I have been asked to redesign the Active Directory entirely!

Where do I begin, since there seem to be sundry points of entry into this project? I have been asked to go through all the security groups and redo/restrict access, and redesign the shares to include a more efficient DFS system. We also have 3 sites located at branch offices with DCs/DHCP in each. I have also been asked to redefine roles - how do I define a role? Do I contact that person and ask them what they do? (That would take an eternity.) Do I call their boss and run down a list? And one of the largest priorities is that my boss wants the default security groups isolated from the locally-created security groups. We are planning on taking all the security groups and putting them in a new container just for our created groups. So, where do I begin?

First, document everything!
Document everything you have now.
Document everything you want to have when it's done.
This will help you keep moving in the direction you want to go and not end up with a big mess.

Create new shares where you need them.
Create new local groups and give them permissions to the shares
Create new global groups and add them to the local groups they need to be in
Add users to the global groups they need to be in.

After all of that is done you can remove old groups and shares that you don't need. (you should have those documented so it will be easy)

It should be easy to add everything you need on top of what is already there then remove the old stuff when it's not needed. But you will need good documentation to keep track of it all.
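The share, domain local group, global group, user chain described in this answer, as an added example that is not part of the original post. It assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 or later), and the share name, path, OU and account names are placeholders.

```powershell
# Added example: build one share the way the answer describes, with our own groups
# kept in a dedicated OU rather than in the built-in Users container.
Import-Module ActiveDirectory
Import-Module SmbShare

$GroupOU   = 'OU=Resource Groups,DC=example,DC=local'   # assumed container for locally-created groups
$ShareName = 'Finance'                                   # assumed share
$SharePath = 'D:\Shares\Finance'

# 1. Create the share and drop the default Everyone entry, so only our groups grant access.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath | Out-Null
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# 2. One domain local group per access level; these are the only principals on the share and NTFS ACLs.
foreach ($level in @{ 'RW' = 'Change'; 'RO' = 'Read' }.GetEnumerator()) {
    $dl = "DL_${ShareName}_$($level.Key)"
    if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
        New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
            -Description "Grants $($level.Value) on \\$env:COMPUTERNAME\$ShareName"
    }
    Grant-SmbShareAccess -Name $ShareName -AccountName "$env:USERDOMAIN\$dl" `
        -AccessRight $level.Value -Force | Out-Null
    $ntfs = if ($level.Key -eq 'RW') { '(OI)(CI)M' } else { '(OI)(CI)RX' }
    icacls $SharePath /grant "${env:USERDOMAIN}\${dl}:$ntfs" | Out-Null
}

# 3. Global groups represent roles; nest them in the domain local groups, then add users to the roles.
$Roles = @{ 'GG_Finance_Staff' = 'DL_Finance_RW'; 'GG_Auditors' = 'DL_Finance_RO' }  # assumed role mapping
foreach ($role in $Roles.GetEnumerator()) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($role.Key)'")) {
        New-ADGroup -Name $role.Key -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $role.Value -Members $role.Key
}
Add-ADGroupMember -Identity 'GG_Finance_Staff' -Members 'jdoe'   # assumed user

# 4. Record the result for the documentation the answer asks for.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
```

Access is changed only by moving users between the global (role) groups; the share and NTFS ACLs never need to be touched again.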

One suggestion, and that is, to make it completely new. Do not try to upgrade or merge. Make it a real redesign, something new. (avoid having too many problems to resolve)
uraneum73 (Author) commented:
Thanks for responding, brakko and SunBow. When you say make it completely new, do you mean design and test it on a non-production domain? That would seem to be easier. What about the other questions I had up above?

To redesign from scratch on a large domain is a lot of work that isn't necessary, and unless you know the entire environment, you don't know what else you'll break.

Now, I am making the assumption you have one domain in one forest with multiple sites.

On AD Physical Setup:

Divide AD into different sites, based on the number of different locations where you have DCs. This will reduce traffic between the sites, provide some localization, etc.

Once this is setup, you can re-construct a new DFS space based on the structure, placing based on usage requirements.

When they say roles, I'm assuming the FSMO roles. They are actually talking about the server roles, and not the roles of individuals. Based on your structure, you can transfer the FSMO roles as they make sense, i.e. the main site, with the best hardware, should be the PDC.
They could also mean the roles other servers provide, i.e. member servers and not the domain controllers: WINS, DHCP, file, etc. That will depend on your resources, usage, requirements, etc.

On AD Structure:

OUs are your friends; they are logical separators, and you can use group policies to control access, settings, etc. This setup really depends on your sites, the structure of your organization, etc.

For me, I like an OU for each site, with a security group inside that site OU named after the site. Inside the OU is another OU for each of the different departments, i.e. site 1 sales, site 1 marketing, etc., adding a security group inside each OU and making it a member of the security group in the OU above it.

Site 1 OU
---> Site 1 Sales OU
         ---> Site 1 Major Sales OU
         ---> Site 1 Minor Sales OU
---> Site 1 Marketing OU

Place the users, as well as the computers, based on where they fit in the structure. Then you can use group policies, ACLs, etc. to control access.

The AD structure all depends on your organization structure. It should replicate the physical structure in a way that allows the organization to communicate efficiently with each other; it should not define the organization structure.
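The site/department OU tree drawn above, with a security group inside each OU nested into the group of the OU above it, as an added example that is not code from the original answer. It assumes the ActiveDirectory module; the OU names follow the answer's tree and the group naming is an assumption.

```powershell
# Added example: create the nested OUs from the answer and the matching group per OU.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName

# Assumed structure mirroring the tree in the answer: OU name -> child OUs (same shape).
$Tree = @{
    'Site 1' = @{
        'Site 1 Sales'     = @{ 'Site 1 Major Sales' = @{}; 'Site 1 Minor Sales' = @{} }
        'Site 1 Marketing' = @{}
    }
}

function New-SiteOU {
    param(
        [string]$Name,          # OU to create
        [hashtable]$Children,   # child OUs beneath it
        [string]$ParentDN,      # DN of the containing OU, or of the domain for a site
        [string]$ParentGroup    # group of the OU above; receives this OU's group as a member
    )
    $ouDN = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }

    # One global security group per OU, stored inside that OU and named after it.
    $groupName = "$Name Users"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
    }

    # Nest it into the parent OU's group so membership rolls up the tree:
    # everyone in "Site 1 Major Sales Users" is also in "Site 1 Sales Users" and "Site 1 Users".
    if ($ParentGroup) { Add-ADGroupMember -Identity $ParentGroup -Members $groupName }

    foreach ($child in $Children.GetEnumerator()) {
        New-SiteOU -Name $child.Key -Children $child.Value -ParentDN $ouDN -ParentGroup $groupName
    }
}

foreach ($site in $Tree.GetEnumerator()) {
    New-SiteOU -Name $site.Key -Children $site.Value -ParentDN $DomainDN -ParentGroup $null
}
```

Nesting one global group inside another requires the domain to be at Windows 2000 native functional level or higher; in mixed mode only universal and domain local groups accept global groups as members.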
uraneum73 (Author) commented:
Thanks Colin,

We are going to keep our sites the way they are; directly from the boss. They are more or less a department - only separated by distance. He does not want to split the main OU into smaller and smaller OUs. So this takes care of that one!

As for the roles issue - it appears that he is speaking about "profiles" of people, the guys in our IT dept to be exact. We have been cleaning up a huge mess, one that has EVERYONE in IT with Domain Admin privileges! I have to clean this up and assign them appropriate privileges according to their job function, i.e. desktop, enterprise, workstation, etc.

I have to go through all of the Security Groups and determine which ones we will need, keep, delete, etc. There are some pretty ridiculous security groups here! Then I have to go through the OUs and determine which ones we will need to keep, just the same as the Security Groups. Then the DFS, which will follow the clean-up of the Groups! But that is later on down the road.
You may need to do OUs for the servers to do IT-level security.

I.e. you want certain techs to have full access to modify workstations and user accounts, but not servers.
You want some people to admin certain servers, but not all.

There is no reason for everyone to have domain admin. Microsoft security practices suggest further that a disabled account has domain admin, or one individual has the enterprise but not domain admin; that means that any major change requires both people to be involved...

You may need to do some OU work, say if you want user tech at site a only able to modify site a's users, but not site b's, etc...

I think you should be on your way now.  Does that clarify for you now on where to begin?
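The per-OU delegation this answer describes (site techs who can manage their own site's users and workstations but not servers, and nobody left in Domain Admins who does not need it), as an added example that is not code from the original answer. It assumes the ActiveDirectory module and the built-in dsacls tool; the OU, group and approved-account names are placeholders.

```powershell
# Added example: delegate rights on one site's OU instead of handing out Domain Admin,
# then check who still holds Domain Admins against an approved list.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$NetBIOS  = $Domain.NetBIOSName
$SiteOU   = "OU=Site A,$($Domain.DistinguishedName)"     # assumed OU holding Site A users and workstations
$RoleOU   = "OU=Admin Roles,$($Domain.DistinguishedName)" # assumed container for our own admin role groups
$Approved = @('Administrator', 'svc-breakglass')          # assumed accounts allowed in Domain Admins

# 1. One global group per job function; these are what techs get instead of Domain Admins.
foreach ($g in 'SiteA-UserAdmins', 'SiteA-WorkstationAdmins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $RoleOU
    }
}

# 2. Delegate on the OU only. /I:S applies the grant to existing child objects of that class (GA = full
#    control of user or computer objects); the second line allows creating/deleting that class in the OU.
#    Server OUs are never touched, so these groups have no rights there.
dsacls $SiteOU /I:S /G "${NetBIOS}\SiteA-UserAdmins:GA;;user"
dsacls $SiteOU      /G "${NetBIOS}\SiteA-UserAdmins:CCDC;user"
dsacls $SiteOU /I:S /G "${NetBIOS}\SiteA-WorkstationAdmins:GA;;computer"
dsacls $SiteOU      /G "${NetBIOS}\SiteA-WorkstationAdmins:CCDC;computer"

# 3. Check: which accounts (nested membership included) still hold Domain Admins without approval?
function Get-UnapprovedDomainAdmins {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $Approved } |
        Select-Object Name, SamAccountName, DistinguishedName
}

$extra = @(Get-UnapprovedDomainAdmins)
if ($extra.Count -gt 0) {
    Write-Warning "Domain Admins still contains $($extra.Count) account(s) outside the approved list:"
    $extra | Format-Table -AutoSize
    # Add each one to its role group first, then remove it:
    # Remove-ADGroupMember -Identity 'Domain Admins' -Members $extra.SamAccountName
}
```

Repeat step 2 with Site B's OU and groups so Site B techs can modify only Site B's users, as the answer suggests; run step 3 on a schedule so membership creep is caught rather than rediscovered during the next clean-up.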

uraneum73 (Author) commented:
Thanks Colin, you have made me think a little harder, and that is not always a bad thing ;-) I think this site is great in that experts like you and all who answered not only help us out, but actually encourage us to learn!

It looks like I am going to have to go head-to-head with the boss again and stress the need for greater OU management for the ultimate goal.....increased management and security!