What makes a good ad structure?

By sprinkl3s
I'm currently restructuring the organization's AD structure. I have only been with the company for a little over a week. They have about 800 some users, and about 600 some machines. I've never worked for a company of this size and of this many different departments. Am I better keeping the bottom of the hierarchy more defined or less defined?

Active Directory Structure

by CG IT In reply to What makes a good ad stru ...

1. Keep it simple
2. Make it flexible
3. If you can, use single forest, single tree.
4. Try to stay within 3 or 4 levels on the tree.
5. With OUs see #1 & #2

If it isn't broke don't try to fix it.

Active directory structure

by sprinkl3s In reply to Active Directory Structur ...

Well, it is broken... there is no structure. It's a hospital environment with three other locations on the same domain. Numerous departments and areas. I started to do the Visio diagram of how I think it would be most ideal and leave room for growth later down the road. But it just looks like too many OUs in the third level and I don't want to take it any more than 4 levels.

At my first level I have the locations. Then at the second level of each I have OUs named servers, departments, and areas. Then on the third level I get a little more detailed with the departments and areas.

Active Directory - A Logical Structure

by CG IT In reply to Active directory structur ...

What came to mind when you mentioned there is no structure, a hospital with 3 locations on the same domain, is what gets most IT guys confused about Active Directory. It's a logical structure that does not "need to" mimic [and more often than not should not mimic] the physical layout of the company. To mimic the physical layout of a company invites problems because it limits flexibility in a growing company. Example: Companies typically have a sales department, manufacturing, engineering, management, accounting, human resources. Under these department headings can be any # of "sub departments". Under sales can be regional sales, local sales and a branch off the top level sales such as customer service. OUs can be created at the top level such as Sales OU and then sub OUs nested inside the Sales top level OU. You can then collect users or computers in those OUs regardless of their actual physical location and have GPOs applied [or delegate admin]. There is flexibility in this design approach and simplicity because you're not limiting the design to match the physical design. This holds true for forest/domain design as well, which is also a logical structure.

Is physical sometimes better than logical?

by sprinkl3s In reply to Active Directory - A Logi ...

In our environment here we do more of trying to control things based upon where they are located. Our off sites are different specialties than at the main campus. So there isn't much repeating of the departments across the locations.

With the past companies I was with, a logical structure was good. Control didn't need to be as granular, and everything was within two levels.

DNS and Active Directory

by CG IT In reply to is physical sometimes bet ...

You can create an AD structure that mimics physical layout. You can group computers into OUs that match physical layout.

There's nothing in the rule books that says you can't, only that it's "better" to go with logical structure because it's easier to manage and flexible.

AD Design

by KingArthur In reply to DNS and Active Directory

Remember that you can apply GPOs on a "per site" basis also.

You talk of different physical locations... Will these be in different sites? (i.e. are they on different subnets? Do you have a DC on each remote location?)

Second - it is advisable to keep the directory as flat as possible. Remember that you only NEED to create more than one domain if you require a different password/security policy for different users.

Of course we are assuming that you will only need one tree in your forest! That is correct isn't it? :)

We do create OUs named after our geographic locations for USERS only. Our computer accounts exist in OUs that reflect the role they have. For example we have an OU for laptops, one for Service PCs, one for kiosk PC, one for general staff PCs etc.

I think you need to consider things in this order:
1. DNS namespace - get that sorted first!
2. Domain structure.
3. Site structure.
4. OU structure.

Give us a clue about your sites (physical locations), whether you are looking at multiple domains, a very brief organisational structure if possible.

Good luck! Spend the time carefully working through this, don't hesitate to ask questions! It'll look great on your CV!!
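
The layout described in the post above (user OUs named after locations, computer OUs named after roles), together with a check for the "3 or 4 levels" depth limit suggested earlier in the thread, as an added PowerShell example that is not part of any post. It assumes the ActiveDirectory (RSAT) module; the domain DN, the location names and the two top-level OU names are placeholders.

```powershell
# Added example, not from the thread.
Import-Module ActiveDirectory

$DomainDN  = 'DC=example,DC=org'                          # placeholder domain
$Locations = 'Main Campus', 'Site A', 'Site B', 'Site C'  # placeholder location names
$Roles     = 'Laptops', 'Service PCs', 'Kiosk PCs', 'General Staff PCs'  # roles named in the post

function New-OuIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )
    # Search only the direct children of $Path so the script can be re-run safely.
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                 -SearchBase $Path -SearchScope OneLevel
    if (-not $found) {
        # Protect new OUs from accidental deletion while the structure is being reworked.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$Path"   # return the DN so child OUs can be created under it
}

# Hypothetical top-level OU names: one tree for user accounts, one for computers.
$usersRoot     = New-OuIfMissing -Name 'Staff'        -Path $DomainDN
$computersRoot = New-OuIfMissing -Name 'Workstations' -Path $DomainDN

# Users grouped by location, computers grouped by role.
foreach ($loc in $Locations) { $null = New-OuIfMissing -Name $loc  -Path $usersRoot }
foreach ($role in $Roles)    { $null = New-OuIfMissing -Name $role -Path $computersRoot }

# Depth audit: count the OU= components in each DN (ignoring escaped commas)
# and list every OU nested more than 4 levels deep.
$ouComponent = '(^|(?<!\\),)OU='
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN |
    Select-Object DistinguishedName,
        @{ Name = 'Depth'
           Expression = { [regex]::Matches($_.DistinguishedName, $ouComponent).Count } } |
    Where-Object { $_.Depth -gt 4 } |
    Sort-Object Depth -Descending
```

The depth audit at the end is read-only and can be run on its own against an existing domain before any OUs are moved.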

ad design

by sprinkl3s In reply to AD Design

There is already a domain in place here. I am just redoing the AD structure before we bring in the Exchange server. With it being a hospital environment we like to have very granular control over things. The physical layout that I came up with works fairly well with our group policy design. As of right now only the main campus has servers; we plan on having servers at each location in time, mainly to help free up the WAN line. For the most part things are on the same subnet with the exception of the phones and a few other medical equipment devices. We like to have control over things based upon where they are. And in our opinion the placement of where people and computers are added would be easier in a physical layout. This is because they will only be using machines in that area. And coming up with a logical structure has been very difficult.

Simple is best

by d.g.bunting In reply to What makes a good ad stru ...

Sometimes defining the physical can lead to more problems and admin for yourself as departments grow. It's best not to break departments down into too many OUs as it becomes a nightmare creating users/computers in the correct OU. When designing the structure it is often best to try and reduce the number of physical departments into one OU, then use groups to allocate policy.

It's often worth considering what policies you plan to enforce before thinking about the OU structure.

Define by GPOs

by nzimmerman67 In reply to What makes a good ad stru ...

Personally, I like to define my AD by how I want to implement Group Policies. For example, if I keep all my workstations in one OU and my Users in another, I can define machine policies and separate user policies. By being more granular, I can put those workstations and users into additional sub-OUs based on who needs which policies. I can define top-level GPOs that impact all users, and create more specialized policies to apply to the sub-OUs.

Same subnet

by chuckmba In reply to Define by GPOs

Earlier you stated "for the most part things are on the same subnet with the exception of the phones." Why are most things on the same subnet? Isn't that sucking up bandwidth? Different locations should be on different subnets and then these subnets broken down further for departments. This would free up the WAN line.
