Growing a Domain

Planning for domain growth should focus primarily on the way in which new organizational units (OUs) are added to the domain, as well as on which objects reside in which OUs. A mismatch between the way in which the real organization functions and the way in which Active Directory OUs are configured can result not only in poor performance for users, applications, and active network components that use the directory, but it might also result in the directory not being able to function.

Planning the correct configuration for domains and OUs is critical to the successful deployment of any Active Directory plan. Tree structure needs should not only take into account the existing requirements of the organization but must also anticipate and account for possible changes and growth in the future.

There are two basic approaches to segmenting OUs within a domain. OUs can either be segmented by business function, or by geography. Both of these segmentations, however, are influenced significantly by the way in which the organization plans to administer Active Directory and the degree to which administration of OUs will be delegated and decentralized.

Segmentation by Business Function

Many organizations segment IT infrastructure and administration by business function. For example, every sales unit in every geography is part of a unified sales group that has a single set of access rights for network resources, a unified naming structure for file shares, and centralized, or distributed but unified, administration of the IT environment.

An OU structure designed to map to this segmentation model includes OUs that map to business units of the company. For example, in the case of Wadeware, the following organization issues affect OU configuration:

  • Manufacturing is broken into business line units.

  • The sales force is organized into a division that sells to large enterprises, a division that sells to small enterprises, and a division that sells specific widgets from each manufacturing line.

  • There is a significant focus on acquisitions as a method of expansion for the company. All the information in the acquisitions group must be kept confidential from the rest of the company.

The previously listed organizational issues result in a corporate organizational structure that includes three major divisions: manufacturing, sales, and acquisitions. The manufacturing division is divided into three groups: design and development, implementation, and distribution. The sales division is also divided into three groups: large enterprise sales, regional sales, and product sales. Acquisitions is a single division. In addition to these three large divisions, there is a fourth division comprising all the back office functions, such as finance, human resources, administration, facilities, and IT. The organizational structure for the organization is represented in Figure 11.1.

What does this type of corporate organizational structure mean as to how the OUs within Active Directory domains should be configured? If the OUs are segmented by business function, the tree structure mirrors the organizational structure of the business. However, it is important to bear in mind that when the OU structure is designed, the OU administration model follows the same design. For that reason, it might be necessary to modify the OU structure to incorporate administration needs, as well as organizational requirements.

Figure 11.1. The corporate organizational structure of Wadeware reflects the way the company does business: the sales force is unified in selling products to large enterprise and to regions.


The administrative model for an organization essentially defines who is responsible for managing resources across the organization. These resources can include users, printers, workstations, and servers. A complex OU structure that mirrors a complex organizational structure leads to a complicated administrative model. In addition, as the OU structure is scaled to meet the growing needs of the organization, the administration of the environment becomes more complicated if the OU structure has not been planned well from the beginning.

For example, in the case of Wadeware, the most obvious OU structure would be to have a three-tiered structure with several OUs. There would be a root OU, four OUs for the primary divisions, and multiple OUs for the divisional groups. If configured this way, the structure would appear as represented in Figure 11.2. This would lead to a complicated administration model as the company grows over time with new company acquisitions and new product development.

Instead of configuring a single OU for every divisional group, a more logical configuration that would result in a simpler administration model as the company grows would be to create a single root OU and four secondary OUs, one for each division (see Figure 11.3). This would provide a structure that would enable the application of group policies and the distribution of administration responsibilities by division, but would also be simple enough that future growth could be absorbed into the existing OUs. New OUs would not have to be created to accommodate company acquisitions or new product developments.

Figure 11.2. This is the OU structure, which would result if OUs were created for each division and each divisional group in Wadeware.


Figure 11.3. A logical OU structure that maps to the organization, and yet provides a simple, centralized administration model.


A simple OU structure, such as the previous one, is easy to plan, implement, configure, and administer. There are times, however, when simplicity is not possible. This might be because of security needs, organizational politics, or simple organizational intransigence. Whatever the reason, a more complicated OU structure can certainly be accommodated by Active Directory. However, the planning team should make sure that the project executive sponsor clearly understands that the more complicated the administration model, the more costly the administration is.

Segmentation by Geography

The second way to segment the OU structure is by geography. For organizations that have Microsoft Exchange or Microsoft Systems Management Server (SMS) installed, segmentation by geography might appear to be the most logical segmentation. This is because both Exchange and SMS use sites configured by geographic and network segmentation.

In the case of Wadeware, segmentation by geography might also make sense if the IT infrastructure is segmented by geography (see Figure 11.4). However, it is important to remember that segmenting a domain into multiple OUs does not help to minimize network traffic. All the Domain Controllers (DCs) in the domain have copies of the directory schema and participate in directory replication regardless of the OU structure. Only segmentation of the domain into multiple sites results in a reduction of network traffic or, more accurately, the capability to control network traffic.

Because the configuration of OUs does not directly affect network traffic, it is important to configure the organizational structure with business needs in mind and not with performance as the main goal.

Figure 11.4. This is a representation of the segmentation of OUs based on geography. This might not be the most efficient way to configure the OU tree.


Delegation of Administration

Delegation of administration should not be considered as a primary design goal when designing your OU and domain structure. An OU structure designed only to accommodate specific administration requirements might not scale if a legitimate business need prompts modification. The administrative model for Active Directory should always be secondary to business needs.

However, after business needs are satisfied in the directory design, delegation of administration should be the second requirement considered when designing the OU structure. Delegation might be required for several reasons:

  • Specific business units in the organization require control of their own user and resource administration. This might be for security reasons or other reasons.

  • Administration of the IT infrastructure has always been delegated and corporate culture dictates that it remains that way.

  • Move administration closer to the actual point at which the administrative task originates. This promotes both efficiency and accuracy. It is more efficient to have the team in the organization that manages the phone system actually enter the phone numbers.

  • Distribute administrative tasks to the least-cost resource in the organization. Rather than pay an IT architect or engineer to maintain and modify data in the directory, it is less expensive to have administrative staff migrating data. This can be accomplished by developing specialized administration tools that use Active Directory Service Interfaces (ADSI) to manipulate the directory.

  • Consolidation of administrative tasks. Administrative tasks can be consolidated and then delegated along organizational lines rather than segmented along task lines. For example, the organization might today have individuals who administer the Microsoft Exchange environment and a different set of individuals who administer the Windows networking environment. With delegation of authority across OUs, it would be possible to consolidate all the administrative tasks for both the mail environment and the operating system environment, and then to delegate them by OU.
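
The simple structure and per-division delegation described above, as an added example that is not taken from the book: the PowerShell below builds a single root OU with one OU per division and grants each division's admin group a narrow set of rights over user objects in its own OU only. The domain DN, root OU name, group names, and the particular rights delegated are assumptions.

```powershell
# Added example. Assumed: domain DN, root OU name, group names, delegated rights.
Import-Module ActiveDirectory

$domainDn  = 'DC=wadeware,DC=example'   # placeholder domain DN (assumption)
$rootName  = 'Wadeware'                 # root OU name (assumption)
$divisions = 'Manufacturing', 'Sales', 'Acquisitions', 'BackOffice'
$netbios   = (Get-ADDomain).NetBIOSName

function Confirm-Ou([string]$Name, [string]$ParentDn) {
    # Create the OU only if it is missing, so the script can be re-run safely.
    $found = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $found) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$ParentDn"
}

$rootDn = Confirm-Ou -Name $rootName -ParentDn $domainDn

foreach ($division in $divisions) {
    $ouDn  = Confirm-Ou -Name $division -ParentDn $rootDn
    $group = "OU-Admins-$division"       # hypothetical group name

    # Keep the admin groups in the root OU, outside the OUs they administer.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope DomainLocal `
            -GroupCategory Security -Path $rootDn
    }

    # Delegate only within this division's OU:
    #   CCDC;user           create and delete user objects in the OU tree
    #   CA;Reset Password   reset passwords on user objects below the OU
    #   WP;pwdLastSet       force a password change at next logon
    $grants = @(
        @('/I:T', "$netbios\${group}:CCDC;user"),
        @('/I:S', "$netbios\${group}:CA;Reset Password;user"),
        @('/I:S', "$netbios\${group}:WP;pwdLastSet;user")
    )
    foreach ($g in $grants) {
        & dsacls.exe $ouDn $g[0] /G $g[1] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ouDn ($($g[1]))" }
    }

    # Review what the group now holds on the OU.
    (Get-Acl -Path "AD:\$ouDn").Access |
        Where-Object { $_.IdentityReference -like "*\$group" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}
```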
