AD Design

  • Thread starter Mark Darbyshire

Mark Darbyshire

All - does this sound good to you?

A rather large company (tens of thousands of users) has decided to rename
the "Users" OU to "Standard Users" and then plonk all of the users for an
entire Active Directory into it - no OU structure at all..... Not only this,
but 12 DCs to support the lot over 250+ sites, and they think this will work
ok??? To add to this, the fact that they are implementing group policies
based on group membership and not on OU membership - it all seems very wrong
to me.

So, best practice - is this a good idea, I ask?

I think this is probably not the right thing to do and it should be a
structure based on OUs, adding the group policies to each of the OUs;
otherwise we'll have a lot of admin on our hands removing people from groups
and adding them to new ones if they move site, for instance. I think also
that if we slot the DCs into the correct places of the OU structure then we
can cut down replication?? Besides - with a flat structure such as this you
can't delegate administration, can you? As a last thing then - no Exchange
but likely within 12 months - how will this affect this daft idea?

Anybody have any pointers for me please? They would be greatly appreciated
for when I go bash somebody over the head!!

Many thanks,

Mark.

Tomasz Onyszko

Mark said:
> All - does this sound good to you?
>
> A rather large company (tens of thousands of users) has decided to rename
> the "Users" OU to "Standard Users" and then plonk all of the users for an
> entire Active Directory into it - no OU structure at all..... Not only this,
> but 12 DCs to support the lot over 250+ sites, and they think this will work
> ok??? To add to this, the fact that they are implementing group policies
> based on group membership and not on OU membership - it all seems very wrong
> to me.

For me also :)

I have "under my hands", in one of the projects, a similar network but
slightly better in design I think (but not perfect). In my network there
are 11k+ users and about 5k+ computers, and there are 300+ sites. We also
have a flat domain structure, but users and computers are separated between
OUs in a geographic structure. Our servers are also separated into different
OUs based on their roles in the network. This is not a perfect way, but it
allows us to develop a flexible GPO configuration for users and computers.

> So, best practice - is this a good idea, I ask?

I think that this network is not a good example of AD design:

1st - I don't know everything about this network, but 12 DCs are not
enough to provide users with a failure-aware environment in 250+ sites (I
assume that these sites are spread geographically)

2nd - management of GPOs based totally on group permissions is really
crazy with that number of users. It can be used to exclude some users
from the range of a GPO, but not as a primary management tool

3rd - I don't know how replication in your network works right now;
with such a number of objects, replication can generate a significant
traffic volume. Replicating data in a standard KCC-generated topology may
not be a very good idea.

> I think this is probably not the right thing to do and it should be a
> structure based on OUs, adding the group policies to each of the OUs;
> otherwise we'll have a lot of admin on our hands removing people from groups

The number of GPOs and the places where they are bound to the directory are
based on your business and management needs - OU design should also be
based on your organization's needs and structure, to easily identify and
manage users and computers with similar configuration / properties.

> and adding them to new ones if they move site, for instance. I think also
> that if we slot the DCs into the correct places of the OU structure then we
> can cut down replication?? Besides - with a flat structure such as this you
> can't delegate administration, can you? As a last thing then - no Exchange

Forget about effective delegation in this network.

> but likely within 12 months - how will this affect this daft idea?

Once again, I don't know much about the network, but - AD design is not a
primary concern with your Exchange deployment - Exchange will utilize AD
in the way it is deployed, but what you have to care about is
availability of the Exchange service for your users. Once again I use the
example of my network - there is one central location, and several (less
than 20) main locations, to which the branch offices are connected. We
have deployed an Exchange server in each main location, which send
e-mail through Exchange servers placed in the central location. So main
offices are working as hubs for branch offices, and the central location
is the hub for these main locations.

> Anybody have any pointers for me please? They would be greatly appreciated
> for when I go bash somebody over the head!!

I think you should read this document:
http://www.microsoft.com/downloads/...C3-185E-4644-9E98-4876B2A477E7&displaylang=en

So IMO this network you are talking about is:
- not easy to maintain and manage
- not good in terms of protecting the users' environment and protecting
the network from failures
- produces a lot of administrative overhead for managing it

I hope my English is good enough to explain what I was thinking about :)

Eric Chamberlain, CISSP

Your design would depend on how unique your users are. We have 40,000 users
in a single OU, because they are all treated the same, shared by
departments, and centrally managed. OU Admins then manage computers and
non-shared users.

The immediate problem I see with your design, without more information about
the organizational structure, is that the Users container is not an OU, and
therefore can't have GPOs applied to it.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu

Mark Renoden [MSFT]

Hi Mark

I think the best answer here is to refer to the numerous guides published on
the Microsoft web site and consider how the advice in these applies to your
environment. An example of one such guide is:

http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp

An excellent source of Windows Server 2003 material is:

http://www.microsoft.com/technet/pr...logies/directory/activedirectory/default.mspx

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Laura A. Robinson [MVP]

circa Mon, 7 Jun 2004 22:27:28 +0100, in
microsoft.public.win2000.active_directory, Mark Darbyshire
([email protected]) said,
> All - does this sound good to you?
>
> A rather large company (tens of thousands of users) has decided to rename
> the "Users" OU to "Standard Users" and then plonk all of the users for an
> entire Active Directory into it - no OU structure at all..... Not only this,
> but 12 DCs to support the lot over 250+ sites, and they think this will work
> ok??? To add to this, the fact that they are implementing group policies
> based on group membership and not on OU membership - it all seems very wrong
> to me.
>
> So, best practice - is this a good idea, I ask?

This is a disaster. Whoever came up with this needs a LOT of
education about AD. You can tell 'em I said that. ;-)

Laura

Enkidu

> Your design would depend on how unique your users are. We have 40,000 users
> in a single OU, because they are all treated the same, shared by
> departments, and centrally managed. OU Admins then manage computers and
> non-shared users.

Hi Eric, with all users in one OU how do you ever search for them?
Surely every single AD search will result in the message "Too many
objects. Only x thousand will be shown"?

This is not *my* network, but is one that I know of. Admittedly I have
far fewer users <grin>, but I still can't imagine searching the
*whole* or a major part of the directory without utilising the OU
structure.

Cheers,

Cliff

Darbs...

Laura - exactly my thoughts - and I have already made this comment, which fell
on deaf ears.

Enkidu - you've also hit the spot - currently very few users in comparison
to how this will be in a few years and we already get this - te he......

Everyone else - thanks for the comments - I'll do some more reading up
now!!!

So for my next question, which is really the reason for the post -
anybody ever been in this situation and had to convince others that this is
probably not a good situation? I think I've a battle to fight that needs to
be done convincingly from the start, but I don't know where to start with
writing such a beast.......

Thanks,

Darbs....

Sean Siler

Eric -

In 2003, you can convert the users container to an OU so you can apply GP to
it.

He didn't specify if this was 2K or 2K3, but at least that is possible.

BTW, what a mess. They need help quickly.

-Sean Siler
MCSE, MCT

Sean Siler

Enkidu,

This, too, is an option in the MMC. You can change it to a larger number if
you have a large number of objects in your OU.

:)

Sean Siler
MCSE, MCT

Jimmy Andersson [MVP]

I agree with Laura, this is an administrative disaster.
You should ask the designer if he/she would like to administrate this, I
sure wouldn't....

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Jimmy Andersson [MVP]

See this URL for more info on design:
http://www.microsoft.com/resources/...003/all/deployguide/en-us/dpgDSS_overview.asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


Jimmy Andersson said:
> I agree with Laura, this is an administrative disaster.
> You should ask the designer if he/she would like to administrate this, I
> sure wouldn't....
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
> Laura A. Robinson said:
> > circa Mon, 7 Jun 2004 22:27:28 +0100, in
> > microsoft.public.win2000.active_directory, Mark Darbyshire
> > ([email protected]) said,

Eric Chamberlain, CISSP

Enkidu said:
> Hi Eric, with all users in one OU how do you ever search for them?
> Surely every single AD search will result in the message "Too many
> objects. Only x thousand will be shown"?

We use the MMC search features and search for a user based on UPN; drilling
down through the OU structure takes too long and results in too many
objects.


--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu

Enkidu

Ah, OK Thanks.

Cheers,

Cliff

> Enkidu,
>
> This, too, is an option in the MMC. You can change it to a larger number if
> you have a large number of objects in your OU.
>
> :)
>
> Sean Siler
> MCSE, MCT

Mark Darbyshire

Laura (and others) - you're all stars.

I passed on your comments and mine - now I'm being taken seriously - MS
consultants have been commissioned to do an internal report for this
customer by July 5th, and hopefully they will assist in my cause to get this
bag of nails sorted out......

A big thanks to you guys for your input here........

Darbs.....