Active Directory Design Strategy - Child Domain versus OU

Posted on 2010-08-23
Last Modified: 2013-11-13
1) What are the pros and cons of using ROOT DOMAIN > CHILD DOMAIN > OUs versus ROOT DOMAIN > OUs for individual sites in Active Directory?

2) Does one model scale better than the other?

3) Does one model work better for "absorbing" newly purchased companies and their domains?

4) Is one model more "secure" than the other - how so?

5) What model do you use/prefer and why?


Background: We are a growing company with nine sites that currently use a single root domain with sub-OUs for each site and then users, computers, etc. The goal is to have each site have an IT team to manage their own users, computers, etc., and group policy to be managed centrally. We would like to avoid having the site IT teams be domain admins.

I am looking for as detailed answers as possible please. I also know there may be no "correct" answer to some of these questions. I am looking for pros/cons and opinions. I will award points based on how detailed and how compelling your argument is.

Thanks all!
Question by: etur

Accepted Solution by: Mike Kline (ID: 33507212)
1) The con for using a child domain versus an OU is that now you have to have extra DCs for the child domain, which means extra cost and extra admin overhead.

What the child domain gives you is added protection against accidental security mistakes with schema and enterprise admin groups.....for anyone reading this via Google/Bing...yes I know the forest is the security boundary and that any admin in any forest can elevate themselves. I'm just saying not everyone knows that exploit. Again the forest is the real security boundary, so in terms of security the root >> child doesn't protect you from someone that knows what they are doing.

The DS team also talked about this (look halfway down at the question about the empty root)

http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx

2) They both scale well...we are talking about millions of objects: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_Objects

3) No. If you absorb a company they can become an OU, or if they need their own domain you can add one at that time.

4) The forest is the security boundary, I covered that earlier; but I also went into the activedir archives for this quote by Laura Robinson (not taking credit for Laura):

****Laura's quote from activedir*****
Your domain admins for *any* domain can already muck up your entire forest. Make no mistake about that. Domains are not security boundaries, merely replication, administration and “simple oops protection” boundaries. Therefore, using the rationale that your DAs for the other domains can’t break the entire thing right now isn’t technically true. They have to work a little harder to muck up the entire forest, but they can certainly do it.

*******end of quote *************

Right now where I am and have been we use an empty root, but that is because it has always been there and it is a pain to consolidate just to get rid of the empty root. If I'm starting a new design I'd go in trying to have only one domain and only expand if there was a good reason.


Thanks

Mike
Author Comment by: etur (ID: 33507601)
Since I would be the only domain admin, I guess I would only have to worry about me then?
Assisted Solution by: Chev_PCN (ID: 33508787)
The ideal "to be" situation would be to have the root domain (which contains the schema admins, enterprise admins, etc.) and then to consolidate the other 9 domains into a single child domain. From a security point of view you can then isolate the "God Right" accounts and lock them down in the root.
You'll need to join the 9 domains under the root, then once your core child domain is in place, you can slowly (and very carefully) migrate all the objects from the others into new OUs with specific rights delegations. In this way you can allow administrators good access over tightly-controlled areas.
As one major example cited by Microsoft, BP (of oil-spill fame) has the largest single-domain infrastructure globally, and everything is managed via well-planned OU design and appropriate delegation on those OUs by region and by function.
There are quite a few MS whitepapers on this topic.
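The per-site OU with specific rights delegation that Chev_PCN describes, combined with Mike's point that the site IT teams should never end up in the forest-wide admin groups, as an added PowerShell example. This is not code from the thread or from any Microsoft whitepaper; the OU names (Sites, Site-Boston), the site group name Boston-IT, and the particular set of rights delegated (create/delete and edit users and computers, reset user passwords) are assumptions chosen for the illustration.

```powershell
# Added example (not from the thread): place one site's users and computers in
# a per-site OU and delegate only what the site IT team needs on that OU,
# instead of making them Domain Admins. Run as a domain admin with RSAT installed.
# Assumed names: top-level OU "Sites", site OU "Site-Boston", group "Boston-IT".
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$domainDn  = (Get-ADDomain).DistinguishedName
$siteOuDn  = "OU=Site-Boston,OU=Sites,$domainDn"
$siteGroup = 'Boston-IT'

# Look up class and extended-right GUIDs from this forest's schema and
# configuration partitions rather than hard-coding well-known values.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    [guid]$right.rightsGuid
}

# 1. Create the OU tree if it is missing. ProtectedFromAccidentalDeletion is the
#    "simple oops protection" the thread talks about, applied at the OU level.
foreach ($dn in "OU=Sites,$domainDn", $siteOuDn, "OU=Users,$siteOuDn", "OU=Computers,$siteOuDn") {
    if (-not (Get-ADObject -LDAPFilter "(distinguishedName=$dn)" -SearchBase $domainDn)) {
        $name, $parent = $dn -split ',', 2
        New-ADOrganizationalUnit -Name ($name -replace '^OU=', '') -Path $parent `
            -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Delegate on the site OU only; nothing here grants rights outside it.
$sid      = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $siteGroup).SID
$userGuid = Get-SchemaClassGuid 'user'
$compGuid = Get-SchemaClassGuid 'computer'
$resetPwd = Get-ExtendedRightGuid 'Reset Password'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$acl      = Get-Acl -Path "AD:\$siteOuDn"

foreach ($classGuid in $userGuid, $compGuid) {
    # Create and delete user/computer objects in the site OU and its sub-OUs
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $classGuid, $inherit::All))
    # Read and write attributes of existing user/computer objects below the OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $inherit::Descendents, $classGuid))
}
# Reset Password is an extended right; scope it to user objects only
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit::Descendents, $userGuid))
Set-Acl -Path "AD:\$siteOuDn" -AclObject $acl

# 3. Check that the site group is not, directly or through nesting, a member of
#    any forest-wide privileged group. The matching rule OID below is the
#    LDAP_MATCHING_RULE_IN_CHAIN transitive membership filter. In a multi-domain
#    forest run the query against a global catalog (port 3268) so that groups in
#    the root domain are included.
$privileged  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$siteGroupDn = (Get-ADGroup $siteGroup).DistinguishedName
$gc          = Get-ADDomainController -Discover -Service GlobalCatalog
$nestedIn    = Get-ADGroup -Server "$($gc.HostName):3268" `
    -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$siteGroupDn)" |
    Where-Object { $_.Name -in $privileged }
if ($nestedIn) {
    Write-Warning "$siteGroup is nested in: $($nestedIn.Name -join ', ') - delegation is moot"
} else {
    Write-Host "$siteGroup holds delegated rights on $siteOuDn and no forest-wide admin membership"
}
```

Step 3 is the part worth re-running periodically: an OU delegation only limits what the site team can do as long as nobody later drops their group into Domain Admins "just to fix one thing", which is exactly the forest-wide exposure the accepted answer warns about.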
Author Comment by: etur (ID: 33513270)
Chev,
Do you have a link to that BP whitepaper and maybe some others?
Thanks!
Author Closing Comment by: etur (ID: 33667947)
Not as much detail as I had asked for but good info.