How To Design Your AD Structure Made Simple

by Jason on February 27, 2009

AD Windows Server 2008 Differences

Active Directory (AD) in Windows 2008 has not changed very much from Windows 2000 or Windows 2003, at least not in a visual or design sense. There have been continual improvements in AD since the start, and Windows 2008 incorporates many changes that enhance Active Directory. Among others, Windows Server 2008 boasts two excellent new features for AD, leaving aside the increased functionality in Group Policy Objects (GPOs). This article assumes you are familiar with AD Organizational Units, Trees, Forests and other nomenclature.

Active Directory Domain Services (ADDS) replaces Active Directory. Microsoft, in a great move, decoupled the directory service from the operating system instead of integrating it directly into the OS. This allows ADDS to be restarted without restarting the server. No longer will administrators need to boot into Directory Services Restore Mode to defragment the database. Now the service can be stopped, the database defragmented, and the service started again without rebooting the system.

Other changes to AD include Fine-Grained Password Policies, which allow a higher level of control over password criteria between different sets of users. AD Lightweight Domain Services replaces Active Directory Application Mode (ADAM).

Windows 2008 Server also introduces the Backup Domain Controller, I mean Read-Only Domain Controller, that contains a Read-Only copy of the Active Directory Database and only authenticates a specific set of users or groups specified by the administrators.  This reduces the risk of having a domain controller at a remote site with a read-write copy of the database that could be exploited.  Combine RODC with BitLocker and you have a well-protected Read-Only database that is hardened against attack or corruption.

Active Directory Design Made Simple

AD design can be as complex or as simple as you want it to be. The key to AD is that once a design is in place, it is hard to change without detrimental impact to the business. Good design work at the beginning is crucial. If you are inheriting an AD that was created incorrectly or inefficiently, you will need to spend a lot of time reviewing the configuration, GPOs, security rights, etc., until you have effectively mapped out the key elements and drafted a new design, along with all of the steps to get there.

There are two basic styles of Active Directory design: geography based or organization based. Some organizations have a “hybrid” design, but in the end you either start from geography or start from the organization.

Geography Based Active Directory Design

Based on physical location, the design is focused around nations, states, principalities, provinces or cities. If you have a small organization this may be simple to set up and design. The larger the company, the more complex your AD may become due to political considerations.

CompanyABC.com
CompanyABC.com/New Mexico
CompanyABC.com/New Mexico/Marketing
CompanyABC.com/New Mexico/Design
CompanyABC.com/New York
CompanyABC.com/New York/Marketing
CompanyABC.com/New York/Design

Organizational Based Active Directory Design

Simply said, the structure of the organization determines the structure of AD. Organizational Units may be based on departments, or on locations and departments. There are no real best practices on how deep your OU structure can go, but I prefer to have no more than three to four levels of nested OUs for ease of administration.

CompanyABC.com
CompanyABC.com/Marketing
CompanyABC.com/Marketing/New Mexico
CompanyABC.com/Marketing/New York
CompanyABC.com/Design
CompanyABC.com/Design/New Mexico
CompanyABC.com/Design/New York
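As an added example (not code from the original post), the following PowerShell builds either OU layout above from the slash-separated paths as written, creating parents before children and skipping OUs that already exist. It assumes the ActiveDirectory RSAT module is installed and that the account has rights to create OUs in the domain.

```powershell
# Added example, not code from the original post. Builds an OU tree from the
# slash-separated paths used in the article, creating parents before children
# and skipping OUs that already exist so the script is safe to re-run.
# Assumes the ActiveDirectory RSAT module and rights to create OUs in the domain.
Import-Module ActiveDirectory

# Constructed input: the geography-based layout from the post. Replace with the
# organizational paths (CompanyABC.com/Marketing/New Mexico, ...) for that design.
$paths = @(
    'CompanyABC.com/New Mexico/Marketing',
    'CompanyABC.com/New Mexico/Design',
    'CompanyABC.com/New York/Marketing',
    'CompanyABC.com/New York/Design'
)

# 'CompanyABC.com' -> 'DC=CompanyABC,DC=com'
function ConvertTo-DomainDN([string]$Fqdn) {
    ($Fqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Returns $true if an OU with this DN exists. Get-AD* with -Identity throws when
# the object is missing, so -ErrorAction Stop routes that into the catch block.
function Test-OuExists([string]$DistinguishedName) {
    try {
        Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

foreach ($path in $paths) {
    $parts = $path.Split('/')
    if ($parts.Count -lt 2) { continue }   # domain only, nothing to create
    $parentDN = ConvertTo-DomainDN $parts[0]

    # Walk one level at a time so every parent exists before its child is created.
    # (OU names containing commas or other DN-special characters would need escaping.)
    foreach ($ou in $parts[1..($parts.Count - 1)]) {
        $ouDN = "OU=$ou,$parentDN"
        if (-not (Test-OuExists $ouDN)) {
            New-ADOrganizationalUnit -Name $ou -Path $parentDN `
                -ProtectedFromAccidentalDeletion $true
            Write-Output "Created $ouDN"
        }
        $parentDN = $ouDN
    }
}
```

Add -WhatIf to the New-ADOrganizationalUnit call to preview the changes before running this against a production domain.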

Flexibility in your AD Structure

The structure that you choose should be flexible. Considering that your business may be acquired, or may acquire other companies, your simple structure could quickly become a Forest and no longer a Tree. Personally, if I have the resources, I prefer to start with the root of my own forest, as Forests can trust Forests via Active Directory Federated Services. The root of my forest is not used for anything else, and administration is limited to the very few individuals who are Enterprise Administrators. My “working” domains are subdomains of my root domain. There is additional cost in doing this, to support the equipment for the root domain.

CompanyABC.com
noram.CompanyABC.com
noram.CompanyABC.com/New Mexico

CompanyABC.com
noram.CompanyABC.com/Marketing
noram.CompanyABC.com/Marketing/New Mexico

Active Directory Design is highly dependent upon the culture and disposition of the business.  There may be political disputes that require resolution to properly design your network.

Other considerations are remote offices, intersite replication, Universal Group replication, use of Read-Only Domain Controllers, placement of Global Catalog servers, and bandwidth between locations. All of these must be taken into account while planning your domain strategy.

In Summary…

There are two main ways to design your AD structure, by the geography of the organization or by the organization of the different business units.  Each strategy requires careful design and preparation work to ensure that you have a flexible model and optimal server placement.  Keeping that goal in mind, work with the business to determine what strategy will be best for the organization and create detailed planning and implementation documentation for the deployment.
