Solved

Active Directory Design Strategy - Child Domain versus OU

Posted on 2010-08-23
Last Modified: 2013-11-13
1) What are the pros and cons of using ROOT DOMAIN > CHILD DOMAIN > OUs versus ROOT DOMAIN > OUs for individual sites in Active Directory?

2) Does one model scale better than the other?

3) Does one model work better for "absorbing" newly purchased companies and their domains?

4) Is one model more "secure" than the other - how so?

5) What model do you use/prefer and why?


Background: We are a growing company with nine sites that currently use a single root domain with sub-OUs for each site and then users, computers, etc. The goal is to have each site have an IT team to manage their own users, computers, etc., and group policy to be managed centrally. We would like to avoid having the site IT teams be domain admins.

I am looking for as detailed answers as possible please. I also know there may be no "correct" answer to some of these questions. I am looking for pros/cons and opinions. I will award points based on how detailed and how compelling your argument is.

Thanks all!
Question by:etur
Accepted Solution

by: Mike Kline
ID: 33507212
1) The con for using a child domain versus an OU is that now you have to have extra DCs for the child domain, which means extra cost and extra admin overhead.

What the child domain gives you is added protection against accidental security mistakes with schema and enterprise admin groups.....for anyone reading this via Google/Bing...yes I know the forest is the security boundary and that any admin in any forest can elevate themselves.  I'm just saying not everyone knows that exploit.   Again the forest is the real security boundary so in terms of security the root >> child doesn't protect you from someone that knows what they are doing.

The DS team also talked about this (look halfway down at the question about the empty root)

http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx

2) They both scale well...we are talking about millions of objects http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_Objects

3) No. If you absorb a company they can become an OU, or if they need their own domain you can add one at that time.

4) The forest is the security boundary, I covered that earlier; but I also went into the activedir archives for this quote by Laura Robinson (not taking credit for Laura

****Laura's quote from activedir*****
Your domain admins for *any* domain can already muck up your entire forest. Make no mistake about that. Domains are not security boundaries, merely replication, administration and “simple oops protection” boundaries. Therefore, using the rationale that your DAs for the other domains can’t break the entire thing right now isn’t technically true. They have to work a little harder to muck up the entire forest, but they can certainly do it

*******end of quote *************

Right now where I am and have been we use an empty root, but that is because it has always been there and a pain to consolidate just to get rid of the empty root.  If I'm starting a new design I'd go in trying to have only one domain and only expand if there was a good reason.


Thanks

Mike
Author Comment

by:etur
ID: 33507601
Since I would be the only domain admin, I guess I would only have to worry about me then?

Assisted Solution

by:Chev_PCN
Chev_PCN earned 375 total points
ID: 33508787
The ideal "to be" situation would be to have the root domain (which contains the schema admin, enterprise admin, etc.) and then to consolidate the other 9 domains into a single child domain. From a security point of view you can then isolate the "God Right" accounts and lock them down in the root.
You'll need to join the 9 domains under the root, then once your core child domain is in place, you can then slowly (and very carefully) migrate all the objects from the others into new OUs with specific rights delegations. In this way you can allow administrators good access over tightly-controlled areas.
As one major example cited by Microsoft, BP (of oil-spill fame) has the largest single-domain infrastructure globally, and everything is managed via well-planned OU design and appropriate delegation on those OUs by region and by function.
There are quite a few MS whitepapers on this topic.
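The question's goal (site IT teams manage their own users and computers without being domain admins) and Chev_PCN's suggestion of OUs with specific rights delegations come down to writing object-class-scoped ACEs on the site OU. The following PowerShell is an added example, not code from this thread, from Microsoft or from any whitepaper; it assumes the ActiveDirectory RSAT module, a site called "Site01", a delegation group "Site01-IT-Admins" and an existing "OU=Delegation" container for such groups (all constructed names). It resolves the schema and extended-right GUIDs from the forest rather than hard-coding them, grants only create/delete, property write and Reset Password on user and computer objects (no rights on the OU itself, so the site team cannot re-delegate), and finishes with a check that the group is not nested, directly or transitively, inside a forest- or domain-wide admin group, which is what Mike's "oops protection" point is really about.

```powershell
# Added example (not from the thread): per-site delegation on an OU instead of Domain Admins.
# Assumed/constructed: site "Site01", group "Site01-IT-Admins", container "OU=Delegation".
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$siteName  = 'Site01'
$siteOU    = "OU=$siteName,$domainDN"
$groupName = "$siteName-IT-Admins"
$groupOU   = "OU=Delegation,$domainDN"

# --- 1. Site OU and the group that receives the delegation ------------------------------
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$siteName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $siteName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security -Path $groupOU
}
$group    = Get-ADGroup -Identity $groupName
$groupSid = $group.SID

# --- 2. Resolve class and extended-right GUIDs from this forest's schema ----------------
$rootDse = Get-ADRootDSE
function Get-SchemaClassGuid([string]$ldapDisplayName) {
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$displayName))" -Properties rightsGuid
    return [guid]$right.rightsGuid
}
$userClass     = Get-SchemaClassGuid 'user'
$computerClass = Get-SchemaClassGuid 'computer'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'
$allProperties = [guid]::Empty   # empty objectType in an ACE means "all properties"

# --- 3. Build ACEs scoped to the OU subtree and to user/computer objects only ----------
$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$aces = @(
    # create and delete user / computer objects anywhere below the site OU
    (New-Object $ruleType -ArgumentList $groupSid, 'CreateChild, DeleteChild', 'Allow', $userClass,     'All'),
    (New-Object $ruleType -ArgumentList $groupSid, 'CreateChild, DeleteChild', 'Allow', $computerClass, 'All'),
    # read and write every property of existing user / computer objects (not of the OU)
    (New-Object $ruleType -ArgumentList $groupSid, 'ReadProperty, WriteProperty', 'Allow', $allProperties, 'Descendents', $userClass),
    (New-Object $ruleType -ArgumentList $groupSid, 'ReadProperty, WriteProperty', 'Allow', $allProperties, 'Descendents', $computerClass),
    # the "Reset Password" control access right on descendant users, instead of GenericAll
    (New-Object $ruleType -ArgumentList $groupSid, 'ExtendedRight', 'Allow', $resetPassword, 'Descendents', $userClass)
)

$acl = Get-Acl -Path "AD:\$siteOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$siteOU" -AclObject $acl

# --- 4. Verify the delegation and that the group is not a privileged group in disguise --
(Get-Acl -Path "AD:\$siteOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType -AutoSize

# LDAP_MATCHING_RULE_IN_CHAIN returns every group this group is a member of, transitively
$nestedIn = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
    Select-Object -ExpandProperty Name
foreach ($priv in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators') {
    if ($nestedIn -contains $priv) {
        Write-Warning "$groupName is nested in '$priv'; the OU delegation is moot until that membership is removed."
    }
}
```

Run it as an account that can write the OU's security descriptor, once per site with `$siteName` changed. The ACEs are deliberately narrower than the "Delegation of Control" wizard's Full Control: the group gets nothing on the OU object itself (no WriteDacl, no rights over nested OUs, groups or GPO links), so group policy stays centrally managed as the question wants, and the final membership check catches the common mistake of nesting the new group into Domain Admins "for now".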
Author Comment

by:etur
ID: 33513270
Chev,
Do you have a link to that BP whitepaper and maybe some others?
Thanks!
Author Closing Comment

by:etur
ID: 33667947
Not as much detail as I had asked for but good info.