When to use Active Directory containers

James Michael Stewart, Contributor

Active Directory offers five basic containers: forest, tree, domain, site and OU. These containers, used to segment and organize a network, were designed with specific uses and restrictions in mind. Thus, it is important to understand these restrictions when planning out your AD-based network.

Forests are used to create a structure with administrative independence and autonomy from any other forest. Each forest has its own unique schema. In most cases, a single organization should have a single forest. The reasons for multiple forests include merger or acquisition of an existing IT department or the need for multiple schemas.

Trees are used to define independent DNS name spaces within a forest. Often a tree is used to reflect a public or external namespace within the private network. The reasons for multiple trees include needing multiple namespaces and managing internal political structures. Many forests include multiple trees.

Domains are used to define users, groups and computers into separately managed collections. Each domain has a unique password and lockout policy. Each domain can be administered through a domain level GPO. Domains are used to manage replication and control security. The reasons for multiple domains include reflecting stable geographic internal divisions and the need to keep the object database at a reasonable size.

Sites are used to control replication. Primarily sites are used to manage replication bandwidth usage over

Requires Free Membership to View

slow WAN links. Sites are also used to force local logons instead of being authenticated by a DC in a remote location accessed over a WAN link. The reasons for multiple sites include having WAN links with less than 512 KBps total capacity or not having a dedicated 128 KBps connection for replication traffic.

Organizational Units (OUs) are used to divide domains into more transient groupings, such as department and function. OUs offer the ability to delegate administrative authority and to apply distinct GPOs. OUs offer the most flexibility of all the AD containers. Multiple OUs in multiple layers or levels offer a wide range of organizational options.

In general when designing an AD structure, use as many containers as are needed. But try to use as few as possible.

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in March 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.