Active Directory - Organizational Units or Discrete Domains?
flosofl asks: "I work for a large (1,000+ emp.) company and will be in charge of its Active Directory implementation. Our company is in turn owned by a much larger corporation (15,000+ emp.), but we are for the most part autonomous in terms of managing our internal IT dept. Since the larger corporation has ADS in place, they want us to roll in as an OU in their domain (xxx.com). I want to be a child domain (yyy.xxx.com). The SAP portal relies on LDAP and we are told it would not work correctly with a multi-domain model. I on the other hand want total control over MY domain (yes, I know as a parent domain they could do what they want - the illusion is enough). My question is, has anyone been in this type of situation before? How did you resolve it, and did it work? I am worried I am reacting more from a 'you can't play with my toys' than a legitimate tech/business reason. I want to use the method that will work best (which may not be the one I want). Any comments would be appreciated."
I work with Enterprise Management Software in a huge and diverse environment and have seen from experience that in the end it is easier for everyone to consolidate environments and services whenever possible.
Also, since you indicated that applications require you to use the OU model, you should use it.
Talk to the AD admins and get them to grant you administrative authority over everything within your OU. You might even be able to offload some of the more menial roles that you perform to the larger IT group.
Conformity is the jailer of freedom and enemy of growth. -JFK
If your organizational structure is autonomous as you say it is, and the AD implementation isn't being done in conjunction with some sort of hierarchical reformation in the Enterprise, the more elegant solution is to become a Tree in the AD Forest - not a sub-domain but another domain inside the AD Forest. This saves you from a lot of administration headaches caused by several geographically distributed administrators trying to perform policy-based user administration in the various domains - especially because the OS has no real good way of logging administrative activity (no rcs functionality) so you can spend all day trying to understand why Joe can't print and it turns out to be caused by a policy change initiated in Wichita, or whatever, where his primary OU has most of its staff.
Obviously if your Enterprise IT dept can't or won't do the schematic work required to create an AD Forest with multiple trees, or your vendors can't or won't ship an SAP product that supports them, you are screwed and will end up as another OU in the AD.
Being a sub-domain in a single tree is just a bad idea all around for this circumstance - it's not like you want to have a truly subordinate entity with local administration like a research lab or a test network.
Perhaps I am missing something, but it sounds like a really bad idea. It's of course technically possible to bridge the LDAP between two domains (or forests for that matter), but without more knowledge of the portal's LDAP requirements -- and with full knowledge that in a subdomain your additional security is a façade anyway, I wouldn't bother.
Just my 2 cents.
Or at least let them know that domain-component directory hierarchies are stupid++. And don't stop with LDAP, go with X.500 as your core directory service system and hang an LDAP front end on it for clients that need it. It's a damn shame MSFT embraced and extended directory services (along with Kerberos), having had no interest or input into naming schema until it was time to extend their monopoly. Never mind years of work that was already in place, obviously MSFT ActiveDirectory was so important and ground-breaking it had to have its own namespace.
Bitter, but true. After all, we can only consider `us' (the unsinkable Microsoft) and `them' (the mysterious `them' that Microsoft employees and sycophants chant about killing during their rallies).
Off topic? But we're on SlashDot! (-:
Got time? Spend some of it coding or testing
Yah, and Microsoft is going away as well. Right? Reality is that the ONLY LDAP directory out there that really is useful for Windows OS is ..... Active Directory.
Sorry, but I have to say it.
DUH.
You would only really need another domain if the namespace needed to be different and/or you needed to upgrade in place a legacy domain without merging it with the parent domain. You could gain control over your OU and reset the ACLs on the OU so that only your OU administrators had access. Some things like domain admins, enterprise admins, and schema admins you would not have control over. To be honest, if you are not familiar with Active Directory then hand the responsibility of maintaining the domain controllers and the Active Directory databases over to a central group that will be focused on that task. Maintaining Active Directory is more like Exchange or SQL database management.
Maybe. If so, AD users will find themselves standing on thin air over a cesspit at the time. Either way, sooner or later AD will be a dead end. Trust me on this one, Microsoft will obsolete it one day, and force users into The Next Great White Hope<*>, whatever that turns out to be.
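The delegation step the post above describes (reset the OU's ACL so the local admins control it, while Domain/Enterprise/Schema Admins stay out of their hands) looks like this in practice. This is an added example, not code from the original thread; it assumes the ActiveDirectory PowerShell module, a hypothetical OU "OU=Subsidiary,DC=xxx,DC=com" and a hypothetical pre-existing group "Subsidiary-OU-Admins".

```powershell
# Added example (not from the original thread). The OU and group names are
# hypothetical; replace them with your own.
Import-Module ActiveDirectory

$ouDN     = "OU=Subsidiary,DC=xxx,DC=com"
$adminGrp = Get-ADGroup -Identity "Subsidiary-OU-Admins"
$sid      = [System.Security.Principal.SecurityIdentifier]$adminGrp.SID

# Read the current DACL on the OU through the AD: PSDrive the module provides.
$acl = Get-Acl -Path "AD:\$ouDN"

# Grant the OU admins full control over the OU and everything beneath it
# (ActiveDirectorySecurityInheritance::All = this object and all descendants).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the explicit (non-inherited) ACEs now present on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# What this delegation does NOT take away: by default Domain Admins and
# Enterprise Admins keep full control on every OU, and nothing the OU admins
# do inside their OU changes that. Listing those ACEs makes the "illusion of
# control" point from the question concrete.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -match 'Domain Admins|Enterprise Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

GenericAll is the blunt form of delegation; in a real rollout you would usually hand out narrower rights (e.g. create/delete user objects, reset password, write group membership) per object class with the same ActiveDirectoryAccessRule constructor, but the verification and the caveat about the parent's retained rights are the same.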
He doesn't say that they're an all-Borg shop, or that they need to continue to be if they are.
Using OpenLDAP (any decent LDAP, really), he could be both an OU and a child domain at the same time, no worries, no major management hassles as long as no dweeb dicks with the LDAP directory by hand.
<*> read `Hope' as `Elephant' and there you have it. Microsoft sell a lot of Stone Soup.
I am sorry, but I will take Microsoft and its business practices over ANY open source "product". Open source has and will always be a toy for those of us with too much time on our hands. I have experience with many flavors of companies and OSs. Some are sweet and drive fast. Some may go slower, but always get me where I am going. Cisco and Microsoft are not my best friends. They are also one of the major reasons why high tech is a player in today's economy. They market and listen to people who BUY stuff. Like my customers who pay for my services. Sorry for the rant, but I have to deal with OpenSource drones all the time. They can not get jobs!
It solved a lot of problems (users coming to our labs, our users going to other departments) and wound up being worth the hassle.
You will find cases where having a group-wide tree is more useful than having the full, exclusive control you might get from a separate AD tree, so join them. I'm not sure exactly how to join as it's been about 3 years since I looked at AD forests & trees, so I'll let others guide that.
take cluestick
wield cluestick
If that little piece of crackspeak were true, what are IBM doing supporting it? Why do Google use it exclusively? Why are Linux-based supercomputing clusters filling up the top 500? Why are Fortune 500s like Merrill Lynch contributing to it?
Thank you for playing, here's your gold-plated tie pin, now nick off.
That's right, and take them out to dinner to woo and weasel and promise (lie to) them whatever they need to promise to get more money out of them and stick more control into instead of spending that money and effort in making the whole computing scene better by letting go of their stranglehold. And funny you should mention Cisco, 'coz one of their products is a PC running Linux. And if FOSS is so useless and dangerous, why do Microsoft ship it? Gotcha gold pin, have you? Here's the door, have a nice life.
The problem here is that most of them spend so much time working that they have none left for overt advocacy, writing up proposals, answering the queries from pollies etc (and the snowballing interest in FOSS). This in a country (Australia) that Microsoft are grooming as a showcase for their technology (part of why Stevie flew across to jolly Telstra along). We've just today had another meeting with a pollie falling over themselves to learn the best ways of integrating FOSS into government IT.
Microsoft claim to want a level playing field. We claim to not want an 800lb gorilla playing on it with us mere mortals ('coz it'll pound us level with the playing field politically and financially if it does). Regardless of the politics, the Open Source software job market is booming. Kids want to be more than a George Jetson reboot-button jockey, and FOSS is an unbeatable way to escape that dead end.
Sorry, you're still here?
apply cluestick to luser; wield LART
I worked in a medium sized division of a large company and we were in the exact same situation. I had the same concerns that you do. We ended up collapsing into an OU and have not looked back. There are several services that get consolidated as well. For example, you would (probably) no longer have to support domain controllers if you went into an OU. Also, there is very little that can be done with a domain that can't be accomplished with an OU (password policy is one).
Having just been through a consolidation of 4+ NT4 Domains (1000+ users) to a single AD installation last year and the addition of an additional Child Domain overseas within the last 6 months I can say that there is really only one reason to consider using a child domain instead of OUs, and that reason is replication.
All DCs in a domain have an exact copy of the AD structure and it needs to be replicated fairly often for the domain to function correctly. We decided to make a child domain overseas because it really cuts down on the amount of replication traffic between the sites and will allow the child to still run well even if the overseas link is down for any substantial amount of time.
As long as you have a good (1/2 T1+) stable connection between all the different locations all other administrative functions can be delegated at the OU level, policy inheritance can be blocked and there really is no reason to use a child domain instead of an Organizational Unit.
"Because I have balls like atom bombs, two of them, 100 megatons each. Nobody fucks with me."
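The two mechanisms the post above leans on (a site topology that keeps replication traffic off the WAN link, and blocking GPO inheritance at the OU so the parent's policies don't land on the subsidiary) can both be set up from PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory and GroupPolicy modules, a hypothetical site "Subsidiary-HQ", subnet 10.20.0.0/16, DC "DC01.xxx.com" and OU "OU=Subsidiary,DC=xxx,DC=com".

```powershell
# Added example (not from the original thread). All names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Site topology. Intra-site replication is immediate and uncompressed;
#    inter-site replication is scheduled and compressed. Putting the subsidiary's
#    DCs and clients in their own site keeps the chatty part local.
New-ADReplicationSite   -Name "Subsidiary-HQ"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Subsidiary-HQ"

# Site link to the parent's site. Cost steers the KCC's route choice; the
# frequency is how often the slow link is used (minimum 15 minutes).
New-ADReplicationSiteLink -Name "Parent-Subsidiary" `
    -SitesIncluded "Default-First-Site-Name", "Subsidiary-HQ" `
    -InterSiteTransportProtocol IP `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60

# Check that the subsidiary DC actually replicates with a partner and when it
# last succeeded; a stale LastReplicationSuccess is the symptom of a flaky link.
Get-ADReplicationPartnerMetadata -Target "DC01.xxx.com" |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# 2. Block inheritance of parent-level GPOs on the subsidiary OU.
$ouDN = "OU=Subsidiary,DC=xxx,DC=com"
Set-GPInheritance -Target $ouDN -IsBlocked Yes

# Caveat a practitioner wants to see: links the parent marks Enforced bypass
# the block and still apply. List them so nobody is surprised later.
Get-GPInheritance -Target $ouDN |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Where-Object { $_.Enforced } |
    Select-Object DisplayName, Target, Enforced |
    Format-Table -AutoSize
```

The replication check is the one to run before deciding a child domain is needed: if the inter-site schedule and link cost already keep traffic acceptable and replication succeeds on time, the replication argument for a separate domain goes away.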
I would go the route of being a tree (or as you put it subdomain) within their active directory forest. If they built their AD correctly in the first place it should be a snap to make your NT Domain part of their forest. In fact its even easier now with the release of Server 2003, it makes the whole relationship much more robust, and allows established domains to easily join the forest....
Why this solution is Ideal...
1. You still own your domain, and have complete control as you always have.
2. The larger entity, also has control since they are higher up, any thing at their level can flow down to you as an integrated entity, if need be...
3. An OU's purpose is not for containing entire subdivisions of a company as your relationship seems to be...an OU is just that, an Organizational Unit...so you divide your domain up into the company departments with them....
4. This will become especially important for using SMS if you folks desire...particularly if you implement SMS 2003, or whatever the next version beyond 2.0 ends up getting called since its heavily AD oriented...
Only other questions, e-mail me, we have been down all these roads here, and can probably provide insights if you wish...
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
It's important to remember that MS has been working on AD for a long time, when NT4.0 shipped the project to build AD had already started. In fact at one point they even planned to ship it as an add-on to NT4.0. They had to create a lot of the AD, before people had really begun to put a lot of effort into other x.500 standards...
Good point. Please also keep in mind that AD was created by the same engineering group that created the Exchange 5.5 and earlier directory services. While it is a different product than the older Exchange directories, it's not exactly a "1.0" release. My Company implemented AD more than a year ago. We have 4 domains, the top level just containing enterprise resources, and the 3 regional subdomains. All sites within the 3 regions, (North America, Central Europe and Asia Pacific), have OUs. This has worked very well for us. We're currently rolling out Exchange 2000, Exchange Conferencing and Exchange IM as well as unified messaging, (I'm the E2k Admin for the Americas). The OU admins are able to do just about everything within their OUs, but at the same time, people using AD or any consolidated management structure have to realize that nothing exists in a vacuum. You could get a different Domain Tree, or forest, but the size of your company in relation to the size of the parent company don't really warrant it, otherwise the political players in other Business units will whine for the same thing. I think you should be satisfied with an OU..... Also As I've lived thru this type of situation and if I may give some advice, you don't want to be the one standing in the way of the corporate initiatives. Learn as much as you can, and perhaps try to get into the group that is managing the entire environment if you feel your level of rights or job security is at risk. Just my $.02
We had one child domain here, and I'll never do that again! It was on a T1/384 frame, and it would lose sight of the other AD servers quite frequently. The building would remain functional, but I could see the errors, sometimes not even being able to find it in network neighborhood, esp from Win 9.x machines. We finally got a new server, so I was able to move everything off of the old one and take the domain out. What a pain! And it has still taken a bite out of our AD and DNS. (our roles master just went south right after that - and I am now putting in a new, more powerful server to move the roles over) I have errors now that I didn't have before. Even though the network appears to be fully operational, and the end-user doesn't see what I see, certain DNS tests fail:
netdom reset domainname
The RPC server is unavailable
netdom reset 4.0servername
access denied
It especially kicked our last 2 4.0 servers off, killing the trust. These were non-essential servers, and I was in the process of converting them anyway, so I could deal with this, but it was still a pain.
There is no reason why you shouldn't have full control over your own OU. And besides, even with a Child, it all shows up in the same AD anyway. You will see them, they will see you - so don't delude yourself into thinking that might give you any additional control.
Generally, Domains should be used for geographically distinct locations. OUs should be used for logical subdivisions within the same geographical location.
However, if you need different password policies, you need your own domain.
10b||~10b -- aah, what a question!
Don't worry about it. Sounds like they are going to do what they like, with an OU they can still assign you permissions for full control.
Not the best solution, it will cause lots of unnecessary replication (even with sites setup)
A tree in a forest still shows up as:
xyz.domain.com how else would the naming convention work?
ldap should work either way. sounds like the other company just wants to remove some of your rights
This may have been stated other places, but in general, I start with two domains, an "empty" root and a child that contains everything. I only add domains if there is a good reason to do so. Wanting to have a domain is not a good reason. Some good reasons are:
- Need to have different password policies (these are only configurable at the domain level).
- Replication issues that cannot be handled through the site topology.
You don't really talk about what is being put in this OU, is it your users' accounts, their workstations' accounts, security or distribution groups, your servers, or what? The OU model needs to be driven by your administrative model. Does your IT area handle all user provisioning? Email account creation (I assume you are an Exchange 2000 shop)? As someone else said, it may not even make sense for you to keep all of the possible AD objects within your OU, some may make more sense to turn over to the larger group for centralized management.
Good question and a very valid concern though!
Left shift 1 for e-mail...
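The post above gives "different password policies" as one of the two legitimate reasons for a separate domain, because in the Windows 2000/2003-era forest the thread discusses the password and lockout settings came only from the domain's Default Domain Policy. Since the Windows Server 2008 domain functional level, fine-grained password policies (Password Settings Objects) let a group of users carry its own policy inside a single domain, which removes that reason for a child domain in most cases. The following is an added example, not code from the thread; it assumes the ActiveDirectory module, a hypothetical global group "Subsidiary-Users" in OU "OU=Subsidiary,DC=xxx,DC=com" and a hypothetical user "jdoe" in it.

```powershell
# Added example (not from the original thread). Group, user and OU names are
# hypothetical.
Import-Module ActiveDirectory

# The one-per-domain policy that the thread is talking about.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration |
    Format-List

# PSOs need a domain functional level of Windows Server 2008 or later.
$mode = (Get-ADDomain).DomainMode
if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level $mode does not support fine-grained password policies"
}

# A stricter policy for the subsidiary. Lower Precedence wins when a user is
# covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name "Subsidiary-Users-PSO" -Precedence 100 `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users and global security groups, not to OUs, so the OU admins
# put their users in a group and attach the PSO to that group.
Add-ADFineGrainedPasswordPolicySubject -Identity "Subsidiary-Users-PSO" -Subjects "Subsidiary-Users"

# Resultant policy for one user: shows whether the PSO or the domain default wins.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold |
    Format-List
```

The resultant-policy check is the part worth keeping in a runbook: a user who is not (transitively) in a targeted group silently falls back to the domain default, and nothing in the OU's delegation model will tell the OU admins that.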