative, department or geographic hierarchy and structure of the organization.
  • The use of domains, sites and OUs grants a wide range of control over systems and users. Group policy objects (GPOs) can be nested in a parent-child relationship to enable fully customized configurations. GPOs are inherited by child objects by default. GPOs are applied to objects in the following order: local, site, domain, OU. If multiple GPOs are present at any one of these organizational levels, a priority order of application is defined. If there are multiple nested OU memberships, the outermost parent OU's GPO is applied first and the innermost child OU's GPO is applied last. The ordered priority of GPO application ensures that the settings defined closest to the object take precedence.
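The local, site, domain, OU application order and the "closest setting wins" rule described above, modeled as an added Python example (not code from the article or from Microsoft) so that an administrator can see which GPO supplied each effective setting. It assumes default inheritance only (no Block Inheritance or Enforced links) and uses constructed GPO names and settings.

```python
from dataclasses import dataclass

# Scopes in the order the article gives: local, site, domain, then OUs.
SCOPE_ORDER = ["local", "site", "domain", "ou"]


@dataclass
class GPO:
    name: str
    settings: dict  # setting name -> value


@dataclass
class Link:
    gpo: GPO
    scope: str           # one of SCOPE_ORDER
    depth: int = 0       # OUs only: 0 = outermost parent OU, larger = nested child
    link_order: int = 1  # priority among GPOs at one level; 1 = highest, applied last


def application_order(links):
    """Order links as they are applied: local, site, domain, OUs outermost first.
    Within one level, lower link_order values are applied later so they win."""
    return sorted(links, key=lambda l: (SCOPE_ORDER.index(l.scope), l.depth, -l.link_order))


def resultant_settings(links):
    """Apply links in order; the last writer of each setting wins. Returns
    setting -> (value, name of the GPO that supplied it), which is what an
    audit needs when an effective setting is not the one expected."""
    effective = {}
    for link in application_order(links):
        for key, value in link.gpo.settings.items():
            effective[key] = (value, link.gpo.name)
    return effective


# Constructed sample (not from the article): two GPOs linked at the domain
# level with different link orders, plus a parent OU and a nested child OU.
SAMPLE_LINKS = [
    Link(GPO("Local Policy", {"ScreenSaverTimeout": 900, "AuditLogon": "none"}), "local"),
    Link(GPO("Site-HQ", {"AuditLogon": "success"}), "site"),
    Link(GPO("Default Domain Policy",
             {"AuditLogon": "success,failure", "DisableCmd": False}), "domain", link_order=2),
    Link(GPO("Domain Hardening", {"DisableCmd": True}), "domain", link_order=1),
    Link(GPO("Corp OU", {"ScreenSaverTimeout": 600}), "ou", depth=0),
    Link(GPO("Finance OU", {"ScreenSaverTimeout": 300}), "ou", depth=1),
]

if __name__ == "__main__":
    for setting, (value, source) in resultant_settings(SAMPLE_LINKS).items():
        print(f"{setting} = {value!r} (from {source})")
```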

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in February 2003
