Site OU's and DC's

Guest

Morning all,

I had a rather odd problem yesterday after rejigging my AD. We have three
sites connected by high speed (well moderate) VPN's. Site A has a 2MB SDSL,
Site B has a 2MB DSL and Site C has a 2MB Leased Line. Site A is the head
office and has 2xDC's, 2xMember, 1xExch2K. I have created a site for each site
and subnets etc. The 2 Site A DC's are in the Domain Controllers OU, the
rest of the PC's and servers in the organisation are in their specific site
OU's. Yesterday I moved the two DC's in to their site OU and everything
stopped working. When I moved them back everything worked again.

Two questions really. Should DC's at the two sites be in the DC OU or is
there a problem with my AD as I was under the impression I could move these
DC's to the Site OU without a problem.

Thanks in advance.
Mike
 
Jorge de Almeida Pinto

Simple answer: Do NOT move the domain controllers out of the scope of the
domain controllers OU! It is expected to have the DCs in that location! A
sub OU of the domain controllers OU is the maximum you can do. On the
domain controllers OU a GPO is linked called default domain controllers GPO
and that must apply to the DCs.

E.g. DCDIAG expects to see the computer accounts of the DCs in the domain
controllers OU.
 
Herb Martin

Mike K said:
Morning all,

I had a rather odd problem yesterday after rejigging my AD. We have three
sites connected by high speed (well moderate) VPN's. Site A has a 2MB SDSL,
Site B has a 2MB DSL and Site C has a 2MB Leased Line. Site A is the head
office and has 2xDC's, 2xMember, 1xExch2K. I have created a site for each site
and subnets etc. The 2 Site A DC's are in the Domain Controllers OU, the
rest of the PC's and servers in the organisation are in their specific site
OU's. Yesterday I moved the two DC's in to their site OU and everything
stopped working. When I moved them back everything worked again.

Two questions really. Should DC's at the two sites be in the DC OU or is
there a problem with my AD as I was under the impression I could move these
DC's to the Site OU without a problem.

Do NOT move the DCs out of the DC OU -- last time
I tried this even by moving it to a CHILD of the DC OU
(like DC_OU-->Location) it gave terrible results.

One also wonders why you have "Site OUs"? Although
this is sometimes correct it may also indicate a mis-design.
 
Jorge de Almeida Pinto

The only thing I have seen until now by moving DCs to a lower level OU
(DCs_OU -> location) is DCDIAG saying that the computer accounts are not in
the DC OU.

What are your experiences Herb? What errors? What went wrong? Can you
elaborate on that?

Although other methods exist (like using group filtering) I don't believe it
is mis-design, as there may be a need to have different GPO setting for DCs
at different location (e.g. not registering domain wide DC locator records)

--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


 
Guest

OU's are used to control differing login scripts for each site basically.

So, are you saying that ALL DC's should reside in the DC OU?

Thanks,
Mike

 
Herb Martin

Jorge de Almeida Pinto said:
The only thing I have seen until now by moving DCs to a lower level OU
(DCs_OU -> location) is DCDIAG saying that the computer accounts are not
in the DC OU.

What are your experiences Herb? What errors? What went wrong? Can you
elaborate on that?

I am sorry that I cannot remember the full details.

It was however ugly, but not immediately catastrophic;
I left it that way for some weeks before deciding it was
a pretty bad idea.

This was under Win2000, some unknown service pack,
and I have no idea if the issues still persist.

Jorge de Almeida Pinto said:
Although other methods exist (like using group filtering) I don't believe
it is mis-design, as there may be a need to have different GPO setting for
DCs at different location (e.g. not registering domain wide DC locator
records)

That was my thinking. I can easily understand a need for
having the DCs in the DC OU, although even that should
be strictly due to the Default Domain Controller policy
being linked there -- really that should be linkable to a
new, or additional, "DC OU".

It seems that it should be totally acceptable to put DCs in
child OUs of the DC OU though in any case.

That is just not what I found but unfortunately cannot remember
exactly what happened. It was bad enough though that I
mentally filed it under "Don't do that again." <grin>



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Herb Martin

Mike K said:
OU's are used to control differing login scripts for each site basically.

OUs are more general than this.

OUs are used primarily for two major purposes:

1) Delegate Authority

2) Link Group Policy (which includes scripts)

Mike K said:
So, are you saying that ALL DC's should reside in the DC OU?

Yes. He is saying within the DC OU hierarchy and
I am suggesting it is better to keep it literally in the
(top level) DC OU.
 
Ace Fekay [MVP]

Mike K said:
OU's are used to control differing login scripts for each site
basically.

So, are you saying that ALL DC's should reside in the DC OU?

Thanks,
Mike


The Default Domain Controller Policy is linked to this OU and has all those
settings that Herb and Jorge mentioned. The DCs require this.

Any specific reason you want to move the DCs out of the DCs OU?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, I would suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx , you can easily find your post and watch &
track threads, sort by date, poster's name, watched threads or subject.

Not sure how? It's easy and you'll enjoy it
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================
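
An added example, not part of any post in this thread: a PowerShell check that classifies each DC computer account as sitting directly in the Domain Controllers OU, in a child OU of it, or outside it, which are the three cases the replies above distinguish. The function names and the example.com DNs are hypothetical and constructed for illustration; the live query assumes the ActiveDirectory RSAT module, which is newer than the Windows 2000 environment discussed in the thread.

```powershell
# Added example. Get-DcPlacement and Get-LiveDcPlacement are hypothetical helper
# names; every DN in the sample list is constructed.

function Get-DcPlacement {
    param(
        [Parameter(Mandatory)] [string] $ComputerDN,
        [Parameter(Mandatory)] [string] $DomainControllersOU
    )
    # Parent container = the DN minus its first RDN. Split on the first comma
    # that is not backslash-escaped, so an escaped comma inside a name is safe.
    $parent = ($ComputerDN -split '(?<!\\),', 2)[1]
    if (-not $parent) { return 'InvalidDN' }

    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    if ($parent.Equals($DomainControllersOU, $cmp))       { return 'InDomainControllersOU' }
    if ($parent.EndsWith(",$DomainControllersOU", $cmp))  { return 'InChildOU' }
    return 'OutsideDomainControllersOU'
}

# Live variant: reads the real container and DC list from the current domain.
# Defined here but not called, so the script still runs without a domain.
function Get-LiveDcPlacement {
    $ou = (Get-ADDomain).DomainControllersContainer
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Site = $_.Site
            Placement = Get-DcPlacement $_.ComputerObjectDN $ou }
    }
}

# Constructed sample data covering the three placements.
$dcOU = 'OU=Domain Controllers,DC=example,DC=com'
$sampleDCs = @(
    'CN=DC01,OU=Domain Controllers,DC=example,DC=com',            # default location
    'CN=DC02,OU=SiteB,OU=Domain Controllers,DC=example,DC=com',   # child OU
    'CN=DC03,OU=SiteC,DC=example,DC=com'                          # moved to a site OU
)

foreach ($dn in $sampleDCs) {
    [pscustomobject]@{
        ComputerDN = $dn
        Placement  = Get-DcPlacement -ComputerDN $dn -DomainControllersOU $dcOU
    }
}
```

Any account reported as OutsideDomainControllersOU no longer receives the GPO linked on the Domain Controllers OU through OU inheritance, which is the condition the replies warn against.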
 
