Optimal Active Directory Structure
I present to your attention the optimal structure of Active Directory, which is used by many large companies. Sometimes the number of employees around the world in such companies reaches 10,000 people. Naturally, such large companies use a domain tree divided into countries or continents.
For example:
- Root domain - heyvaldemar.net
- Child domain - canada.heyvaldemar.net and ireland.heyvaldemar.net
Moreover, the structure of each domain in the tree is the same.
The domain structure is divided into cities:
- Toronto - City of Toronto
Cities are divided into organizational units by objects:
- Groups - groups
- Servers - servers
- Service - accounts to run services
- Users - user accounts
- Workstations - workstations
Groups are divided into organizational units according to the scope of the groups:
- Local - local groups in the domain
- Global - global groups
- Universal - universal groups
- Distribution - distribution groups
Servers are divided into organizational units by service:
- Disabled - disabled and decommissioned servers
- Exchange - servers on which Exchange Server is deployed
- File - servers with shared and confidential network resources
- Normal - member servers that do not require separation by services
- Print - servers with shared printers
And so on, depending on the need to separate the servers by services.
Service accounts are divided into organizational units by role:
- Disabled - disabled service accounts
- Normal - ordinary service accounts
Users are divided into organizational units by role:
- Admins - accounts with extended rights
- Disabled - disabled user accounts
- External - accounts for contractors and other freelancers
- Normal - ordinary users who do not require separation by roles
And so on, depending on the need to divide users by roles.
Workstations are divided into organizational units based on user roles:
- Admins - workstations that use accounts with extended rights
- Disabled - disabled and decommissioned workstations
- Normal - ordinary workstations that do not require separation by user roles
