A. You can move your DCs, but it's generally frowned upon and you shouldn't.

The Domain Controllers OU has special Group Policy Objects (GPOs) applied that are designed for DCs and it's vital that these GPOs are applied to all DCs. If you move DCs out of the Domain Controllers OU, the GPOs won't be applied correctly. Microsoft warns on its site about exactly this problem:

"IMPORTANT: Do not move any domain controller accounts out of the default Domain Controllers OU, even if some administrators log on to them to perform administrative tasks. Moving these accounts will disrupt the consistent application of domain controller policies to all domains, and is not supported.

In theory, you could create child OUs under the Domain Controllers OU, which would mean the GPOs applied at the Domain Controllers OU would also be applied to the child OUs. You could also just make sure wherever you moved the DCs has all the DC-specific GPOs. There are other problems with moving DCs, however.

  • Microsoft expects DCs to be in the Domain Controllers OU, and you'll have support problems if you move the DCs.
  • Some services and applications (including analysis tools) may only search the Domain Controllers OU for DCs (by examining the GUID_DOMAIN_CONTROLLERS_CONTAINER_W value) and setting a search base of 1. DCs in other OUs wouldn't be found, and not even DCs in a child OU would be found.
  • Exchange breaks if you move DCs from the Domain Controllers OU.
  • Future OS updates will look for DCs in the Domain Controllers OU.
  • The management of the environment will be problematic and troubleshooting will be complex.

Generally, there's no good reason to move them. Most problems that lead people to seek to move their DCs can be solved in better ways.

Related Reading:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.