Active Directory Desgin Question 2

[jrpayne]

I was wondering if someone might be able to give a suggestion about AD design. I work for a county government and this particular counties leaders for a long time have not given technology a really fair shake. Therefore, we find ourselves finally about to move to a Server 2003 Active Directory design. My question is this: as you know we have many different depts and some of those depts have divisions in seperate physical locations. I would like to know from someone who may have done this before how is the best way to desing the ad? Putting depts in OUs and then if there is a seperate location have that in a group in the main ou? I am just not sure of the best way.

Thanks,

Jimmy Payne

 

[PU36]

There is a couple of things that you should consider.

1. How are the sites connected if at all?
2. Creating Separate domains or subdomains for each location requires an admin for each site. (Note: Domains are a security boundary and a replication boundary)
3. How many users are in each site? How many users total?
4. Is there internal email? File Storage on each server?
5. How are backups handled?
6. Anything that had to deal with replication traffic can also hinder/help your design.

Where I work we currently have a central location and 5 different sites. We have a single domain and each location has a local DC and File Server. We have devided the locations into sites and allow replication to occur every three hours. We have between 10 and 30 users in each site, each using Outlook connecting to the central Email server.

However, that is our situation. Each situation is different and just sayind how to do things in "General" is too general. There are too many factors to consider.

 

[pagy]

Rememeber that typically an AD design is based on your administrative requirements.
So say you have an OU for the Accounts department and physically the accounts department is spread over multiple locations, you would still have all Account users under the Accounts OU.
This way you can administrate based on department, this goes for things like Group policy settings, software for certain departments, these can all be applied to the OU.

The above is assuming that you will be administrating from a central location.

Check out these links;

http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

http://www.ciac.org/ciac/documents/MS_Active_Directory_Design_Guide.pdf

I would recommend getting yourself a book on AD design as well, there are several available.

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain

 

[jrpayne]

Magnum,

Like I said, we are a county government. We have about 30 sites total most of them either connected by fiber or a link called Metro E provided by our bell company here. Metro E is a 10Mb burstable to 100Mb connection. Each of these sites may have more than department located there. We have approximatley 1100 users and the number of users at each site varies. We do have internal email on Exchange 5.5 which we plan to migrate to 2003 as well. Our backups now are incremental M-Thur with a full on Friday. I guess I am just looking for the best place to start my design as far as OU's and groups are concerned. I would like to be able to drop a user in a container and from that process alone have their applications, printers, permissions etc assigned to them. Maybe I am dreaming a little large LOL.

 

[jrpayne]

Pagy,

Yes I have a couple of books that I am reading through. I have visited both the links that you included. I was hoping that maybe someone had dealt with a structure like mine before and would have an idea of the best way to start. Thanks very much for your post.

 

[monsterjta]

jrpayne, you're not necessarily "dreaming a little". This could happen.

As for as AD sceme goes, you have a couple of basic choices. You can go with a geographical or a departmental structure. Considering the number of sites you have, it MAY be best to go with a geographical type structure. Then, create you security groups to match either departments or applications. This is how you might distribute your applications...by the user's role.

I would suggest defining each site with it's own network, and place a DC at every site that either has more than just a few people or has a slow connection. These sites will be organized in AD Sites and Services by each network, so that users will authenticate to their local DC and not over the wire somewhere.

Anyway, that just a start... You'll need to pick up a book or two and start really familiarizing yourself with all the concepts. There is no clean-cut way of going about it. There could be ten good solutions.

Hope This Helps,

Good Luck!

 

[NickFerrar]

This mostly comes down to a mix of at what levels do you want to apply group policies, delegation and also personal preference.

There is no 'best practice' answer on whether to design OUs by location/team or team/location.

My own design for my company AD was location OUs, they are then sub-divided as group policy requires. We have no need to sub-divide by teams so we don't. We apply some group policies based on office location (but at an OU level rather than at a site level) and we also delegate security for certain location OUs.

If you need to delegate or apply policy based on teams then you should use teams in your AD OU design, if you also want to delegate or apply policy by location you need to include locations in your AD OU design. Whether to first divide by location and then divide by team or first divide by team then by lcoation depends on what and how much you're delegating/applying policy to.

As for one reply saying domains are security boundaries - they are not, forests are the security boundaries within AD.

 

[jrpayne]

Well thank you all for your advice. I am going to get busy with a design.