
The principles of Active Directory infrastructure design

Learn what forests, domains and organizational units are and how they differ from one another when considered for Active Directory infrastructure design.

Designing large, complex networks with Windows 2000 Active Directory requires significant planning and foresight; otherwise the results will fall well short of expectations. Active Directory is extremely flexible and can be molded to conform to a wide range of company organizations, department hierarchies and network infrastructures, but the design details must be settled before the technology is deployed, because forest and domain decisions are costly to undo afterwards.

Some important items to consider when designing an AD-based network include:

  • Forests are not limited by geography or network topology. A single forest can contain many domains, all sharing one schema, one configuration partition and one global catalog. Domains in the same forest do not need a dedicated LAN or WAN link between them, only enough connectivity for replication and authentication traffic. A single physical network can also host several independent forests. In general, use one forest per corporate entity; the forest, not the domain, is the security boundary, because schema and configuration changes and the Enterprise Admins group span every domain in it. Additional forests are appropriate for testing and research outside the production forest.
  • Most directory traffic (replication, queries, authentication and data access) stays inside a domain; comparatively little flows between domains of the same forest (schema, configuration and global catalog replication, plus cross-domain authentication referrals). Domain boundaries should therefore be drawn so that as little intra-domain traffic as possible crosses low-bandwidth or non-dedicated WAN connections.
  • Sites manage replication traffic across low-bandwidth or non-dedicated WAN connections. When a domain design cannot avoid slow links, sites allow replication over those links to be scheduled and compressed, and they direct clients to domain controllers in their own site, so end users' network-based work is not impeded.
  • Organizational units (OUs) can mirror the administrative, departmental or geographic hierarchy of the organization. OUs are also the unit at which administrative rights are delegated and group policy is linked, so an OU design that matches who administers what keeps delegation narrow.
  • Domains, sites and OUs together give fine-grained control over systems and users. Group policy objects (GPOs) are linked to sites, domains and OUs; because those containers nest in a parent-child hierarchy, the linked GPOs combine into a fully customized configuration, and a GPO linked to a parent container applies to its child containers by default (inheritance). GPOs are applied in the order local, site, domain, OU. Where several GPOs are linked to one container, a link order defines the sequence in which they are applied. With nested OUs, the outer-most parent OU's GPOs are applied first and the inner-most child OU's GPOs last. Because a later setting overwrites an earlier conflicting one, the settings defined closest to the object take precedence. Two options change this: Block Policy Inheritance on a domain or OU discards GPOs linked above it, and a link marked No Override (called Enforced in later versions) cannot be blocked and wins over conflicting settings from lower containers.
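The precedence rules in the last item are easier to check against concrete data than to reason about in prose. The following Python model is an added example, not code from the article or from Microsoft; it applies GPO links in the order local, site, domain, OU (outer-most parent first), honours link order within a container, and goes beyond the text by also modelling Block Policy Inheritance and No Override (Enforced) links. All container, GPO and setting names are constructed sample data, and the assumption that the local GPO is always processed first and is never blocked is part of the model.

```python
"""Model of Group Policy precedence for one Active Directory object.

Added illustration (not the article's or Microsoft's code). Links are applied
local -> site -> domain -> OUs (outer-most first); a later setting overwrites
an earlier one; within a container, link order 1 is applied last and so wins;
Block Policy Inheritance discards non-enforced links from containers above it;
No Override / Enforced links ignore blocking and are applied after everything
else, outer-most container last, so the highest enforced link wins.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # policy name -> value


@dataclass
class GPLink:
    gpo: GPO
    link_order: int           # 1 = highest precedence within its container
    enforced: bool = False    # "No Override" in Windows 2000 terminology


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def _links_in_apply_order(container):
    # Highest link-order number is applied first, link order 1 last.
    return sorted(container.links, key=lambda l: l.link_order, reverse=True)


def application_order(local_gpo, chain):
    """Return GPOs in the order the client applies them.

    chain lists [site, domain, ou_1, ..., ou_n] from outer-most to inner-most.
    Modelling assumption: the local GPO is always first and never blocked.
    """
    # Only the inner-most container with Block Inheritance matters: it hides
    # every non-enforced link from containers above it.
    first_allowed = 0
    for idx, c in enumerate(chain):
        if c.block_inheritance:
            first_allowed = idx

    order = [local_gpo]
    for idx, c in enumerate(chain):
        if idx < first_allowed:
            continue
        order.extend(l.gpo for l in _links_in_apply_order(c) if not l.enforced)

    # Enforced links: inner-most container first, outer-most last, so the
    # enforced link highest in the hierarchy overrides all others.
    for c in reversed(chain):
        order.extend(l.gpo for l in _links_in_apply_order(c) if l.enforced)
    return order


def resolve(order):
    """Merge settings; a later GPO overwrites an earlier one on conflict."""
    result = {}
    for gpo in order:
        result.update(gpo.settings)
    return result


def sample_chain(block_finance=False):
    """Constructed sample: a workstation in corp.example / Finance / Analysts."""
    local = GPO("Local", {"screen_saver_timeout": 600})
    site = Container("HQ", [GPLink(GPO("SiteProxy", {"proxy": "hq-proxy"}), 1)])
    domain = Container("corp.example", [
        GPLink(GPO("DomainBaseline", {"screen_saver_timeout": 900,
                                      "audit_logon": "success,failure"}), 2),
        GPLink(GPO("DomainBanner", {"screen_saver_timeout": 1200,
                                    "logon_banner": "Authorized use only"}), 1),
        GPLink(GPO("DomainSecurity", {"disable_cmd": True}), 3, enforced=True),
    ])
    finance = Container("Finance", [GPLink(GPO("FinanceDesktop",
                        {"screen_saver_timeout": 300, "disable_cmd": False}), 1)],
                        block_inheritance=block_finance)
    analysts = Container("Analysts", [GPLink(GPO("AnalystTools",
                         {"proxy": "analyst-proxy", "disable_cmd": False}), 1)])
    return local, [site, domain, finance, analysts]


def effective_order_names(block_finance=False):
    local, chain = sample_chain(block_finance)
    return [g.name for g in application_order(local, chain)]


def effective_policy(block_finance=False):
    local, chain = sample_chain(block_finance)
    return resolve(application_order(local, chain))


if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on Finance:", block)
        print("  order:", " -> ".join(effective_order_names(block)))
        print("  result:", effective_policy(block))
```

Running it shows the Finance OU's 300-second screen saver timeout beating the domain's 900 and 1200 (closest wins), the domain's link order 1 banner policy beating link order 2 at the same level, and the enforced DomainSecurity GPO re-enabling the command prompt restriction that both OUs tried to relax; switching on Block Inheritance at Finance removes the site and non-enforced domain settings but not the enforced one.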

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
