Domains vs. organizational units
James Michael Stewart
Forests, trees, sites, domains and organizational units (OUs) are all organizational containers used by Windows 2000 and Windows .NET-based Active Directory (AD) networks. Forests are used to group one or more trees under a common schema and global catalog. Trees are used to group domains into contiguous DNS name spaces. Sites are used to group domain controllers based on their link speeds and to control AD replication. Domains and OUs are employed to group computers, users and groups for security, delegation and administrative purposes. Group policy objects (GPOs) can be defined for domains as well as OUs.
The difference between a domain and an OU may initially seem slight, but it is very important. Deciding whether to use a domain or an OU should take place in the early planning stages of a network, long before deployment starts. Domains should be employed to group computers, users and groups based on stable business configurations, such as geography. It is not a good idea to use domains to define transient designations, such as function or department. OUs, on the other hand, are much more flexible than domains. OUs can be used to define stable business configurations, such as geography, but can also be used for more transient designations. Generally, build layers of OUs from general to specific: geography before department, and department before function.
OUs are flexible enough to be moved, grafted and changed as the business organization changes. Manipulating domains is a much more complex process and should be avoided whenever possible. With proper planning and management, multiple layers of OUs can effectively organize and control your network while offering the flexibility to adjust to your company as it grows and changes.
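The layering and the OU move described above, as an added example that is not part of the original article: it builds geography, department and function layers idempotently and relocates one OU after a reorganization. It assumes the ActiveDirectory PowerShell module (which postdates Windows 2000); the domain, the OU names and the helper functions New-LayeredOu and Move-LayeredOu are constructed for illustration.

```powershell
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=example,DC=com'   # constructed placeholder domain

# Each row is one path, ordered general -> specific: geography, department, function.
$Layout = @(
    @('Chicago', 'Finance',     'Payroll'),
    @('Chicago', 'Finance',     'Audit'),
    @('Denver',  'Engineering', 'Build')
)

function New-LayeredOu {
    # Hypothetical helper: creates each layer top-down and skips OUs that already exist.
    param([string[]]$Layers, [string]$BaseDN)
    $parent = $BaseDN
    foreach ($layer in $Layers) {
        $dn = "OU=$layer,$parent"
        $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'"
        if (-not $existing) {
            # Protection guards against accidental deletion of a whole subtree.
            New-ADOrganizationalUnit -Name $layer -Path $parent `
                -ProtectedFromAccidentalDeletion $true
        }
        $parent = $dn
    }
    return $parent   # DN of the most specific OU
}

function Move-LayeredOu {
    # Hypothetical helper: moves an OU and its contents under a new parent.
    # Assumes the OU name contains no escaped commas.
    param([string]$Identity, [string]$TargetPath)
    # A protected OU cannot be moved until the flag is cleared.
    Set-ADOrganizationalUnit -Identity $Identity -ProtectedFromAccidentalDeletion $false
    Move-ADObject -Identity $Identity -TargetPath $TargetPath
    $leaf = ($Identity -split ',', 2)[0]
    Set-ADOrganizationalUnit -Identity "$leaf,$TargetPath" -ProtectedFromAccidentalDeletion $true
}

foreach ($path in $Layout) { New-LayeredOu -Layers $path -BaseDN $DomainDN | Out-Null }

# Reorganization: Audit leaves Finance and reports to a new Compliance department.
$compliance = New-LayeredOu -Layers @('Chicago', 'Compliance') -BaseDN $DomainDN
Move-LayeredOu -Identity "OU=Audit,OU=Finance,OU=Chicago,$DomainDN" -TargetPath $compliance
```

After a move, objects in the OU pick up the GPOs linked along the new path and lose those linked only along the old one, so review delegated permissions and GPO links on the target before relocating.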
James Michael Stewart is a researcher and writer for Lanwrights, Inc.