AD design question. 2 Domains vs. 2 OUs




I need to set up a forest with two separate areas, one for East
coast corporate and one for West coast corporate, each with their own
IT staff.

Due to geography, the admins we have, etc., I want each IT staff to be
able to manage their own environment, including adding users,
machines, printers etc., without being able to modify the other
environment. Also, there will be a few shared resources between the
two offices.

My question is this: I would rather not set up two domains, since I
understand that I would then need one server plus a "backup" domain
controller at each site, making it 4.

Can I segment the organization by OUs, and create admins that apply
only to one OU which have the ability to add/remove machines and do
everything else an admin would?

Thank you,





Hi there,

Usually you are better off going with OUs and delegations to do what you are
looking for. You want to avoid the administrative burden of the multiple
domains if you can to streamline your operations.

The guideline for creating new domains is:
1. Administrative or regulatory fiat
2. Geopolitical boundaries (Putting a DC in China where their laws might
force you into certain configurations)
3. Requirement for different security policies (different password or
communication security rules)

Hope this helps!



Brian Desmond [MVP]

You can delegate these rights over OU trees. Your admins at these sites will
not be domain admins, just members of groups which you delegate the
appropriate rights over a tree to.

Brian Desmond
Windows Server MVP - Directory Services
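Added example, not code from either reply above: the OU-plus-delegation design that both
replies describe (one OU tree per coast, one group per tree, rights delegated onto the tree
instead of Domain Admins membership), written as a PowerShell script for the RSAT
ActiveDirectory module. The OU names East, West and Delegation, the group names and the set
of rights granted are illustrative assumptions; nothing in the thread specifies them. The
script looks the object-class and attribute GUIDs up from the forest schema instead of
hardcoding them, applies the ACEs through the AD: drive, and ends with a check that
East-OU-Admins holds ACEs on OU=East and none on OU=West.

```powershell
# Added example for this thread, not code from either reply.
# Assumes: RSAT ActiveDirectory module, a Domain Admin session, a lab domain.
# OU names, group names and the rights granted are illustrative assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootDse  = Get-ADRootDSE

# Resolve schemaIDGUIDs from this forest's schema rather than hardcoding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}

# Grant one group the rights a site admin needs over one OU tree, and nothing outside it.
function Grant-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDN,
          [Parameter(Mandatory)][string]$GroupName)

    $sid     = (Get-ADGroup -Identity $GroupName).SID
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $create  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $full    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $writeP  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path "AD:\$OuDN"

    # Object classes the site staff may create, delete and fully manage under their OU.
    foreach ($class in 'user', 'group', 'computer', 'printQueue', 'organizationalUnit') {
        $classGuid = Get-SchemaGuid $class
        # Create/delete child objects of this class on the OU and every sub-OU.
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $create, $allow, $classGuid, $inhAll))
        # Full control over existing objects of this class beneath the OU
        # (inherited-object-type ACE: applies only to descendants of that class).
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $full, $allow, $inhDesc, $classGuid))
    }

    # Let them link GPOs to their own OUs: write gPLink and gPOptions across the tree.
    foreach ($attr in 'gPLink', 'gPOptions') {
        $attrGuid = Get-SchemaGuid $attr
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $writeP, $allow, $attrGuid, $inhAll))
    }

    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Return the ACEs a group holds on an OU, so the delegation can be audited.
function Get-DelegatedAces {
    param([Parameter(Mandatory)][string]$OuDN,
          [Parameter(Mandatory)][string]$GroupName)
    $ntAccount = "$((Get-ADDomain).NetBIOSName)\$GroupName"
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $ntAccount }
}

# --- build the structure ---------------------------------------------------
# The admin groups live in an OU that only Domain Admins control, so East staff
# cannot edit the membership of West-OU-Admins (or of their own group).
New-ADOrganizationalUnit -Name 'Delegation' -Path $domainDN
$delegationOU = "OU=Delegation,$domainDN"

foreach ($site in 'East', 'West') {
    $ouDN = "OU=$site,$domainDN"
    New-ADOrganizationalUnit -Name $site -Path $domainDN -ProtectedFromAccidentalDeletion $true
    New-ADGroup -Name "$site-OU-Admins" -GroupScope Global -GroupCategory Security `
        -Path $delegationOU -Description "Delegated admins for $ouDN"
    Grant-OuDelegation -OuDN $ouDN -GroupName "$site-OU-Admins"
}

# --- check -----------------------------------------------------------------
# East-OU-Admins should hold ACEs on OU=East and none at all on OU=West.
$onEast = @(Get-DelegatedAces -OuDN "OU=East,$domainDN" -GroupName 'East-OU-Admins')
$onWest = @(Get-DelegatedAces -OuDN "OU=West,$domainDN" -GroupName 'East-OU-Admins')
"East-OU-Admins: $($onEast.Count) ACEs on OU=East, $($onWest.Count) on OU=West"
if ($onWest.Count -ne 0) { throw 'delegation leaked across OU trees' }
```

Two caveats worth keeping in mind with this design. The delegated group gets full control
of every object under its tree, computer objects included, so it can join, reset and for
practical purposes administer those machines; that is the "everything else an admin would"
the question asks for, and it makes an OU an administrative boundary, not a security
boundary (the domain, and strictly the forest, is). Keep privileged accounts and tier-0
systems out of the delegated trees, and keep the admin groups in an OU the coast staff
cannot write to, as the script does, so neither side can add members to the other side's
group. Separately, accounts in protected groups carry adminCount=1 and have their ACL
rewritten from AdminSDHolder, so inherited OU delegation never reaches them even if one is
moved under OU=East. The four-DC arithmetic in the question is really a site-topology
matter: a single domain still benefits from a DC at each office for local logon and
replication, but that is a placement decision, not a reason to split the domain.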

