
Active Directory: Designing made simple

How difficult or intricate should you get when creating forests, trees, domain and OUs? Remember, ease of administration is key. Here are some points you should consider.

Any decent Windows administrator should plan out their Active Directory structure prior to implementing an upgrade or install of a Windows 2000 domain. How difficult or intricate should you get when creating your forest, trees, domain and finally organizational units (OUs)? Remember, ease of administration is key. With that said, there are two major points to consider:

1. Look at your business model. One of the more common questions I hear is: "Should I create separate domains or sub-domains for my Japan office and another for my Canadian office?" Only if the different sites have different business models.

  • Scenario 1: If Japan is a remote office for the sales division and the headquarters is located in Canada, then their business models are the same and should not be divided into additional domains or sub-domains. In this scenario, you would create a single-level domain and then use OUs to separate either the departments or geographic locations for administration and management.

  • Scenario 2: If Japan is selling computers, and the Canadian office is selling refrigerators, they are most likely using different business models and should be divided into two separate sub-domains. Since the business needs are different, you would create an empty root domain, such as "" (using the company name for ease of design for the root domain name), to first provide administration at the corporate level. Then create two sub-domains under it called "" and "" for administration at the separate business level. This AD design gives you a root domain in which you can exercise "enterprise" administration over the two separate sub-domains. The admins in the root domain have full control over all domains, and can then delegate administration authority to individuals in their respective sub-domains and, through "trusts," can limit their access to the other domains in the tree.

  • Scenario 3: If Japan and Canada are two completely separate companies, and not part of the same corporation, then you would create two separate forests with a "trust" between them.

2. Further segment your AD design using organizational units. The most important thing to keep in mind when designing your OU is the administrative purpose that OU will serve. OUs can contain other OUs up to 63 levels. The primary purpose of an OU is to make administration easier in terms of management and delegation.

You will want to keep in mind that every OU you create will serve to help a Windows administrator manage a common set of directory objects for which he/she is responsible. OU administrators will primarily use OUs to distribute "group policies," which are a set of common configuration settings like distributing software or changing the user environment, to help manage directory objects such as computers and users. The OU will also help with network permissions, object searches, etc.

There are hundreds of ways to design an OU structure, but four basic designs have proven themselves useful over time:

  • Political/Functional: A functionally based design is useful for larger organizations and those where different functional groups have different computing needs or environments. Larger departments that use this design should consider implementing it in conjunction with one of the other designs. For example, each of the subgroups of the department could be further organized by resource or user classification. Some combined designs will be shown later.

  • Geographic: Departments that are spread across campus or between campus and other facilities may want to consider a geographic design. This design is only useful if geographic boundaries also represent IT management divisions. This design is obviously less useful for units housed in a single location, or when location per se does not affect how IT is managed. As with the political/functional design, this design can be used in conjunction with other designs, such as the resource-based design.

  • Resource-based: Often it is best to manage computing resources by type of resource: desktop computer, server, printer, etc. This design is most useful when all resources of a given type, like servers, are managed in the same way. These divisions can be sub-divided if a resource has additional management requirements.

  • User classification: Resources can also be managed based on users' jobs or functions within a department. This design allows for differing levels of restriction based on user needs. You'll notice that there can be an overlap between the resource-based classification and the user-based classification. Students, for example, may typically use computer labs. This is a useful design for smaller departments that have no need for political or geographic division and that maintain mostly desktop computers (reducing the need for a resource-based design).

Hybrids of the above four, such as user classification and resource-based OU structures, are common. (Setting up OUs for the different departments and network resources like printers, servers, etc.)
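The following is an added example (not from the original article) of how a Scenario 1 single-domain design combined with a geographic + resource/user-classification hybrid OU tree could be built and given one GPO per OU. It assumes a placeholder domain corp.example, the RSAT ActiveDirectory and GroupPolicy modules on a current Windows Server, and a domain-admin session; the OU and GPO names are constructed for illustration.

```powershell
# Added example: build a hybrid (geographic + resource/user-class) OU tree
# in a single domain and link one GPO per leaf OU.
# Assumes placeholder domain corp.example and the RSAT ActiveDirectory
# and GroupPolicy modules; run as a domain admin on a modern DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# Design: location OUs at the top (they map to local IT teams), then
# resource/user-class OUs underneath so a GPO or a delegated permission
# always targets one uniform set of objects (least privilege per OU).
$Design = @{
    'Canada' = @('Workstations', 'Servers', 'Users', 'Printers')
    'Japan'  = @('Workstations', 'Users')   # remote sales office, no local servers
}

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = $null
    try { $existing = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop } catch { }
    if (-not $existing) {
        # Protect against accidental deletion: losing an OU drops every linked GPO.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

foreach ($site in $Design.Keys) {
    $siteDN = New-OUIfMissing -Name $site -ParentDN $DomainDN
    foreach ($class in $Design[$site]) {
        $ouDN = New-OUIfMissing -Name $class -ParentDN $siteDN
        # One GPO per OU, named after its path, so settings such as software
        # deployment or desktop restrictions apply only to that object class.
        $gpoName = "GPO-$site-$class"
        $gpo = $null
        try { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop } catch { }
        if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
        try { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction Stop | Out-Null }
        catch { }   # link already exists
    }
}

# Verify the resulting tree: each OU should appear once under its site OU.
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN |
    Sort-Object DistinguishedName | Select-Object DistinguishedName
```

Delegation (for example, letting the Japan help desk reset passwords only in OU=Users,OU=Japan) is then granted on the leaf OU, which is the administrative boundary this structure is meant to give you.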

I hope this has given you some insight towards your future AD designs. Remember, once you go native mode with your Windows 2000 domain, there is no changing your AD design without a full-blown reorganization. Good Luck!
