
Background: I've been helping out with a recent G.P. simplification (read overhaul) at work. I'm working from a list of things my supervisor has requested be done with Group Policy to harden our security. Due to changes in our G.P. structure, moving the domain controllers into another OU (specifically two layers deeper into that other OU) is preferred. The environment consists of Windows 7, Server 2008 R2, and Server 2012, including a mixture of physical and virtual machines. Of the DCs in question, one is physical while the other is virtual. Both are using Server 2008 R2.

In this picture, the underlined OU is the default location and the proposed location is indicated by the arrow.

Through my valiant efforts at Google-fu, I have only found a single non-Microsoft post warning against it (See John Savill link).

Question: As the title says, what will break if I move my Domain Controller machine accounts from the default OU into another OU, assuming the policy is linked?

I'm not asking about Best Practices. I'm asking what will break when/if the change in question is made.

Links: John Savill Windows IT Pro Q&A Post on Jul. 8, 2009 (I sincerely doubt Microsoft support would hiccup from such a change, we don't use Exchange, the OS updates thing is bogus, etc.)

Group Policy Overview (The Caution beneath Group Policy objects that exist by default references linking the policy correctly, which has been done.)

Securing Active Directory Administrative Groups and Accounts (The Important beneath Moving Administrative Workstation Accounts into the Admin Workstations OU again references linking the policy correctly, which has, again, been done.)


Moving domain controller objects might not cause any problems at first, but you will probably regret it. It looks like you have a handle on the Group Policy links and you haven't mentioned any custom delegation or OU ACLs. There is, however, one major problem: distinguished names. In the Configuration partition of Active Directory, there can be references to domain controllers, especially if you use things like Exchange or SQL Server. Those references are by distinguished name, i.e. the full path to the object. Those references will clearly break if you move the objects.

Let me say more about that SQL Server bit. If Microsoft products have problems with a certain configuration, then you should not use that configuration because they don't intend you to. The Domain Controllers OU always has a certain documented GUID, so it logically follows that looking for domain controllers there is a reasonable thing for all products to do. I have also heard - but not confirmed - stories of adprep (part of the ADDS upgrade process) having problems with moved domain controller objects.

Surely it's not too much of an eyesore to keep the Domain Controllers OU in the root and link any necessary GPOs there too.
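For anyone weighing the move described in this thread, here is a check script added as an example (it is not code from the question or the answer). It lists each DC's computer object, whether it still sits under the default Domain Controllers OU, and whether the DC's server object in the Configuration partition still points at that computer object via serverReference. It assumes the RSAT ActiveDirectory module and a session with read access to the Configuration partition.

```powershell
# Added example, not from the original post: inventory DC computer objects and
# compare them against the Configuration-partition references the answer warns about.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$defaultOu = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

foreach ($dc in Get-ADDomainController -Filter *) {
    # Where the computer account actually lives in the domain partition.
    $computerDn = $dc.ComputerObjectDN
    $inDefault  = $computerDn -like "*,$defaultOu"

    # The site server object (CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...)
    # stores a serverReference pointing at the computer object by distinguished name.
    $server = Get-ADObject -Identity $dc.ServerObjectDN -Properties serverReference
    $refOk  = ($server.serverReference -eq $computerDn)

    [pscustomobject]@{
        DomainController   = $dc.HostName
        ComputerObjectDN   = $computerDn
        InDefaultDCsOU     = $inDefault
        ServerReference    = $server.serverReference
        ReferenceMatches   = $refOk
    }
}
```

Run it before and after any move; a row with InDefaultDCsOU false or ReferenceMatches false is the kind of distinguished-name drift the answer describes and worth investigating before anything else is changed.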
