Solved

AD structure for company with groups split on two locations

Posted on 2008-10-01
4
262 Views
Last Modified: 2013-11-05
I´ve been assigned the task to merge two domains into one. I will set up a new structure and migrate users into the new domain.

We have mainly two locations, and departments split over these locations.
Example:
We have 3 sales departments.
Sales internal is present in both locations
Sales external present in one location
Sales projects present in one location.

The same issue arises with other departments. Sales internal is one dep even though it´s split on two locations.

I´m wondering about an, as far as I know, untraditional structure to solve this .
Example:
company.local
OU:
Sales
  Loc1
    Computers
    Users
  Loc2
    Computers
    Users

Groups in Loc1: Sales external  Loc1 and Sales internal Loc1
Groups in Sales (among others): Sales internal, Sales external, Sales projects, Sales Loc1, Sales Loc2 and Sales everyone.

Users would be added to the group in they´re physical locations, so example salesuser1 would only be added to Sales internal Loc1. Sales internal Loc1 would be joined to following groups in OU Sales: Sales internal, Sales Loc1 and Sales everyone. Sales internal Loc1 would be joined to following groups in rootlevel: Everyone Loc1, and All local users. (don´t use everyone group due to ftp server and other services set up)

I could then apply GP using security filtering based on department or physical location. Is this a structure that is advisable considering the strong link within a departmens split on two phycisal locations?


0
Comment
Question by:Intrepidity
  • 2
  • 2
4 Comments
 

Author Comment

by:Intrepidity
Comment Utility
I might add that its not really just diff departments, the external sales is now in realy a company of it´s own(on paper, long story). I need to be able to isolate based on department/company even if it´s split on diffrent locations. This include NTFS permissions and GP policies in effect. Print mappings and location of home folders are based on location. File shares and such are based partly on location and partly on department. Well, at least that´s my plan anyways..

As they are used to being in our structure I see no reason in splitting it into several domains. This will just create more work as I see it.

With one OU for each sales dep I would get a lot of loc1 loc2 beneath them, and comp/users beneath that again. Severel of these loc1/loc2 below sales/salesdep would then contain one user only.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
Comment Utility
Yes, the departments should be top-OU

As you're having multiple locations, you should think about creating different sites for each location. Place atleast one (preferably atleast two for redudancy) DC in each location, and create different AD-sites for the locations (assign subnets to site). As you can also link GPOs to site, location-OUs might be unnecessary.
0
 

Author Comment

by:Intrepidity
Comment Utility
It will be set up with two sites with one DC at each location. Don't have the luxary of backup DC's, but both locations have 2x servers running on ESXi so getting a backup online can be done in minutes if a physical/virtual server fails. Would be extremely slow due to lack of performance - but it will work.

Using GPO linked to sites I would have to give everyone at a site the same printers for example. This might be the easiest solution, but I'm not sure if it's the best.
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 250 total points
Comment Utility
If distributing GPOs based on location, it will be enough to link the GPOs to the site level. Just keep in mind that GPOs linked to Domain or OU-level will override site-GPOs.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now