Active Directory offers five basic containers: forest, tree, domain, site and OU. These containers, used to segment and organize a network, were designed with specific uses and restrictions in mind. Thus, it is important to understand these restrictions when planning out your AD-based network.
Forests are used to create a structure with administrative independence and autonomy from any other forest. Each forest has its own unique schema. In most cases, a single organization should have a single forest. The reasons for multiple forests include merger or acquisition of an existing IT department or the need for multiple schemas.
Trees are used to define independent DNS name spaces within a forest. Often a tree is used to reflect a public or external namespace within the private network. The reasons for multiple trees include needing multiple namespaces and managing internal political structures. Many forests include multiple trees.
Domains are used to define users, groups and computers into separately managed collections. Each domain has a unique password and lockout policy. Each domain can be administered through a domain-level GPO. Domains are used to manage replication and control security. The reasons for multiple domains include reflecting stable geographic internal divisions and the need to keep the object database at a reasonable size.
Sites are used to control replication. Primarily, sites are used to manage replication bandwidth usage over slow WAN links. Sites are also used to force local logons instead of authentication by a DC in a remote location reached over a WAN link. The reasons for multiple sites include having WAN links with less than 512 KBps total capacity or not having a dedicated 128 KBps connection for replication traffic.
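The following PowerShell script is an added example, not code from the original article: it carves a branch office into its own site so that replication across the WAN link is scheduled rather than continuous and so that clients on the branch subnet authenticate against a local DC. The site name, subnet and link settings are assumptions chosen for illustration, and the ActiveDirectory module cmdlets used (New-ADReplicationSite, New-ADReplicationSubnet, New-ADReplicationSiteLink) require Windows Server 2012 or later.

```powershell
# Added example: separating a branch office into its own AD site.
# Names and addresses below are hypothetical.
Import-Module ActiveDirectory

$hqSite     = 'HQ'                 # existing site holding the hub DCs
$branchSite = 'Branch-Denver'      # hypothetical branch site
$branchNet  = '10.20.0.0/16'       # hypothetical branch subnet

# Create the site and map the branch subnet to it. The subnet-to-site mapping
# is what makes a client in 10.20.0.0/16 locate a DC in Branch-Denver at logon
# instead of being authenticated by a DC on the far side of the WAN link.
New-ADReplicationSite   -Name $branchSite
New-ADReplicationSubnet -Name $branchNet -Site $branchSite

# Connect the two sites with a site link. Cost steers topology generation
# (a lower cost is preferred when several paths exist); the replication
# frequency decides how often directory changes cross the link, which is
# the lever for keeping replication traffic off a slow WAN during the day.
New-ADReplicationSiteLink -Name "$hqSite-$branchSite" `
    -SitesIncluded $hqSite, $branchSite `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180

# Verification: confirm the subnet resolves to the new site and that the link
# carries the intended cost and schedule. A branch DC must exist in the site
# for local logons to actually happen; -Discover checks that one is reachable.
Get-ADReplicationSubnet -Filter "Name -eq '$branchNet'" |
    Select-Object Name, Site
Get-ADReplicationSiteLink -Filter "Name -eq '$hqSite-$branchSite'" |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADDomainController -Discover -SiteName $branchSite |
    Select-Object Name, Site
```

Without a DC placed in the branch site, the subnet mapping only changes which site the client reports; logons still cross the WAN, so the last check is the one that matters after the objects are created.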
Organizational Units (OUs) are used to divide domains into more transient groupings, such as department and function. OUs offer the ability to delegate administrative authority and to apply distinct GPOs. OUs offer the most flexibility of all the AD containers. Multiple OUs in multiple layers or levels offer a wide range of organizational options.
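The following PowerShell script is an added example, not code from the original article, showing the two OU capabilities the paragraph names: a distinct GPO linked at an OU, and delegation of administrative authority scoped to that OU. The OU, group and GPO names are assumptions; the extended-right and object-class GUIDs are the well-known values for the Reset Password right and the user class. The delegation is deliberately narrow (one right, on one object class, under one OU) rather than membership in a domain-wide administrative group.

```powershell
# Added example: OU hierarchy, an OU-linked GPO, and scoped delegation.
# OU, group and GPO names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$corpOU   = "OU=Corp,$domainDN"
$hrOU     = "OU=HR,$corpOU"

# Two-level OU structure; protection prevents accidental deletion of a
# container that carries delegated rights and GPO links.
New-ADOrganizationalUnit -Name 'Corp' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'HR'   -Path $corpOU   -ProtectedFromAccidentalDeletion $true

# A GPO linked at OU=HR applies only to objects in that OU and below, so
# settings for one department do not leak into the rest of the domain.
New-GPO -Name 'HR Workstation Baseline' | New-GPLink -Target $hrOU -LinkEnabled Yes

# Delegation: let HR-Helpdesk reset passwords on user objects under OU=HR,
# and nothing else. No membership in Account Operators or Domain Admins.
New-ADGroup -Name 'HR-Helpdesk' -GroupScope Global -Path $corpOU
$helpdeskSid = (Get-ADGroup 'HR-Helpdesk').SID

$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$acl = Get-Acl -Path "AD:\$hrOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$hrOU" -AclObject $acl

# Review: list the explicit (non-inherited) ACEs now present on the OU. This
# is the view to keep under periodic audit, since delegated ACEs accumulate
# and are easy to forget once the delegating administrator moves on.
(Get-Acl -Path "AD:\$hrOU").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

The final query is also how a reviewer checks that an OU's delegation matches its intent: every explicit ACE should correspond to a known delegation decision, and any ACE granting broad rights (GenericAll, WriteDacl, WriteOwner) on the OU deserves the same scrutiny as a change to a privileged group.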
In general, when designing an AD structure, use as many containers as are needed, but no more than that.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.