Active Directory structure is not something most administrators think about carefully — until the environment grows past the initial setup and the decisions made on day one start creating problems. Understanding the active directory structure before you build it is what separates environments that stay manageable from the ones that turn into a support burden two years later.
The logical model has three layers: forest, domain, and organizational unit (OU). Each serves a distinct purpose. Getting the purpose wrong — especially for OUs — is one of the most common structural mistakes in SMB environments. If you’re just getting started, What Is Active Directory? covers the fundamentals before this article picks up.
- One forest is correct for almost every SMB and homelab environment
- One domain is correct for almost every SMB and homelab environment
- OUs are for administration scope (GPO targeting, delegation) — not for permissions
- Security groups control resource access — not OUs
- Protect every OU from accidental deletion immediately after creation
- Keep OU depth at 2–3 levels maximum
How the Active Directory Structure Fits Together
The active directory structure uses a three-tier logical hierarchy. Each tier contains the next:
The forest is the outermost boundary. Everything inside a forest shares one schema and one global catalog. A forest can contain multiple domains, but most environments don’t need more than one.
The domain is where authentication happens and where objects live. Users, computers, groups, and policies all belong to a domain.
OUs sit inside domains. They’re containers — folders, essentially — used to organize objects for administrative purposes.
Understanding what each layer is for is more important than memorizing the hierarchy. Each layer was designed to solve a different operational problem, and the active directory structure only causes trouble when the layers are used for the wrong purpose.
What Is an Active Directory Forest?
The forest is the top-level logical boundary in Active Directory. It’s not a server — it’s a logical container that defines the outer limit of trust, schema, and global catalog. Microsoft’s documentation on the AD DS logical model describes the forest as “the security boundary of the Active Directory environment.”
Every forest shares one schema. If you extend the schema — for example, during an Exchange or SCCM installation — that extension affects every domain in the forest. There’s no per-domain schema. This is why schema extensions need to be planned, not improvised.
Every forest also shares one global catalog, which is a distributed database containing a partial copy of every object in every domain. Applications and users query the global catalog for cross-domain lookups and authentication.
What the Forest Contains
| Component | Scope | Notes |
|---|---|---|
| Schema | Forest-wide | Defines object classes and attributes — shared across all domains |
| Global Catalog | Forest-wide | Partial copy of all objects; required for authentication and cross-domain lookups |
| Domains | Contained in forest | One or more; each is a replication and admin boundary |
| Forest trusts | Between forests | Implicit two-way trust exists between all domains within the same forest |
For most SMB and homelab deployments, one forest is the correct active directory structure choice. Multiple forests exist for mergers and acquisitions, regulatory separation requirements, or situations where two organizations need to remain structurally independent while sharing limited resources. None of those scenarios apply to a typical SMB or homelab.
Adding a second forest does not add security — it adds operational overhead.
What Is an Active Directory Domain?
The domain is the primary administrative and replication boundary. Users log in to a domain. Group Policy applies at the domain level and below. Domain controllers replicate domain objects with each other.
Objects that belong to a domain: user accounts, computer accounts, security groups, service accounts, and Group Policy Objects. Authentication in Active Directory is domain-scoped — when a user logs in, a domain controller in their domain processes the Kerberos ticket. The domain name (corp.local, contoso.com) becomes part of every user’s UPN.
Single Domain Is the Right Answer for Most Environments
Historically, large organizations used multiple domains to manage Active Directory replication across slow WAN links. Before Windows Server 2003 introduced inter-site replication improvements, multiple domains was a practical bandwidth workaround.
That constraint is gone. Modern replication handles bandwidth through AD Sites and Services configuration — a site topology concern, not a domain design concern.
Multiple domains today add administrative complexity without proportional benefit: each domain needs its own domain controllers, GPO management crosses domain boundaries awkwardly, user authentication can require cross-domain referrals, and trusts between domains introduce their own failure modes.
Unless there is a specific business requirement — regulatory data separation, a strict security boundary between two distinct organizations, or a merger scenario — one domain is the correct answer.
What Is an Organizational Unit (OU)?
An OU is a container inside a domain. You create OUs to organize objects — users, computers, groups — into logical groupings for two specific purposes: applying Group Policy and delegating administrative permissions.
That’s the complete definition of what an OU is for. It’s not a security boundary. It’s not a permissions mechanism. It’s an administrative organization tool.
When you link a Group Policy Object to the Workstations OU, every computer in that OU inherits the policy. When you delegate the “Reset Password” permission to a help desk group on the Users OU, that group can reset passwords for every user in that OU. Those are the two jobs OUs do well.
They don’t do permissions on file shares. They don’t control who has access to a network printer. That’s what security groups are for.
OUs vs Security Groups: A Common Confusion
This is the structural mistake that causes the most ongoing trouble in SMB Active Directory environments. Both OUs and security groups can contain users, which creates the false impression that they’re interchangeable.
| OU | Security Group | |
|---|---|---|
| Purpose | Administration scope | Resource access control |
| Used for | GPO targeting, delegation | File share permissions, printer access, application authorization |
| Membership | Determined by OU placement | Explicit membership assignment |
| In Kerberos token | No | Yes — group SIDs are included at logon |
| Affects resource access | No | Yes — NTFS permissions, share permissions, application ACLs |
A common pattern in inherited AD environments: the Finance team is in a Finance OU, and someone has tried to grant that OU access to the finance file share. The permission assignment appears to work in the GUI — but users report they can’t access the share.
Windows resource permissions are based on security group membership in the Kerberos token. OUs are not included in Kerberos tokens. There is no mechanism for an NTFS permission to reference an OU. The access silently fails — no error, just denied access. The fix is a security group with the same members.
If you’re setting file share permissions, printer permissions, or application access: use security groups. Always. If you’re applying Group Policy to a set of computers: put those computers in an OU and link the GPO to the OU.
The two tools solve different problems. Using one for the other’s job doesn’t fail loudly — it just doesn’t work, which is worse.
Design Recommendation: One Forest, One Domain, Flat OUs
For the majority of SMB and homelab environments, the correct active directory structure is straightforward:
Complexity should come from actual requirements, not from over-engineering the structure because it “might be needed later.” The environments that end up with 12 layers of nested OUs and three domains usually started small and grew organically without a design intent. Rationalizing that structure later is a multi-day project.
Keep OU depth at three levels maximum. Two is better for most environments. Every level you add is another layer of GPO inheritance to debug when a policy stops applying correctly.
For a deeper look at OU hierarchy patterns, delegation models, and GPO scope planning, the Active Directory OU Design guide covers those decisions in full. Microsoft’s OU design guidance for Windows Server also outlines how OU depth affects delegation and Group Policy inheritance.
Protecting OUs From Accidental Deletion
An OU is not a database table with foreign key constraints. Deleting an OU in Active Directory Users and Computers — or via PowerShell — moves all the objects it contained to a “lost and found” container or, without AD Recycle Bin enabled, marks them for garbage collection.
Recovering from accidental OU deletion without AD Recycle Bin enabled means restoring from a domain controller backup. That’s a non-trivial recovery operation on a system that may be authenticating your entire environment.
- Enable deletion protection on every OU immediately after creation:
Set-ADOrganizationalUnit -Identity "OU=Users,DC=corp,DC=local" -ProtectedFromAccidentalDeletion $true - Enable AD Recycle Bin on the forest before it’s needed — recovery is only possible if it was enabled beforehand:
Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "corp.local" - If an OU was deleted and Recycle Bin is enabled:
Get-ADObject -Filter {isDeleted -eq $true -and name -like "OU=*"} -IncludeDeletedObjects | Restore-ADObject - If Recycle Bin was not enabled: restore the most recent domain controller backup, perform an authoritative restore of the deleted container, then replicate
- After recovery, audit OU ACLs — delegation permissions on the restored OU may need to be re-applied
Default OU creation in Active Directory Users and Computers does not enable deletion protection. This should be part of the AD Post-Install Checklist — not a cleanup task.
Verification Commands
After building or inheriting an Active Directory environment, these commands give you a current-state summary of the active directory structure — forest configuration, domain properties, and OU layout. Running these commands when you first log into an unfamiliar domain is standard practice before making any changes.
# Forest summary — name, schema version, forest functional level, domain list
Get-ADForest
# Domain summary — name, PDC emulator, RID master, domain functional level
Get-ADDomain
# List all OUs — full Distinguished Name path shows hierarchy depth
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
# Create a new OU with deletion protection enabled from the start
New-ADOrganizationalUnit `
-Name "Servers" `
-Path "DC=corp,DC=local" `
-ProtectedFromAccidentalDeletion $trueGet-ADForest returns the forest functional level, schema master FSMO role holder, and list of domains — useful when inheriting an environment to understand what you’re working with. Get-ADOrganizationalUnit -Filter * gives the full OU tree as Distinguished Name paths, which shows exactly how deep the structure goes without opening ADUC.
New-ADOrganizationalUnit includes -ProtectedFromAccidentalDeletion $true inline — there’s no reason to create an unprotected OU.
Common Active Directory Structure Mistakes
The active directory structure mistakes below aren’t edge cases — they appear regularly in environments that were deployed without a design review and grew organically.
Too many domains. Adding a child domain or a separate domain for a department is almost never the right call in an SMB environment. It doubles the DC infrastructure requirement and adds a trust relationship that becomes another failure mode to manage. If someone proposes a second domain for administrative separation, the correct answer is a separate OU with delegated permissions — not a new domain.
Deep OU hierarchies. A six-level OU structure that made sense to the engineer who designed it becomes unmaintainable within 12 months of that engineer leaving. GPO inheritance through deep nesting is difficult to audit, and Block Inheritance and Enforced flags scattered through the hierarchy make it worse. Keep it flat.
OUs for permissions. Covered in detail above — this fails silently. When someone reports that “the Finance OU members can’t access the finance share,” the answer is almost always that OUs were used where security groups should be.
No deletion protection. Default OU creation does not enable protection. This is a one-command fix that prevents an hours-long recovery scenario.
Delegation without ACL review. When you delegate permissions on an OU, the delegation writes Access Control Entries to that OU’s security descriptor. Moving OUs, restructuring the hierarchy, or changing group membership later doesn’t automatically clean those ACEs. Privilege drift accumulates silently. Audit OU ACLs when inheriting a domain or restructuring the OU tree.
Frequently Asked Questions
What is the difference between a forest and a domain in Active Directory?
The active directory structure has two distinct container levels above OUs. A forest is the outermost logical boundary — it defines the limits of schema, global catalog, and trust. A domain is contained within a forest and is the boundary for authentication, replication, and Group Policy. Most environments have one forest with one domain inside it. The distinction matters when deciding whether you need more than one domain (you probably don’t) or when operating in a multi-organization environment.
What is an OU in Active Directory?
An Organizational Unit is a container inside a domain used to group objects for administrative purposes. OUs let you apply different Group Policy settings to different groups of objects and delegate specific administrative permissions to specific teams. They are not security boundaries and don’t control resource access — that’s what security groups are for.
Should I use OUs or security groups for permissions?
Security groups, always. OUs don’t appear in a user’s Kerberos authentication token, so Windows resource permissions — file shares, printers, application access — can’t reference OU membership. OUs exist for GPO targeting and delegation scope only. This is not a preference; it’s how the authentication model works.
How many domains does an organization need?
One. Multiple domains exist for mergers requiring structural separation, regulatory requirements mandating distinct identity boundaries, or extremely large organizations with complex constraints. SMB and homelab environments have no operational need for more than one domain. If you’re considering a second domain for administrative reasons, a separate OU with delegated permissions achieves the same result without the overhead.
What is the recommended Active Directory structure for a small business?
The recommended active directory structure for SMB: one forest, one domain, four OUs: Users, Workstations, Servers, Service Accounts. Security groups for all resource permissions. OU deletion protection enabled on all OUs. This structure handles growth cleanly and doesn’t create complexity that outlives the administrator who designed it.
Bottom Line
Most active directory structure problems aren’t design failures — they’re the result of environments that grew without a design. Users ended up in default containers. OUs accumulated without a consistent hierarchy. Permissions were applied to whatever container was convenient at the time.
The correct active directory structure isn’t complicated. What makes it work long-term is applying it from the start: one forest, one domain, a flat OU tree, security groups for access control, and deletion protection on every OU before the first user account lands.
The next step after structure is installation — How to Install Active Directory on Windows Server 2025 covers the deployment from ADDS role installation through forest creation.
Active Directory Series
14 articles — Windows Server 2025 · Forest & Domain · FSMO · GPO · Replication · DNS