Active Directory Design Strategy - Child Domain versus OU

1) What are the pros and cons using ROOT DOMAIN>CHILD DOMAIN>OU'S versus ROOT DOMAIN>OU'S for individual sites in active directory?

2) Does one model scale better than the other?

3) Does one model work better for "absorbing" newly purchased companies and their domains?

4) Is one model more "secure" than the other - how so?

5) What model do you use/prefer and why?

Background: We are a growing company with nine sites that currently use a single root domain with sub-ou's for each site and then users, computers etc. The goal is to have each site have an IT team to manage their own users, computers etc. and group policy to be managed centrally. We would like to avoid having the site IT teams be domain admins.

I am looking for as detailed answers as possible please. I also know there may be no "correct" answer to some of these questions. I am looking for pros/cons and opinions. I will award points based on how detailed and how compelling your argument is.

Thanks all!
Mike Kline Commented:
1 -- The con for using a child domain versus an OU is that now you have to have extra DCs for the child domain, which means extra cost and extra admin overhead.

What the child domain gives you is added protection against accidental security mistakes with schema and enterprise admin groups.....for anyone reading this via Google/Bing...yes, I know the forest is the security boundary and that any admin in any forest can elevate themselves. I'm just saying not everyone knows that exploit. Again, the forest is the real security boundary, so in terms of security the root >> child doesn't protect you from someone that knows what they are doing.

The DS team also talked about this (look halfway down at the question about the empty root)

2) They both scale well...we are talking about millions of objects.

3) No if you absorb a company they can become an OU or if they need their own domain you can add one at that time.

4) The forest is the security boundary, I covered that earlier; but I also went into the activedir archives for this quote by Laura Robinson (not taking credit for Laura's quote):

****Laura's quote from activedir*****
Your domain admins for *any* domain can already muck up your entire forest. Make no mistake about that. Domains are not security boundaries, merely replication, administration and "simple oops protection" boundaries. Therefore, using the rationale that your DAs for the other domains can't break the entire thing right now isn't technically true. They have to work a little harder to muck up the entire forest, but they can certainly do it.

*******end of quote *************

Right now where I am and have been we use an empty root, but that is because it has always been there and it is a pain to consolidate just to get rid of the empty root. If I'm starting a new design I'd go in trying to have only one domain and only expand if there was a good reason.
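Since the answer above says every Domain Admin in every domain is in practice a forest admin, the check a practitioner would want is an inventory of who actually holds those rights anywhere in the forest. The script below is an added example, not from the original thread; it assumes the ActiveDirectory RSAT module, the default built-in group names, and an account that can read group membership in each domain.

```powershell
# Added example (not from the original thread): list every account that holds
# Domain Admin-level rights anywhere in the forest. Because the forest, not the
# domain, is the security boundary, each of these is effectively a forest admin.
# Assumes the ActiveDirectory RSAT module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$rows = foreach ($domain in $forest.Domains) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $groups = if ($domain -eq $forest.RootDomain) {
        'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
    } else {
        'Domain Admins', 'Administrators'
    }
    foreach ($group in $groups) {
        # -Recursive expands nested groups so indirectly privileged accounts show up too.
        # Foreign security principals in child-domain Administrators can cause lookup
        # errors, which are skipped rather than aborting the whole inventory.
        Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Domain    = $domain
                    Group     = $group
                    Principal = $_.distinguishedName
                }
            }
    }
}

# One row per account, showing every privileged group it sits in, forest-wide.
$rows | Group-Object Principal | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.Name
        Groups    = ($_.Group | ForEach-Object { "$($_.Domain)\$($_.Group)" } | Sort-Object -Unique) -join '; '
    }
} | Sort-Object Principal | Format-Table -AutoSize
```

Treat every account in that output as a forest-level admin when deciding how it is protected, regardless of which domain it lives in.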


etur (Author) Commented:
Since I would be the only domain admin, I guess I would only have to worry about me then?
Chev_PCN Commented:
The ideal "to be" situation would be to have the root domain (which contains the schema admins, enterprise admins, etc., etc.) and then to consolidate the other 9 domains into a single child domain. From a security point of view you can then isolate the "God Right" accounts and lock them down in the root.
You'll need to join the 9 domains under the root, then once your core child domain is in place, you can then slowly (and very carefully) migrate all the objects from the others into new OU's with specific rights delegations. In this way you can allow administrators good access over tightly-controlled areas.
As one major example cited by Microsoft, BP (of oil-spill fame) has the largest single-domain infrastructure globally, and everything is managed via well-planned OU design, and appropriate delegation on those OU's by region and by function.
There are quite a few MS whitepapers on this topic.
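The OU delegation this answer describes, and the asker's goal of site IT teams managing their own users and computers while GPO stays central, is what the script below does for one site OU. It is an added example, not from the original thread or any Microsoft whitepaper; the OU paths and group name are hypothetical, and it assumes the ActiveDirectory RSAT module and an account allowed to modify the OU's ACL.

```powershell
# Added example (not from the original thread): delegate day-to-day user and
# computer management for one site OU to that site's IT group without making
# them Domain Admins. OU paths and the group name are hypothetical.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$siteName = 'Site01'
$siteOU   = "OU=$siteName,OU=Sites,$domainDN"   # hypothetical per-site OU
$groupOU  = "OU=Delegation,$domainDN"           # hypothetical home for delegation groups
$siteIT   = "$siteName-IT-Admins"               # hypothetical delegation group

# Rights go to a group, never to individual admins, so membership is the one
# thing to review later.
if (-not (Get-ADGroup -Filter "Name -eq '$siteIT'")) {
    New-ADGroup -Name $siteIT -GroupScope Global -GroupCategory Security -Path $groupOU
}
$sid = (Get-ADGroup -Identity $siteIT).SID

# schemaIDGUIDs for the object classes being delegated, read from the schema
# rather than hard-coded so the script is not tied to one forest.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=computer))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

$ruleType     = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$all          = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$siteOU"
foreach ($class in 'user', 'computer') {
    $guid = $classGuid[$class]
    # Create and delete user/computer objects in this OU and any sub-OUs.
    $acl.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $sid, $createDelete, $allow, $guid, $all))
    # Full control over existing user/computer objects only (password resets,
    # attribute edits, disabling), scoped by inherited object type.
    $acl.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $sid, $fullControl, $allow, $descendents, $guid))
}
# Deliberately NOT granted: any right on the OU objects themselves (gPLink,
# gPOptions, creating sub-OUs) or on group objects, so GPO linking and group
# administration remain with the central team.
Set-Acl -Path "AD:\$siteOU" -AclObject $acl

# Verify what was actually written, so the delegation can be audited.
(Get-Acl -Path "AD:\$siteOU").Access |
    Where-Object { $_.IdentityReference -like "*\$siteIT" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it once per site OU. The verification step at the end is worth keeping in a scheduled job: an ACE that later appears on the OU object itself, or without the user/computer inherited-object-type scoping, means someone widened the delegation beyond what was intended.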
etur (Author) Commented:
Do you have a link to that BP whitepaper and maybe some others?
etur (Author) Commented:
Not as much detail as I had asked for but good info.