Active Directory structure - OU's

Guest

Currently we have an OU structure which only displays Computer and User
accounts for each of two sides of the company. It would be much easier to
deploy software and administer the environment if we could change our
structure to display specific departments and organize our comp. & user
accounts accordingly. However, it was discussed within our team that creating
additional OU's would affect Active Directory performance. I guess in the
structure we are looking at creating two more levels of OU's. At what point
does adding OU's to the structure affect performance? How can we measure? Any
suggestions or information which gets us in the right direction would be
greatly appreciated.
Thank you
 
Herb Martin

Mark Clark said:
Currently we have an OU structure which only displays Computer and User
accounts for each of two sides of the company. It would be much easier to
deploy software and administer the environment if we could change our
structure to display specific departments and organize our comp. & user
accounts accordingly.
However, it was discussed within our team that creating
additional OU's would affect Active Directory performance.

Not enough to matter unless you go crazy with thousands or
stack them 12+ deep or some other pathological case.

Active Directory was DESIGNED to do precisely what you
propose.

I guess in the
structure we are looking at creating two more levels of OU's.

You will likely see NO PROBLEMS.

Structures of 3-5 deep are common and matter little. It is really
the APPLICATION of GPOs that may (in more extreme cases)
cause the slow downs someone has incorrectly scared you with.

At what point
does adding OU's to the structure affect performance? How can we measure?
Any

General GUIDELINE (not a rule): If you are stacking more
than 10 GPOs (not necessarily OUs) on a single user or machine
you might be especially careful to measure the performance.

This doesn't mean that 11 is terrible, or that 9 will always meet
your needs.

You could (theoretically) stack 12 GPOs by putting 3 on the
Site, 3 on the Domain, 3 on each of a Parent and Child OU,
but while 3 OUs on a container is not unusual, it would be
rare to see three on EACH container.

Notice this example would only be 2 deep and might be worse
than a structure 5 deep with one per OU.

suggestions or information which gets us in the right direction would be
greatly appreciated.

Try it -- if you are dealing with a large domain or extreme
WAN issues then be very sure to try it in a lab or over a
non-critical time period.

Also make sure that your replication is pristine before doing
such things because then if you don't like it, you just disable
or remove the offending GPOs.

Example of how to create a problem (in a big domain/WAN):

Replication to South American sites is ONCE per day (and
doesn't always work) -- you do something silly, e.g., 20 GPOs
assigned to the domain, it replicates tonight.

Tomorrow, SA calls, they're angry about performance, and you
fix it -- but it doesn't replicate until tomorrow, or maybe
another day or two....
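
Added example (not part of any poster's message): one way to check the "more than 10 GPOs" guideline above before and after restructuring, by listing how many domain- and OU-linked GPOs take effect on each OU. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed; the threshold variable and the report column names are illustrative.

```powershell
# Added example: report effective GPO count and nesting depth per OU.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

$Threshold = 10   # guideline figure from the thread, not a hard limit

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $dn  = $ou.DistinguishedName
    $inh = Get-GPInheritance -Target $dn

    # InheritedGpoLinks holds the links that apply to this OU once
    # inheritance from the domain and parent OUs, Block Inheritance and
    # Enforced have been taken into account. Skip disabled links.
    $effective = @($inh.InheritedGpoLinks | Where-Object { $_.Enabled })

    # Depth = number of OU= components in the DN (split on unescaped commas).
    $depth = @(($dn -split '(?<!\\),') | Where-Object { $_ -like 'OU=*' }).Count

    [pscustomobject]@{
        OU                = $dn
        Depth             = $depth
        DirectLinks       = @($inh.GpoLinks).Count
        EffectiveGPOs     = $effective.Count
        BlocksInheritance = $inh.GpoInheritanceBlocked
        OverGuideline     = $effective.Count -gt $Threshold
    }
}

# Worst cases first; a shallow OU can rank above a deep one.
$report |
    Sort-Object EffectiveGPOs -Descending |
    Format-Table OU, Depth, DirectLinks, EffectiveGPOs, BlocksInheritance, OverGuideline -AutoSize
```

Site-linked GPOs, security filtering and WMI filters are not reflected in this count, so `gpresult /r` on a representative client remains the check for what actually applied to a given user or machine.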
 
Joe Richards [MVP]

I would agree, it is the nesting of GPOs that really bites you when having a deep
OU structure. Otherwise Windows really doesn't care. The database is flat, not
hierarchical, it is just presented hierarchically (sp?).

joe
 
