Windows – active directory structure and replication for dummies

Tags: active-directory, windows

I have to install an Active Directory environment for our company and it would be the first from scratch installation one for me, so I have questions, basically about the structure.

First some description:

  • we have less than 100 users (external and internal), so not much
  • we have offices in different places, in different countries
  • I have to have domain controllers practically in every office (all in all not more than 10)

My plan and questions:

  • I want to use one domain for all of the users without subdomains. Am I right? Actually I don't see the advantage of using more domains, not even subdomains.
  • I want to use Organization Units to separate the different users. See the planned structures below
  • Can I replicate only subtrees between DCs? Like OU=country1, OU=Internal, CN=Users?
  • I saw somewhere an AD where they didn't use the CN=Users for the "normal" users, but a new CN="Company Users" in the root. Is it a common convention? I don't see any good reason not to use the original CN=Users subtree.
CN=Users
    OU=Internal, CN=Users
        OU=country1, OU=Internal, CN=Users
        OU=country2, OU=Internal, CN=Users
        OU=ADMINS, OU=Internal, CN=Users (The only non geographic group on this level for the company IT administrators)
    OU=External, CN=Users: all the external users
        OU=EXTERNALCOMPANY, OU=External, CN=Users
        OU=OTHERCOMPANY, OU=External, CN=Users

I use Windows 2012R2 if it matters.

Thanks for any response.

Best Answer

Your plan looks fine. Ish.

  1. 10 Domain Controllers for less than 100 users is a very high ratio of DCs to users. Strictly speaking, you don't need a Domain Controller at every office.

    • Not having a Domain Controller at a site will result in increased traffic across the site link, as a result of authentication and other domain service traffic traversing the link
    • Domain services will be unavailable if the site link goes down (which may or may not be a problem for you)

  2. A single domain without subdomains sounds right. Microsoft doesn't recommend the use of subdomains anymore, except in a few rare use cases anyway.

  3. You cannot selectively replicate OUs between domain controllers. You don't want to either.

  4. It's a common convention not to use the built-in Users or Computers containers. (And note that they're containers, not OUs.) These are the locations where new users and computers go by default, and so it makes life easier if they're not used for anything else. Using them as a root container for your hierarchy is generally not a good idea.
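The following PowerShell script is an added example, not code from the question or the answer above. It builds the questioner's planned hierarchy as OUs directly under the domain root instead of under the built-in CN=Users container (point 4), and then redirects the default user and computer creation location to dedicated staging OUs with redirusr.exe / redircmp.exe, so that accounts created without an explicit path never land in the built-in containers. It assumes the RSAT ActiveDirectory module, Domain Admin rights, a lab domain to run in, and the OU names "Company Users", "Staging Users" and "Staging Computers", which are assumptions and not from the page.

```powershell
# Added example (not from the question or the answer). Creates the planned OU
# tree under the domain root and redirects the default Users/Computers
# containers. Assumes: RSAT ActiveDirectory module, Domain Admin rights, run on
# a domain controller (redirusr/redircmp live in %windir%\system32 there).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDN  = $domain.DistinguishedName        # e.g. DC=corp,DC=example
$topName = 'Company Users'                  # assumed name for the hierarchy root

# OU tree mirroring the question: Internal/{country1,country2,ADMINS},
# External/{EXTERNALCOMPANY,OTHERCOMPANY}. Built as OUs, not containers,
# so Group Policy can be linked and delegation applied per subtree.
$tree = [ordered]@{
    'Internal' = @('country1', 'country2', 'ADMINS')
    'External' = @('EXTERNALCOMPANY', 'OTHERCOMPANY')
}

function New-OUIfMissing {
    # Idempotent: creates OU=$Name under $ParentDN only if it does not exist.
    param([string]$Name, [string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -SearchBase $ParentDN -SearchScope OneLevel `
                    -Filter "Name -eq '$Name'"
    if (-not $existing) {
        # Accidental-deletion protection guards the whole subtree from a mis-click.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        Write-Host "created OU=$Name,$ParentDN"
    } else {
        Write-Host "exists  OU=$Name,$ParentDN"
    }
    return "OU=$Name,$ParentDN"
}

$topDN = New-OUIfMissing -Name $topName -ParentDN $rootDN
foreach ($group in $tree.Keys) {
    $groupDN = New-OUIfMissing -Name $group -ParentDN $topDN
    foreach ($child in $tree[$group]) {
        New-OUIfMissing -Name $child -ParentDN $groupDN | Out-Null
    }
}

# Staging OUs (assumed names) receive anything created without an explicit
# -Path, e.g. by legacy tools or domain joins. Keeping them separate from the
# real hierarchy means stray objects are easy to spot and move.
$stagingUsersDN     = New-OUIfMissing -Name 'Staging Users'     -ParentDN $topDN
$stagingComputersDN = New-OUIfMissing -Name 'Staging Computers' -ParentDN $topDN

# Redirect the well-known default containers (writes the domain's
# wellKnownObjects attribute; requires a domain functional level of
# Windows Server 2003 or higher, which 2012R2 satisfies).
& "$env:windir\system32\redirusr.exe" $stagingUsersDN
& "$env:windir\system32\redircmp.exe" $stagingComputersDN

# Verify: Get-ADDomain reads the redirected locations back from wellKnownObjects.
$after = Get-ADDomain
"Default user container now:     $($after.UsersContainer)"
"Default computer container now: $($after.ComputersContainer)"

# Sanity check: the built-in containers should hold only the default objects.
Get-ADObject -SearchBase "CN=Users,$rootDN" -SearchScope OneLevel -Filter 'objectClass -eq "user"' |
    Select-Object Name, ObjectClass
```

The redirection is domain-wide and replicates to every domain controller along with the rest of the naming context, which is also why the answer's point 3 holds: an OU is just a subtree of one replicated partition, so there is no per-DC choice of which OUs to carry.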
