Active Directory is the core of the IT infrastructure and the first step toward a sound cybersecurity posture and sustained compliance. To build the right infrastructure, it is important to follow some basic steps that help you avoid configuration and security issues.

Here are some steps you can apply both to new domains and to the restructuring of an existing domain:

Stick to the basics

Keeping your Active Directory as simple as possible improves overall efficiency and makes troubleshooting easier. Designing a domain for every department may look desirable, but it is generally recommended to run fewer, effectively managed domains. An alternative to creating a domain for every department is to use organizational units (OUs).

Have dedicated domain controllers

It is good practice to run domain controllers on dedicated servers (physical or virtual). Adding other roles to a domain controller can affect performance, reduce security, and complicate backup and recovery of the server.

Create a scalable structure

Most organizations start out with a carefully arranged Active Directory architecture. However, with time, Active Directory can grow rather complicated. To avoid this, it is prudent to plan in advance for eventual Active Directory growth. Even though it's hard to predict exactly how Active Directory will grow, some governance practices can be defined to dictate the structure that will be used when it does.

Naming conventions and descriptions

Sticking to standard naming formats for AD objects makes troubleshooting much easier. Define a naming convention before building your infrastructure, and apply it to users, clients, servers, devices, groups, and shares on the network.

Develop a migration strategy

Having a migration strategy in place is an integral part of your overall design plan and protects against possible failures. It involves studying the current or proposed configuration and categorizing the aspects of the domain that will be migrated.

Hardware configuration

The primary responsibility of the domain controllers is to authenticate and validate user access to the network. To ensure that services are not interrupted, it is critical to deploy a sufficient number of domain controllers.

Create proper site topology

Large networks often require multiple Active Directory sites. The site topology should mirror the network topology. The parts of the network that are connected should be placed within a single site.

Host domain controllers on different servers

Organizations usually run multiple domain controllers so that the directory keeps working if one of them fails. However, server virtualization often undermines this redundancy: organizations sometimes place all their virtualized domain controllers on a single virtualization host, so if that host fails, all the domain controllers fail with it.
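As an added example (not from the original page), this PowerShell check queries every domain controller for the hypervisor host it runs on and flags any host carrying more than one DC. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and that the DCs are Hyper-V guests with Integration Services, which publish the host name under the guest's `HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters` key; on physical DCs or other hypervisors that key is absent and the DC is listed as unknown.

```powershell
# Added example: find virtualized domain controllers that share a single
# Hyper-V host, which defeats the redundancy that multiple DCs should give.
Import-Module ActiveDirectory

# Hyper-V Integration Services publish the physical host name here (guest side).
$kvpKey = 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$placement = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $hvHost = $null
    if (Test-Path -Path $using:kvpKey) {
        $hvHost = (Get-ItemProperty -Path $using:kvpKey).PhysicalHostName
    }
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        PhysicalHost     = if ($hvHost) { $hvHost } else { 'physical-or-unknown' }
    }
}

# One row per hypervisor host; more than one DC on a host is the failure mode
# described above (a single host outage takes down several DCs at once).
$placement |
    Where-Object PhysicalHost -ne 'physical-or-unknown' |
    Group-Object -Property PhysicalHost |
    ForEach-Object {
        [pscustomobject]@{
            PhysicalHost      = $_.Name
            DomainControllers = ($_.Group.DomainController -join ', ')
            Status            = if ($_.Count -gt 1) { 'WARN: DCs share one host' } else { 'OK' }
        }
    } | Format-Table -AutoSize

# DCs whose host could not be determined (physical, or a non-Hyper-V hypervisor)
$placement |
    Where-Object PhysicalHost -eq 'physical-or-unknown' |
    Select-Object DomainController, PhysicalHost
```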

Design your management plan before setting up servers

Besides planning the Active Directory structure up front, a good management plan should also be in place. Who will administer Active Directory? Will responsibilities be divided by domain or by OU? These management decisions must be made before the domain controllers are actually set up.

Make logistical changes only if needed

Active Directory is designed to be flexible, and it is possible to perform major restructuring without downtime or data loss. However, on some occasions a restructuring has left Active Directory objects corrupted, especially when moving objects between domain controllers running different versions of Windows Server.

Allocate sufficient memory space

An important attribute of Active Directory domain controllers is their memory. It is recommended to provide twice as much memory as the size of the AD database on disk. With sufficient memory, the domain controller is far less dependent on disk access, and performance improves immensely, with faster, problem-free authentication of users.
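As an added example (not from the original page), this PowerShell script applies the rule of thumb above: for every domain controller it reads the ntds.dit location from the NTDS service's registry parameters, compares the file size with installed physical memory, and flags any DC whose RAM is less than twice the database size. It assumes the ActiveDirectory module and PowerShell remoting to each DC.

```powershell
# Added example: compare each domain controller's physical memory with the
# size of its Active Directory database (ntds.dit), using the rule of thumb
# that RAM should be at least twice the database size on disk.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    # The NTDS service records the database location in this registry value.
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath  = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Database file').'DSA Database file'
    $ditBytes = (Get-Item -Path $ditPath).Length
    # TotalPhysicalMemory is reported in bytes.
    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        DatabasePath     = $ditPath
        DatabaseGB       = [math]::Round($ditBytes / 1GB, 2)
        MemoryGB         = [math]::Round($ramBytes / 1GB, 2)
        # Memory divided by database size; the recommendation is at least 2.
        Ratio            = [math]::Round($ramBytes / $ditBytes, 1)
    }
}

$report |
    ForEach-Object {
        $status = if ($_.Ratio -ge 2) { 'OK' } else { 'WARN: memory below 2x database size' }
        $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    } |
    Sort-Object -Property Ratio |
    Format-Table DomainController, DatabaseGB, MemoryGB, Ratio, Status -AutoSize
```

The ratio is a sizing floor, not a guarantee: a DC that also runs other roles (see "Have dedicated domain controllers") competes for the same memory.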

How can ManageEngine help?

ADManager Plus is an integrated AD, Exchange Server, Microsoft 365, Skype for Business (Lync), and Google Workspace management and reporting solution. This tool allows you to securely delegate OU- and group-based AD tasks to help desk technicians. It also offers customizable workflows to help you streamline and monitor the execution of AD tasks, and automate critical tasks and routines.

  • Manage AD, Exchange, Microsoft 365, Skype for Business, and Google Workspace from a single console.
  • Utilize more than 200 prepackaged AD reports.
  • Create Exchange mailboxes in bulk for AD users and groups.
  • Create Microsoft 365 users in bulk with appropriate licenses via templates or CSVs.
  • Automate routine operations like user provisioning and AD cleanup.
  • Execute AD tasks on a ticket basis with multi-level workflows.
  • Manage AD on the go with iOS and Android apps.
Try ADManager Plus with a free 30-day trial. No credit card required. Enjoy the Free Edition after the evaluation period.
