AD Design Help..needed..

Darren D

My company has recently embarked on a new challenge; as we all know, planning
is key in creating a solid AD foundation. After extensive review of our
enterprise network that consists of over 300 NT4.0 domains, a decision was
made to move to Win2003 AD, with the key items in focus which Win2003 AD
seems to offer: domain consolidation, manageability and scalability. As a
result we are considering a simple design approach.

Our forest design would consist of (2) domains. The root will contain the
schema, GC, DCs etc.; no accounts would be created in this root/domain.
However, the child domain will consist of GC, FSMOs and DCs, geographically
dispersed using sites.
My question is: we are considering using OUs within the child domain that
will encompass all resources (computer accounts, user accounts, printers,
etc.).
Are there any limits on how many resources an OU can hold? In addition, we
would like to use GPOs to delegate rights to a central help desk and local
admin resources.
The following GPOs will be created. Is there any documentation
that I can reference that would allow me to create these GPOs, granted that
we are going to use delegation to allow rights?
Group Creation
User/group Rights Admin
Password Reset
User Creation
Computer Adds
GPO Modification
OU MAC
Printer MAC
Naming Standard Updates
AD Structure MAC
Schema Mgmt

Thanks

-Darren
 
Mark Renoden [MSFT]

Hi Darren

I'm not sure this is a question easily answered in a newsgroup :) The
following URL is the hub of all things Windows Server 2003 Active Directory:

http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

I'd recommend looking at the following from a security standpoint:

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Delegating Control is covered in:

http://www.microsoft.com/technet/security/guidance/secmod130.mspx

User and Location Management Architecture Guide:

http://www.microsoft.com/technet/itsolutions/techguide/msm/acctmgmt/acmarch/acmarch2.mspx

As far as I know, there's no limit to the number of objects you can have in
an OU. I think you'd reach the limit of manageability before anything else.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Darren D

Thanks Mark.. I guess I've some light reading to catch up on..:)
Thanks again for the reference articles...
-Darren
 
Jeremy@gilbarco

There are a few good non-MS resources as well.

Here is a site to get pre-made policies:
http://www.tburke.net/info/regentry/topics/GPRef.htm

Also, remember to organize OUs by administrative tasks.
They are not seen by anyone but the admins, so use them!
 
