A Plumber's Confessions

Designing your Active Directory deployment in under a minute

Dana Epp came down from the Great White North to attend the Microsoft Security Summit in Seattle. He seems to have enjoyed himself. I'm glad.

In the afternoon sessions Dana saw a presentation by Steve Riley. Steve is a very dynamic speaker and, if you have the chance, you should go hear him.

I didn't see Steve's presentation, and Active Directory design doesn't seem to be on the slides, but apparently Steve showed you how to reach a design in 30 seconds. Here's how Dana wrote it up:

“I have been wrestling with Active Directory stuff as of late, and I enjoyed Steve's 30-second AD structure. Some organizations take weeks, months, even years as they try to organize an Active Directory structure that fits in with the politics of the organization. Steve gives us a quick way to deal with it:

  • Forests and Domains = Physical geography
  • Organizational Units = Administrative Model
  • Security and Distribution = Organizational Chart”

In general, I think that's good advice. I'd only like to add a few more seconds onto your planning process and ask you to consider a couple other items...

More companies will now choose multi-forest deployments because of a better understanding of the security issues. Importantly, features like cross-forest trusts and tools like the Identity Integration Feature Pack make managing multi-forest deployments much easier.

(Multiple domains may still be useful if you have severely restricted connectivity to some of your sites. AD replication is pretty efficient, though, and bandwidth is always getting cheaper, so this is less of a concern every day.)

Using OUs for the role-based application of policy is a pretty good practice. You'll need to balance this with your use of OUs to delegate administration. You may naturally discover that your computers fall into one OU design useful for security group policy and your users fall into a different OU design useful for delegated administration.

There you go. Everything you need to know to design your Active Directory deployment -- if not in 30 seconds, then for sure in less than a minute! (Of course, if all else fails, you could always engage me to help.)

  • I saw Steve here, in Singapore, while he gave his presentation at the Microsoft Secure to Survive Summit, and I must say that “should go hear him” is something worth doing indeed.