Intrepidity
asked on
AD structure for company with groups split on two locations
I´ve been assigned the task to merge two domains into one. I will set up a new structure and migrate users into the new domain.
We have mainly two locations, and departments split over these locations.
Example:
We have 3 sales departments.
Sales internal is present in both locations
Sales external present in one location
Sales projects present in one location.
The same issue arises with other departments. Sales internal is one dep even though it´s split on two locations.
I´m wondering about an, as far as I know, untraditional structure to solve this .
Example:
company.local
OU:
Sales
Loc1
Computers
Users
Loc2
Computers
Users
Groups in Loc1: Sales external Loc1 and Sales internal Loc1
Groups in Sales (among others): Sales internal, Sales external, Sales projects, Sales Loc1, Sales Loc2 and Sales everyone.
Users would be added to the group in they´re physical locations, so example salesuser1 would only be added to Sales internal Loc1. Sales internal Loc1 would be joined to following groups in OU Sales: Sales internal, Sales Loc1 and Sales everyone. Sales internal Loc1 would be joined to following groups in rootlevel: Everyone Loc1, and All local users. (don´t use everyone group due to ftp server and other services set up)
I could then apply GP using security filtering based on department or physical location. Is this a structure that is advisable considering the strong link within a departmens split on two phycisal locations?
We have mainly two locations, and departments split over these locations.
Example:
We have 3 sales departments.
Sales internal is present in both locations
Sales external present in one location
Sales projects present in one location.
The same issue arises with other departments. Sales internal is one dep even though it´s split on two locations.
I´m wondering about an, as far as I know, untraditional structure to solve this .
Example:
company.local
OU:
Sales
Loc1
Computers
Users
Loc2
Computers
Users
Groups in Loc1: Sales external Loc1 and Sales internal Loc1
Groups in Sales (among others): Sales internal, Sales external, Sales projects, Sales Loc1, Sales Loc2 and Sales everyone.
Users would be added to the group in they´re physical locations, so example salesuser1 would only be added to Sales internal Loc1. Sales internal Loc1 would be joined to following groups in OU Sales: Sales internal, Sales Loc1 and Sales everyone. Sales internal Loc1 would be joined to following groups in rootlevel: Everyone Loc1, and All local users. (don´t use everyone group due to ftp server and other services set up)
I could then apply GP using security filtering based on department or physical location. Is this a structure that is advisable considering the strong link within a departmens split on two phycisal locations?
Yes, the departments should be top-OU
As you're having multiple locations, you should think about creating different sites for each location. Place atleast one (preferably atleast two for redudancy) DC in each location, and create different AD-sites for the locations (assign subnets to site). As you can also link GPOs to site, location-OUs might be unnecessary.
As you're having multiple locations, you should think about creating different sites for each location. Place atleast one (preferably atleast two for redudancy) DC in each location, and create different AD-sites for the locations (assign subnets to site). As you can also link GPOs to site, location-OUs might be unnecessary.
ASKER
It will be set up with two sites with one DC at each location. Don't have the luxary of backup DC's, but both locations have 2x servers running on ESXi so getting a backup online can be done in minutes if a physical/virtual server fails. Would be extremely slow due to lack of performance - but it will work.
Using GPO linked to sites I would have to give everyone at a site the same printers for example. This might be the easiest solution, but I'm not sure if it's the best.
Using GPO linked to sites I would have to give everyone at a site the same printers for example. This might be the easiest solution, but I'm not sure if it's the best.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
As they are used to being in our structure I see no reason in splitting it into several domains. This will just create more work as I see it.
With one OU for each sales dep I would get a lot of loc1 loc2 beneath them, and comp/users beneath that again. Severel of these loc1/loc2 below sales/salesdep would then contain one user only.