how do i go about implementing a design based on this requirement Active Directory Design . You are concerned about sensitive data store in this location. You want to deploy a highly developed OU structure to implement security policies uniformly through GPO automatically at all domains, OU, and workstations. At this location Windows Server 2016 is required providing the following AD features: Use BitLocker encryption technology for devices (server and Work station) disc space and volume. Enables a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2016 networks), reducing internal help desk call volumes for lost PINs. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Enable BranchCache in Windows Server 2016 for substantial performance, manageability, scalability, and availability improvements Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies. Implement Failover cluster services Implement File classification infrastructure feature to provide automatic classification process. IP Address Management (IPAM) is an entirely new feature in Windows Server 2016 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources. Implement Windows Deployment Services to enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation. Deliverables Deliverables Create Active directory infrastructure to include recommended features Create OU level for users and devices in their respective OU Create Global, Universal, Local group.. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of least privileged principle. (For design purpose, you can assume that WTC as a Single Forest with multiple domains). Create appropriate GPO and GPO policies and determine where they will be applied.