Module 6: Designing an Active Directory Domain
Learn how to design an efficient and scalable Active Directory domain structure that meets your organization’s business, security, and administrative requirements.
Key Concepts Covered:
1. Understanding Domain Design Principles
What is a domain in Active Directory?
Why proper domain design is critical for large environments
Factors that affect domain structure: geography, business units, autonomy
2. Designing a Single vs. Multiple Domain Structure
✅ Single Domain Model:
Easier to manage
Lower replication overhead
Centralized policy control
✅ Multiple Domain Model:
Used for different security policies or legal boundaries
May reflect business or geographic boundaries
Higher complexity and replication costs
3. Domain Naming Strategy
Choose DNS-compliant domain names
Match internal AD domain names with external DNS only when required
Avoid using non-routable names like .local (deprecated)
4. Impact on Replication and Authentication
How domain boundaries affect replication traffic
Trust relationships between domains
Authentication traffic considerations
5. Administrative Delegation
Use domains to define security boundaries
Limit who has domain-level control
Avoid unnecessary domain creation—use OUs instead for delegation
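Added example (not part of the course material): a PowerShell check that shows who actually holds domain-level control by expanding nested membership of the built-in privileged groups. It assumes the ActiveDirectory module is available and that it runs in the forest root domain (Enterprise Admins and Schema Admins exist only there; elsewhere those lookups are skipped).

```powershell
# Added example: list the effective members of domain-level privileged groups.
# Group names are the built-in defaults; the 90-day staleness window is an assumed policy value.
Import-Module ActiveDirectory

$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$report = foreach ($g in $privileged) {
    # -Recursive expands nested groups down to the leaf principals, so a user
    # who is "only" in a nested group is still reported here.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
        Select-Object @{ n = 'PrivilegedGroup'; e = { $g } },
                      SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

# Full picture of domain-level control, grouped by privileged group
$report | Sort-Object PrivilegedGroup, SamAccountName | Format-Table -AutoSize

# Candidates for removal review: disabled accounts and accounts not used in 90 days
$stale = $report | Where-Object {
    -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90)
}
if ($stale) {
    Write-Warning "Privileged accounts that are disabled or stale:"
    $stale | Format-Table PrivilegedGroup, SamAccountName, Enabled, LastLogonDate -AutoSize
}
```

Run it periodically and compare the output with the documented list of approved domain administrators; any account that appears only through nesting is a sign that delegation should have been done at the OU level instead.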
6. Domain Functional Levels
Select based on the lowest OS version of domain controllers
Higher levels = more AD features (e.g., fine-grained password policies)
| Functional Level | Characteristics |
|---|---|
| Windows Server 2008 | Legacy support |
| Windows Server 2012/2016 | Modern features |
| Windows Server 2019/2022 | Latest, most secure |
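Added example (not course material): a PowerShell check that compares the current domain functional level with the operating system of every domain controller, since the level cannot be raised above what the oldest DC supports. It assumes the ActiveDirectory module and rights to query the domain; the target level in the commented-out raise command is an assumed value.

```powershell
# Added example: find the oldest domain controller, which caps the functional level.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Current domain functional level: $($domain.DomainMode)"

# OperatingSystemVersion is a string such as "10.0 (17763)"; convert it to a
# [version] so that "6.3 (9600)" sorts before "10.0 (17763)" (string sorting would not).
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem,
        @{ n = 'OSVersion'; e = { [version]($_.OperatingSystemVersion -replace '\s*\((\d+)\)', '.$1') } }

$dcs | Sort-Object OSVersion | Format-Table -AutoSize

# The lowest OS version among the DCs determines the highest level you can select
$oldest = $dcs | Sort-Object OSVersion | Select-Object -First 1
"Oldest domain controller: $($oldest.Name) running $($oldest.OperatingSystem)"

if ($dcs.OperatingSystem -match '2008') {
    Write-Warning 'Windows Server 2008-era DCs are still present; decommission them before raising the level.'
}

# Once every DC runs a sufficient OS, the level is raised with Set-ADDomainMode.
# Assumed target level; raising is one-way, so confirm backups and replication health first.
# Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2016Domain
```

Features such as fine-grained password policies only become available once the level is raised, so the oldest DC in the output is the one holding the rest of the domain back.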
Identifying Business Needs
- Before Designing a Domain, You Should:
  - Identify Administrative Strategy
  - Identify Security Needs
  - Plan for Growth and Flexibility
Designing the Initial Active Directory Domain
Planning for Security Groups
Learn how to plan, design, and implement effective security groups in Active Directory to streamline user management, enforce permissions, and enhance enterprise security.
Key Concepts Covered:
1. Purpose of Security Groups
Assign permissions to shared resources (files, folders, printers).
Control access to applications and network services.
Apply Group Policy to users/computers efficiently.
2. Types of Active Directory Groups
| Group Type | Use Case |
|---|---|
| Security Group | For granting resource access & assigning permissions |
| Distribution Group | Used only with email applications (e.g., Exchange) |
- Deciding Which Security Group to Use
  - Universal Group
    - Members from any domain in the forest
    - Use for access to resources in any domain
  - Global Group
    - Members from own domain only
    - Use for access to resources in any domain
  - Domain Local Group
    - Members from any domain in the forest
    - Use for access to resources in one domain
- Planning for Nested Groups
  - When Nesting, You Should:
    - Minimize Levels of Nesting
    - Document Group Membership
  - Design Guidelines
    - Add Users to Global Groups
    - Add Global Groups to Domain Local Groups
    - Assign Permissions to Domain Local Groups
- Designing Security Groups in Active Directory
Designing security groups involves structuring and organizing users, devices, and permissions in Active Directory to ensure secure, scalable, and efficient access to network resources.
Purpose of Designing Security Groups:
✅ Streamline access control
✅ Simplify permission management
✅ Enforce security policies effectively
✅ Support role-based access control (RBAC)
Core Design Principles:
1. Use Role-Based Design
Group users based on job roles or responsibilities (e.g., HR, Finance, IT Support).
2. Follow the AGDLP Model
Accounts → Global Groups → Domain Local Groups → Permissions
Add users to Global Groups
Add Global Groups to Domain Local Groups
Assign permissions to Domain Local Groups
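Added example (not course material) that implements the AGDLP chain above, and the nesting guidelines from the earlier section, for one shared folder: accounts go into a role-based Global group, that group is nested one level into a resource-based Domain Local group, and the NTFS permission is granted to the Domain Local group only. The domain name CORP, the OU path, the folder path, the group names and the user accounts are all assumed values.

```powershell
# Added example: AGDLP for a Finance share. All names and paths below are assumed.
Import-Module ActiveDirectory

$ouPath = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds security groups
$share  = 'D:\Shares\Finance'              # assumed folder on the file server running this script

# A -> G: put accounts into a Global group named after the job role, not the resource
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path $ouPath -Description 'Role: Finance department staff'
Add-ADGroupMember -Identity 'Finance-Users' -Members 'jdoe', 'asmith'   # assumed accounts

# DL: one Domain Local group per resource and permission level
New-ADGroup -Name 'ACL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ouPath -Description 'Modify on D:\Shares\Finance'
New-ADGroup -Name 'ACL-FinanceShare-Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ouPath -Description 'Read on D:\Shares\Finance'

# G -> DL: a single level of nesting, which keeps membership easy to document
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Finance-Users'

# DL -> P: the NTFS ACE is placed on the Domain Local group, never on users or Global groups
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-FinanceShare-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Document group membership: show who ends up with Modify on the share
Get-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Recursive |
    Select-Object objectClass, SamAccountName
```

With this layout, giving a new hire Finance access means one Add-ADGroupMember call on Finance-Users; no ACL on the file server changes, and the recursive membership dump at the end is the review artefact for auditors.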
Planning for Organizational Units (OUs) in Active Directory
Planning for OUs involves designing a logical structure within Active Directory to organize users, computers, and other objects based on administrative needs, policies, or business functions.
Purpose of OU Planning:
✅ Delegate administrative control
✅ Apply Group Policies effectively
✅ Reflect the organization’s structure
✅ Improve manageability and scalability
Key Planning Considerations:
| Criteria | Description |
|---|---|
| 📌 Delegation | Determine which OUs need separate administrators |
| 📌 Group Policy | Plan OUs to target specific GPOs without inheritance conflicts |
| 📌 Structure | Align with organizational hierarchy, geography, or function |
| 📌 Simplicity | Avoid overly deep OU structures that are hard to maintain |
Common OU Design Models:
1. Geographic Model
OU structure reflects physical locations (e.g., Asia, Europe, North America)
2. Organizational/Departmental Model
Based on departments (e.g., HR, Finance, IT, Sales)
3. Hybrid Model
Combines geography and function for more granularity
4. Object Type Model
Separate OUs for object types (e.g., Users, Computers, Groups)
- Planning Upper-Level OU Strategies
- Planning Lower-Level OU Strategies
- Design Guidelines
  - When Designing the OU Structure:
    - Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
    - Create Lower-Level OUs to Support Group Policy
    - Test the OU Structure and Make Changes Based on Evaluation
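Added example (not course material) that builds the hybrid OU model from this section: stable geographic OUs at the upper level, object-type OUs underneath to support Group Policy targeting, a GPO linked at the lower level rather than the domain root, and a narrow delegation (password reset on one region's users) in place of a domain-level role. It assumes the ActiveDirectory and GroupPolicy modules, the NetBIOS domain name CORP, and the region, GPO and help-desk group names, which are all invented for the example.

```powershell
# Added example: hybrid OU structure with GPO link and scoped delegation. Names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Upper level: stable names meaningful to administrators (geography)
$regions   = 'Europe', 'NorthAmerica'
# Lower level: object-type OUs so that GPOs can target users or computers cleanly
$functions = 'Users', 'Computers', 'Groups'

foreach ($r in $regions) {
    New-ADOrganizationalUnit -Name $r -Path $domainDN -ProtectedFromAccidentalDeletion $true
    foreach ($f in $functions) {
        New-ADOrganizationalUnit -Name $f -Path "OU=$r,$domainDN" -ProtectedFromAccidentalDeletion $true
    }
}

# Group Policy: link a workstation baseline to the Computers OU of one region,
# which avoids inheritance conflicts with user-targeted policy elsewhere
$gpo = New-GPO -Name 'Workstation Baseline - Europe'   # assumed GPO name
New-GPLink -Name $gpo.DisplayName -Target "OU=Computers,OU=Europe,$domainDN" -LinkEnabled Yes

# Delegation: grant the Europe help desk the "Reset Password" extended right on user
# objects under the Europe Users OU only (dsacls; group name assumed). This is the
# OU-level alternative to creating a domain or handing out domain-level control.
dsacls "OU=Users,OU=Europe,$domainDN" /I:S /G 'CORP\Europe-HelpDesk:CA;Reset Password;user'

# Evaluate the result: the OU tree and the effective GPO inheritance at the lower-level OU
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Europe,$domainDN" |
    Select-Object DistinguishedName
Get-GPInheritance -Target "OU=Computers,OU=Europe,$domainDN"
```

Keep the upper level small and stable; reorganisations happen by moving objects between lower-level OUs, so the GPO links and delegations on the upper level do not have to be redone.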