Home Windows Server Windows Server 2025 – Part 6 (Active Directory Design)

Windows Server 2025 – Part 6 (Active Directory Design)

Windows Server · 23. November 2024

When creating an Active Directory structure it is good to develop the Active Directory design with a focus for efficient management, delegation of administrative tasks, and application of Group Policies (GPOs). This can be done using a strcuture based on continent, country, and role (e.g., users, servers).

Below is a recommended Active Directory design based on my experiences.

Top-Level Active Directory Design Considerations:

Continent/Region-Based OUs: This allows for easy delegation of administrative control by region. It is not unusual that you have different MSPs or Teams in charge of specific continents or regions. Depending on your organization you might want to use Europe, North America, Asia or you want to add additional regions for India, China, EMEA (Europe, Middle East, Africa).

Country-Based Sub-OUs: Countries within each continent are separated into their own OUs for further delegation and policy application. Examples to use this are workers council requirements, data privacy configurations or compliance requirements.

Role-Based OUs: Within each country, separate OUs for users, servers, and other resources (e.g., workstations) are created. We want to seperate Group Policies for computer and user based components and this seperation is a basic approach for it. It also allows to create login scripts or delegate user administration from server and client object administration.

Server Version OUs: Servers should be further segregated by their operating system version for easier management of updates and group policies. This will become very important, when we start working with Windows Server 2025 Baseline configuration in the next part of this series.

Below is an example structure. Remember that the final Active Directory design depends on your organization size and structure. If you see Active Directories from multiple organizations you will notice, that the difference in the designs is normally in Layer 1 and 2, but you will always see the Users and Servers structure.

|-- Europe
|   |-- Germany
|   |   |-- Users
|   |   |-- Servers
|   |       |-- Server2019
|   |       |-- Server2022
|   |       |-- Server2025
|   |
|   |-- France
|   |   |-- Users
|   |   |-- Servers
|   |       |-- Server2022
|   |       |-- Server2025
|   |
|-- North America
|   |-- USA
|   |   |-- Users
|   |   |-- Servers
|   |       |-- Server2022
|   |       |-- Server2025
|   |
|   |-- Canada
|       |-- Users
|       |-- Servers
|           |-- Server2025
|

Benefits of This Structure:

Security Boundaries: By separating users and servers into different OUs, you can apply different security policies tailored to each group.

Delegated Administration: Administrators can be assigned permissions at the continent or country level without affecting other regions.

Simplified Group Policy Management: GPOs can be applied at various levels (continent, country, operating system version) to ensure consistent configurations across similar resources.

Scalability: The structure is scalable as new countries or regions can easily be added without disrupting the existing hierarchy.

Example Use Cases:

Delegating Control in Germany:

  • You can delegate control of the Europe\Germany OU to a local administrator in Germany, allowing them to manage users and servers within that country without affecting other countries in Europe.

Applying Policies to All Servers Running Windows Server 2025:

  • You can apply a GPO specifically to Europe\Germany\Servers\Windows2025 to enforce server-specific policies such as patching schedules or security baselines.

Applying Continent-Wide Policies:

  • A GPO applied at the Europe level could enforce certain security settings across all European countries, ensuring consistency across the entire region.

Additional Considerations:

  • Hybrid Structures: Depending on your organization’s needs, you may want to combine location-based OUs with department-based OUs (e.g., Europe\Germany\Finance\Users).
  • Group Policy Inheritance: Be mindful of how GPO inheritance works in this hierarchical structure. Avoid blocking inheritance and filters wherever you can. Use Item Level Targeting with Group Policy Preferences, but avoid WMI Filters for performance reasons.

Powershell Script to create a structure

The following Script will create some example OUs for Europe and North America based on my recommend structure for the home lab and Active Directory in general. You can easily adjust the $domain path and add additional continents, countries and other OUs.

# Import Active Directory module
Import-Module ActiveDirectory

# Define the root domain for the OUs
$domain = "DC=ad,DC=hartiga,DC=de"

# Function to create an Organizational Unit if it doesn't already exist
function Create-OU {
    param (
        [string]$ouName,
        [string]$parentOU
    )
    
    # Construct the full distinguished name for the new OU
    $ouPath = "OU=$ouName,$parentOU"
    
    # Check if the OU already exists
    if (-not (Get-ADOrganizationalUnit -Filter {DistinguishedName -eq $ouPath} -ErrorAction SilentlyContinue)) {
        # Create the OU if it doesn't exist
        New-ADOrganizationalUnit -Name $ouName -Path $parentOU
        Write-Host "Created OU: $ouName under $parentOU"
    } else {
        Write-Host "OU: $ouName already exists under $parentOU"
    }
}

# Start creating the OU structure

# Europe OUs
$europeOU = "OU=Europe,$domain"
Create-OU "Europe" $domain

# Germany OUs
$germanyOU = "OU=Germany,$europeOU"
Create-OU "Germany" $europeOU

Create-OU "Users" $germanyOU
Create-OU "Servers" $germanyOU

# Germany Servers Sub-OUs
$germanyServersOU = "OU=Servers,$germanyOU"
Create-OU "Server2019" $germanyServersOU
Create-OU "Server2022" $germanyServersOU
Create-OU "Server2025" $germanyServersOU

# France OUs
$franceOU = "OU=France,$europeOU"
Create-OU "France" $europeOU

Create-OU "Users" $franceOU
Create-OU "Servers" $franceOU

# France Servers Sub-OUs
$franceServersOU = "OU=Servers,$franceOU"
Create-OU "Server2022" $franceServersOU
Create-OU "Server2025" $franceServersOU

# North America OUs
$northAmericaOU = "OU=North America,$domain"
Create-OU "North America" $domain

# USA OUs
$usaOU = "OU=USA,$northAmericaOU"
Create-OU "USA" $northAmericaOU

Create-OU "Users" $usaOU
Create-OU "Servers" $usaOU

# USA Servers Sub-OUs
$usaServersOU = "OU=Servers,$usaOU"
Create-OU "Server2022" $usaServersOU
Create-OU "Server2025" $usaServersOU

# Canada OUs
$canadaOU = "OU=Canada,$northAmericaOU"
Create-OU "Canada" $northAmericaOU

Create-OU "Users" $canadaOU
Create-OU "Servers" $canadaOU

# Canada Servers Sub-OUs
$canadaServersOU = "OU=Servers,$canadaOU"
Create-OU "Server2025" $canadaServersOU

This Active Directory design provides a flexible and scalable foundation for managing users, servers, and other resources across multiple regions and countries within Active Directory.

Layout in Active Directory Users and Computers

Example for flexible Active Directory Design
Example for flexible Active Directory Design

If you need to install the Active Directory, please check the guide here.

Spread the knowledge
Avatar for Andreas Hartig
Andreas Hartig
Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure

Related Posts

A dragon IT Architect in the shadowrun world looking very concentrated on a document to decided if he should migrate from LAPS to Windows LAPS and when.
Windows Server

Windows LAPS and Legacy LAPS – Key Differences

· 1. February 2025

Windows LAPS (Local Administrator Password Solution) is the successor to the legacy LAPS, offering significant improvements and new features while maintaining some of the core functionalities of its predecessor. Below…

Spread the knowledge
Read more
A dragon IT architect from the shadowrun world sitting on an egg protecting Active Directory
Windows Server

Windows Server 2025 – Part 7 (Active Directory Hardening)

· 16. January 2025

In today’s world, cybersecurity is not just a necessity; it’s a foundation for your business’s integrity and trustworthiness. One of the key components of this foundation is Active Directory hardening….

Spread the knowledge
Read more
A dragon IT Architect in the shadowrun world looking very intensively and focussed into Microsoft Windows Server Event Viewer Logfiles
Windows Server

Windows EventLog for Windows LAPS Events

· 4. January 2025

To monitor Windows LAPS (Local Administrator Password Solution) activities in the Windows Event Log, you can track specific Event IDs.  Key Windows LAPS Events IDs The following events provide critical…

Spread the knowledge
Read more
A dragon IT Architect in the shadowrun world, sitting in a datacenter and having a trust relationship issue
Windows Server

Repairing the Domain Trust Relationship – No Reboot

· 7. December 2024

When managing an Active Directory environment, one of the common issues you might encounter is a broken Domain Trust between a workstation, server and the domain. This can be frustrating,…

Spread the knowledge
Read more
A dragon who is an IT Architect in the shadowrun world currently writing powershell scripts to manage Windows Server 2025
Windows Server

Easy PowerShell Scripts for Windows Server 2025 Management

· 9. November 2024

As Windows Server 2025 continues to evolve, system administrators are faced with increasingly complex environments. Fortunately, PowerShell provides an efficient way to automate repetitive tasks, streamline management, and reduce human…

Spread the knowledge
Read more
Windows Server 2025 Part 1
Windows Server

Windows Server 2025 – Part 1 (Preparation)

· 3. November 2024

Microsoft released the Windows Server 2025 and made it officially available on the 1st of November 2025. With the latest changes in the server and datacenter Virtualization market, i wanted…

Spread the knowledge
Read more