Solved

Active Directory structure

Posted on 2010-11-27
5
301 Views
Last Modified: 2012-05-10
A customer still has a Win2003 environment and wants to structure his AD.
Currently it is all flat, all computers in 1 OU, all users and groups in 1 OU.
They have a main site with 50 users, and 10 remote sites with 5 - 10 users, connected through DSL-lines. Each remote site has a DC/GC.
Side note: 70% of the PCs are laptops, moving around between the main site and the remote sites a lot.

How would you structure servers, users, groups and computers in this kind of site, thinking about future policies, preferences, virus scan updates, WSUS, etc.?

rgrds
0
Question by:HamannWetteren
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 34221610
You need to think about the structure of the business and create OUs according to the way you want to organise and manage users and computers and to delegate control. Often this will take the form of mirroring any departmental structure and/or locations in OUs.
Normally servers would be better in an OU of their own (DCs are already in a separate OU by default and should not need to be changed). Laptops too may be better in an OU of their own, depending on how you want to manage them.
0
 
LVL 12

Assisted Solution

by:Vaseem Mohammed
Vaseem Mohammed earned 200 total points
ID: 34222572
I would suggest creating an Org Unit for each site, then within each OU creating Computer Acct, User Acct and Groups.
This structure is good if you are managing computer accounts and user accounts via GPO and have different types of settings for each site or group of users.

- Domain.com
   - Site-01
      - Computer Acct
      - User Acct
      - Groups
   - Site-02
      - Computer Acct
      - User Acct
      - Groups
   - Site-03
      - Computer Acct
      - User Acct
      - Groups


If you have a universal policy for all computers, it is better to have them in one place, as they are by default in the "Computers" OU. Any policy you have set at domain level will be applied to the Computers OU.
- Domain.com
   - Default Computers OU
   - Site-01
      - User Acct
      - Groups
   - Site-02
      - User Acct
      - Groups
   - Site-03
      - User Acct
      - Groups

If you don't want to apply policy at domain level, then you will have to create a new OU at the root for computer accounts, because you can't apply a GPO to the default Computers OU separately.
- Domain.com
   - Default Computers OU
   - Computer Acct --> (custom created)
   - Site-01
      - User Acct
      - Groups
   - Site-02
      - User Acct
      - Groups
   - Site-03
      - User Acct
      - Groups
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 34222583
Also make sure to go through the article at

This will be useful when you create a custom "Computer Acct" OU at the root. The reason is that when you join a desktop, by default its account will be created in the default Computers OU, and using redircmp "OU=Computer Acct,DC=domain,DC=com" the computer account will land in your custom Computer Acct OU.
AND
if you want a specific set of policies to be applied when user and computer accounts come to the domain for the 1st time.
0
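The OU tree from the previous answer plus the redircmp step, as an added PowerShell example; it is my own code, not from any answer on this page. The site and OU names are the ones used above, the RemoteLaptops OU is the one the accepted solution further down proposes, and the script assumes the ActiveDirectory module run as a Domain Admin on a DC (against Windows Server 2003 DCs the module needs the Active Directory Management Gateway Service installed on the DC, and redircmp needs the domain at Windows Server 2003 functional level). The point worth seeing is that CN=Computers is a container, not an OU, which is why no GPO can be linked to it and the redirect is needed:

```powershell
# Added example (not from the answers above): build the site OU tree and redirect
# the default computer container to a root-level "Computer Acct" OU.
# Assumes: ActiveDirectory module, run as a Domain Admin on a DC; against
# Windows Server 2003 DCs the module needs the AD Management Gateway Service on
# the DC, and redircmp needs the domain at Windows Server 2003 functional level.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=domain,DC=com
$sites    = 'Site-01', 'Site-02', 'Site-03'           # names from the answer above
$children = 'Computer Acct', 'User Acct', 'Groups'

# Create an OU under $Path if it is not already there; return its DN either way.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path | Out-Null
    }
    return "OU=$Name,$Path"
}

# Per-site OUs, each with its own computer, user and group sub-OUs.
foreach ($site in $sites) {
    $siteDN = New-OUIfMissing -Name $site -Path $domainDN
    foreach ($child in $children) {
        New-OUIfMissing -Name $child -Path $siteDN | Out-Null
    }
}

# Root-level OUs: the redircmp target, and one for roaming laptops (accepted solution).
$computerOU = New-OUIfMissing -Name 'Computer Acct' -Path $domainDN
$laptopOU   = New-OUIfMissing -Name 'RemoteLaptops' -Path $domainDN

# CN=Computers is a container, not an OU, so no GPO can be linked to it. Redirect
# new domain joins to the custom OU instead. Only needed once per domain.
if ((Get-ADDomain).ComputersContainer -ne $computerOU) {
    redircmp.exe $computerOU
}

# Verify: the domain now reports the custom OU as its default computer location.
(Get-ADDomain).ComputersContainer
```

The check at the end reads the same wellKnownObjects entry redircmp writes, so running the script a second time is harmless: existing OUs are reused and the redirect is skipped. Existing computer accounts in CN=Computers are not moved by redircmp; those still have to be moved into a site or laptop OU by hand.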
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 34222587
0
 
LVL 8

Accepted Solution

by:TSGITDept
TSGITDept earned 300 total points
ID: 34305775

If 70% of the laptops are roaming then having them dedicated to Location Based OUs may not make as much sense. Perhaps those might be in an OU for RemoteLaptops and use Location-based OUs for everything else. Roaming laptops may have special security needs, like extra Firewall Security, password protected screen saver policy, and other things to keep them safe.

Have they considered a Terminal Server, aka Remote Desktop Services?  We even run it in a Virtual Server environment.

We have about 20 locations and use it extensively.  It has a lot of benefits, although we use GP and have lots of fat client laptops too:
 - Fast
 - Centralized control
 - Shadowing for tech support
 - Automatic backups of user files
 - Better security since the data doesn't leave the server.
 - Allows the option to access your work from home, or on the road.

Might talk to them about it in the future and sell them some consulting time, if that's what you do.
0
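The two controls the accepted solution names for roaming laptops, firewall on and a password-protected screen saver, as an added GPO example of my own; it is not code from any answer on this page. It assumes the GroupPolicy and ActiveDirectory modules (GPMC on a 2008 R2 box or RSAT, managing the 2003 domain), that an OU named RemoteLaptops already exists at the domain root, and a GPO name chosen for this example. The caveat it handles is the one that bites with a computer-only OU: user settings in a GPO linked there are ignored unless loopback processing is turned on.

```powershell
# Added example (not from the answers above): a baseline GPO for the RemoteLaptops
# OU with the two controls the accepted solution names, firewall on and a
# password-protected screen saver. Assumes the GroupPolicy and ActiveDirectory
# modules (GPMC on a 2008 R2 box or RSAT) and that OU=RemoteLaptops already exists.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$laptopOU = "OU=RemoteLaptops,$domainDN"
$gpoName  = 'Roaming Laptop Baseline'                 # name chosen for this example

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Controls for laptops that roam between sites' | Out-Null
}

# Computer settings: Windows Firewall on for both the domain and the standard
# profile, so the laptop stays protected on DSL links and off-domain networks alike.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    Set-GPRegistryValue -Name $gpoName `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" `
        -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null
}

# The OU holds computer objects, so user settings in this GPO would otherwise be
# ignored. Loopback merge mode (UserPolicyMode = 1) makes them apply to whoever
# logs on to a laptop in the OU, on top of the user's own policies.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User settings: screen saver on, password required, 10 minutes (600 s) idle.
$desktopKey  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$screenSaver = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '600' }
foreach ($entry in $screenSaver.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpoName -Key $desktopKey `
        -ValueName $entry.Key -Type String -Value $entry.Value | Out-Null
}

# Link once, enforced, so a child OU or blocked inheritance cannot drop it.
$links = (Get-GPInheritance -Target $laptopOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $laptopOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Verify the link; on a laptop, "gpresult /scope computer /v" shows the applied values.
(Get-GPInheritance -Target $laptopOU).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order
```

Merge mode (value 1) keeps the user's own site or department policies and layers the laptop settings on top; replace mode (value 2) would discard them entirely, which is usually more than a roaming-laptop baseline needs.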
