Active Directory mistake: Moving domain controller objects into a child OU of the domain controller is unsupported

by Mitch Tulloch
6 comments | 3I like it!
Tags: domain, network
More »
on this topic
May 19, 2008, 12:52 PM —  ITworld.com — 

In two previous articles (here and here) I shared some classic Active Directory mistakes people have made that got their companies into serious trouble. Here's another mistake that on the face of it sounds harmless but that can have unintended consequences if you implement it.

A company I know had half a dozen domain controllers in their domain, and by default Windows Server 2003 stores the computer account for all domain controllers in the Domain Controllers organizational unit (OU)(for example OU=Domain Controllers,DC=contoso,DC=com) to which the Group Policy Object named Default Domain Controllers Policy is linked. What the customer wanted to do was to create a child OU beneath the Domain Controllers OU and then move the computer accounts of several domain controllers into this sub-OU. Why did they want to do this? The usual vague answer: "for business reasons".

On the face of it, this doesn't sound like it would cause any problems since any policy changes made to the Default Domain Controllers Policy GPO would not only be directly applied to the objects contained in the Domain Controllers OU but would also automatically be inherited by any objects contained in the child OU. So what harm could be done by doing this? Would it break anything?

Maybe not, but after talking with some people inside Microsoft concerning this, the word I hear is that doing this (moving domain controller objects into a child OU of the Domain Controllers OU) is unsupported. Why wouldn't it be supported? Probably because Microsoft has never tested that scenario so they don't know what the consequences of doing it might be. How does that impact the customer? If the customer does something to their network that Microsoft says is unsupported, then Microsoft isn't obligated to help the customer should they decide to go ahead and do it and something goes wrong. In fact, Microsoft might simply respond by saying, "Sorry, that change is unsupported -- you'll have to flatten your network and rebuild it from scratch." I'm not saying they will respond that way, just that they might -- and that it would be perfectly fair and reasonable for them to do so.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Close

On Twitter now

domain

Powered by Twitter
Refresh results
You are logged in | Sign out
Sign in and post to Twitter

What are you thinking?

Insert this article url
Cancel Tweet sent

On Twitter now

Comments
6 comments Add a comment

Hello there. First of all

Hello there.

First of all thanks for your article, it is very good and clear. I, however, have a good reason for putting the domain controllers inside child OUs, and I have done so and incurred into problems, so I had to move them back to the default Domain Controllers OU.

My reason is that I have 5 domain controllers in 3 different and distant sites, and each site has its own WSUS server, so I would like to have the domain controllers getting their updates from their local WSUS server, but to do that I need to apply different group policies to the servers in different locations, therefore they need to be in different OUs.

So, I couldn't find any solution to that because I can't move my domain controllers, and I believe Microsoft should have thought of that... Anyway, would you have any ideas to solve my problem without moving the domain controllers to different OUs?

Thank you again!
by Felipe Ceotto (not verified) on 8/21/08 at 4:32 am | reply

Hey Felipe, your solution:

Hey Felipe,

your solution: make 3 different GPOs that have 3 different WSUS paths. konfigure the CAL of every GPO in that way, that only the right DCs have the permission to read und apply their corresponding policy. then link EACH of the GPO with the OU domain controllers. thats all...
by GFischer (not verified) on 9/27/08 at 9:26 am | reply

GPOs using WMI Filters

this is a common issue to solve in large global deployments of domains and the biggest issue people face is not updating the GPO's if they explicitly assign the DC computer object against on the security filter and they then decommission the DC and add a new one.
the easiest way around this does of course depend on your global naming standard.
Using WMI filters in GPMC you can create a WMI filter that will only ensure that the GPO you assign will only apply to computers that start with a specific WMI filter.
ie root\CIMv2 Select * from Win32_ComputerSystem WHRE Name like 'SITE-A%'
assign this to the GPO on the domain controllers OU that specifies SITE A's wsus server. hence you keep them all in one OU.
by Mike Baker (not verified) on 10/7/08 at 11:49 am | reply
View all comments »
peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

 

Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
view all newsletters »
Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace