Domain Controllers OU, Sub OUs

When setting up the AD Users and Computers it was mentioned that in the Domain Controllers OU it automatically populates the domain controllers, and these don’t really get moved around. Is it not advisable to make sub-OUs? One for the primary domain controller and one for the secondary domain controllers?

Making them into sub-OUs means that they still get the Default Domain Controllers Policy GPO, but you can also set them up with minor differences. For example, using the PDC OU to sync the PDC to the NTP server and using the SDC OU to sync the SDCs to the PDC.

Hi @matthew.stricker15

It is not recommended to move a DC from the Domain Controllers OU to another OU, rename the Domain Controllers OU, or create child OUs or sub-OUs. Issues like the DCdiag test failing are some examples, plus some others described in these articles:

DC is not in the domain controller’s OU

Can I move my domain controllers (DCs) from the default Domain Controllers Organizational Unit (OU)?

Of course, in a lab environment you can test for these issues.

Ricardo
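
A read-only check for the condition discussed in this thread, added here as an example and not part of either post: it reports any domain controller whose computer object is not directly in the default Domain Controllers OU, and any child OUs created beneath it. It assumes the ActiveDirectory (RSAT) PowerShell module and read access to the domain; the variable names and output property names are illustrative.

```powershell
# Added example: audit DC placement against the default Domain Controllers OU.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# DN of the default container, e.g. OU=Domain Controllers,DC=<your domain>
$dcContainer = (Get-ADDomain).DomainControllersContainer

# 1. Each DC's computer object should sit directly in the default OU.
$placement = Get-ADDomainController -Filter * | ForEach-Object {
    # Parent DN = everything after the first unescaped comma in the object's DN
    $parent = ($_.ComputerObjectDN -split '(?<!\\),', 2)[1]
    [pscustomobject]@{
        Name          = $_.Name
        IsPdcEmulator = $_.OperationMasterRoles -contains 'PDCEmulator'
        ParentDN      = $parent
        InDefaultOU   = ($parent -eq $dcContainer)   # -eq is case-insensitive
    }
}

# 2. Child OUs directly under the Domain Controllers OU (the sub-OU layout
#    proposed in the question would show up here).
$childOUs = Get-ADOrganizationalUnit -Filter * `
    -SearchBase $dcContainer -SearchScope OneLevel

# 3. Report.
$placement | Sort-Object Name | Format-Table -AutoSize

$misplaced = @($placement | Where-Object { -not $_.InDefaultOU })
if ($misplaced.Count -gt 0) {
    Write-Warning ("{0} DC(s) are outside {1}" -f $misplaced.Count, $dcContainer)
}
if ($childOUs) {
    Write-Warning "Child OUs exist under the Domain Controllers OU:"
    $childOUs | Select-Object -ExpandProperty DistinguishedName
}
if ($misplaced.Count -eq 0 -and -not $childOUs) {
    Write-Output "All DCs are in the default OU and it has no child OUs."
}
```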