Active Directory Design Strategy - Child Domain versus OU

Posted on 2010-08-23
Medium Priority
Last Modified: 2013-11-13
1) What are the pros and cons using ROOT DOMAIN>CHILD DOMAIN>OU'S versus ROOT DOMAIN>OU'S for individual sites in active directory?

2) Does one model scale better than the other?

3) Does one model work better for "absorbing" newly purchased companies and their domains?

4) Is one model more "secure" than the other - how so?

5) What model do you use/prefer and why?

Background: We are a growing company with nine sites that currently use a single root domain with sub-ou's for each site and then users, computers etc. The goal is to have each site have an IT team to manage their own users, computers etc. and group policy to be managed centrally. We would like to avoid having the site IT teams be domain admins.

I am looking for as detailed answers as possible please. I also know there may be no "correct" answer to some of these questions. I am looking for pros/cons and opinions. I will award points based on how detailed and how compelling your argument is.

Thanks all!
Question by:etur

Accepted Solution

Mike Kline earned 375 total points
ID: 33507212
1) The con for using a child domain versus an OU is that now you have to have extra DCs for the child domain, which means extra cost and extra admin overhead.

What the child domain gives you is added protection against accidental security mistakes with schema and enterprise admin groups.....for anyone reading this via Google/Bing...yes I know the forest is the security boundary and that any admin in any forest can elevate themselves.  I'm just saying not everyone knows that exploit.   Again the forest is the real security boundary so in terms of security the root >> child doesn't protect you from someone that knows what they are doing.

The DS team also talked about this (look halfway down at the question about the empty root)


2) They both scale well...we are talking about millions of objects http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_Objects

3) No if you absorb a company they can become an OU or if they need their own domain you can add one at that time.

4) The forest is the security boundary, I covered that earlier; but I also went into the activedir archives for this quote by Laura Robinson (not taking credit for Laura

****Laura's quote from activedir*****
Your domain admins for *any* domain can already muck up your entire forest. Make no mistake about that. Domains are not security boundaries, merely replication, administration and “simple oops protection” boundaries. Therefore, using the rationale that your DAs for the other domains can’t break the entire thing right now isn’t technically true. They have to work a little harder to muck up the entire forest, but they can certainly do it.

*******end of quote *************

Right now where I am and have been we use an empty root, but that is because it has always been there and it is a pain to consolidate just to get rid of the empty root.  If I'm starting a new design I'd go in trying to have only one domain and only expand if there was a good reason.



Author Comment

ID: 33507601
Since I would be the only domain admin, I guess I would only have to worry about me then?

Assisted Solution

Chev_PCN earned 375 total points
ID: 33508787
The ideal "to be" situation would be to have the root domain (which contains the schema admin, enterprise admin, etc.) and then to consolidate the other 9 domains into a single child domain. From a security point of view you can then isolate the "God Right" accounts and lock them down in the root.
You'll need to join the 9 domains under the root, then once your core child domain is in place, you can then slowly (and very carefully) migrate all the objects from the others into new OUs with specific rights delegations. In this way you can allow administrators good access over tightly-controlled areas.
As one major example cited by Microsoft, BP (of oil-spill fame) has the largest single-domain infrastructure globally, and everything is managed via well-planned OU design, and appropriate delegation on those OU's by region and by function.
There are quite a few MS whitepapers on this topic.
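A worked example of the OU-based delegation both answers recommend (a per-site OU, with a site IT group granted rights over the user and computer objects inside it, without Domain Admins membership). This is added here and is not code from either answer; the site name "Site01", the group "Site01-IT-Admins" and the "OU=Sites" container are placeholders, and the script assumes the RSAT ActiveDirectory module and rights to create OUs and edit their ACLs.

```powershell
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
# Added example, not code from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example
$site     = 'Site01'
$siteOu   = "OU=$site,OU=Sites,$domainDn"
$groupSid = (Get-ADGroup -Identity "$site-IT-Admins").SID   # pre-existing security group

# 1) Site OU tree: Sites > Site01 > Users / Computers. Group policy stays linked centrally.
foreach ($dn in "OU=Sites,$domainDn", $siteOu, "OU=Users,$siteOu", "OU=Computers,$siteOu") {
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch {
        $name, $parent = $dn -split ',', 2
        New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

# 2) Schema GUIDs of the user and computer classes, needed for object-type-specific ACEs.
$schemaNc  = (Get-ADRootDSE).SchemaNamingContext
$classGuid = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=computer))' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# 3) Delegation ACEs: the site group may create/delete user and computer objects under its OU
#    and has full control over those objects, and nothing at all outside the OU.
$acl = Get-Acl -Path "AD:\$siteOu"
foreach ($class in 'user', 'computer') {
    $createDelete = [ActiveDirectoryAccessRule]::new(
        $groupSid, [ActiveDirectoryRights]'CreateChild, DeleteChild', [AccessControlType]::Allow,
        $classGuid[$class], [ActiveDirectorySecurityInheritance]::All)
    $fullControl  = [ActiveDirectoryAccessRule]::new(
        $groupSid, [ActiveDirectoryRights]::GenericAll, [AccessControlType]::Allow,
        [ActiveDirectorySecurityInheritance]::Descendents, $classGuid[$class])
    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullControl)
}
Set-Acl -Path "AD:\$siteOu" -AclObject $acl

# 4) Verify: show exactly what the site group was granted on the OU (and nothing more).
(Get-Acl -Path "AD:\$siteOu").Access |
    Where-Object { $_.IdentityReference -like "*$site-IT-Admins" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Re-running the verification step after any change is a cheap way to catch delegation drift: the site group should never show up with rights on the domain head or on other sites' OUs.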

Author Comment

ID: 33513270
Do you have a link to that BP whitepaper and maybe some others?

Author Closing Comment

ID: 33667947
Not as much detail as I had asked for but good info.
