Difference between revisions of "Active Directory/Overview"

From WolfTech
Jump to navigation Jump to search
m (New page: do soon... eliminate BENEFITS)
 
 
(34 intermediate revisions by the same user not shown)
Line 1: Line 1:
do soon... eliminate BENEFITS
+
{{Active_Directory_toc}}__NOTOC__
 +
The WolfTech Active Directory service is offered to all NC State units for use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the service offered.
 +
 
 +
==User Accounts==
 +
The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are maintained in the WolfTech domain. UnityIDs are synchronized daily.
 +
 
 +
==Workshop Accounts==
 +
We are populating the OIT Workshop Accounts (tmp00001 through tmp02000). When your users change their passwords via http://www.ncsu.edu/password, the appropriate AD account will be updated.
 +
 
 +
Everyone will need to be careful to remove these accounts from security groups once you’re done with them as they’ll be recycled to others, and we, unfortunately, have no way to track or group these accounts reliably.
 +
 
 +
==Authentication==
 +
Users logs in to the WolfTech domain with their UnityID username/password. Users can synchronize their passwords or reset their passwords using the regular [http://www.ncsu.edu/password NCSU Password Change] page. All password changes are syncronized in real time.
 +
 
 +
==Non UnityID Accounts==
 +
OU Admins can create, delete and modify non-UnityID account within their OUs. However, these accounts must follow the naming conventions layed out in the [[Active_Directory/Naming_Standards|Naming Standards]] section of this website. OU Admins are responsible for all accounts in their department OU.
 +
 
 +
==Computer Accounts==
 +
Whenever an OU Admin joins a computer to the domain, a computer account is created.
 +
 
 +
We recommend that OU Admins either create the computer account during the Remote Installation (RIS) of the computer, specifying their OU, or to prestage their computer accounts within their OU structure.
 +
 
 +
OU Admins are asked to keep the Computers container empty and have been delegated the permissions needed to move any computer accidentally created there to their own OU.
 +
 
 +
==Naming Standards==
 +
The WolfTech domain follows a naming standard for all computer and user accounts, groups, GPOs, and OUs. Details of the standard are available at the [[Active_Directory/Naming_Standards|Naming Standards]] section of this website. Following the standard will prevent any interoperability issues within the domain, and allows for automation of many administrative tasks. All OU Admins must read and follow these standards.
 +
 
 +
==Windows 2008 Forests and Domains==
 +
The WolfTech Active Directory is based on a single forest, single domain model.
 +
 
 +
==Domain Support Model==
 +
WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the [[Active_Directory/Service_Groups#WSUS_Service_Group|WSUS Policies]] and should be sure to review it thoroughly. All central file services, including the domain DFS roots will also be maintained centrally -- these will be used to provide any university wide software packages (refer to [[Active_Directory/Software_Packages|Software Packages]] for a complete list of currently available packages).
 +
 
 +
All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.
 +
 
 +
WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.
 +
 
 +
==Domain Restoration==
 +
Backups of all critical WolfTech data occur daily. However, due to the complexity, impact to service, and time required to make any restoration, these backups will only be used in the event of a domain-wide catastrophic failure. Every OU Admin should maintain records of their OUs, GPOs, groups, computer and user accounts with the upmost care. Detailed documentation of these resources is highly recommended should the OU Admin need to recreate any portion of their OU structure.
 +
 
 +
==Schema Extensions==
 +
Schema extensions are not to be taken lightly as they cannot be reversed. Any proposed extension must be reviewed and shown to offer improvements for the domain as a whole, or at the very least, not negatively impact the rest of the domain users. Rigerous examination and testing must occur to ensure the stability of the WolfTech domain. All requests to extend the domain schema should be sent to the WolfTech support group.
 +
 
 +
==Trusts between WolfTech and Other NC State Windows Domains==
 +
Only one-way, non-transitive trusts will be permitted between WolfTech and other Windows domains. The intention of any one-way trust is to allow for the migration from other NC State domains to the central WolfTech domain. Once completed, the trust is removed -- the timeframe of these migrations will be determined at the time of creation.
 +
 
 +
Two-way trusts between WolfTech and other forests/domains at NC State will not be established unless a strong technical need is determined by the domain adminstrators.
 +
 
 +
==Roaming Profiles and Individual Logon Scripts==
 +
The goal of the WolfTech domain is to maximize the control of each department over their constituents. As a part of this design, we strive to minimize the central organization's impact on user accounts (which must be maintained centrally). Key to this effort is the lack of support for roaming profiles and individual login scripts.
 +
 
 +
These elements of Active Directory user accounts can only be set by the central organization (and only set once) and greatly limit the users' experience upon the domain. In addition to the increased difficulty these services add within a large, distributed domain, they increase network traffic, delay logins, and have traditionally been the cause of many issues here at NC State.
 +
 
 +
Active Directory provides other advanced features such as group policies and folder redirection to define the user environment, and these can be customized by each department however they wish. Refer to the [[Active_Directory/Documentation|Documentation]] page for details.
 +
 
 +
==Support Mailing List==
 +
OU Admins are required to subscribe to the '''wolftech-ad@lists.ncsu.edu''' mailing list, as it our main communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the '''activedirectory@lists.ncsu.edu''' list be maintained as well due to its use for campus wide Active Directory issues.
 +
 
 +
==Service Level==
 +
The WolfTech Active Directory domain architecture has been specifically designed to provide continuous, redundant service to its member organizations. No impact should be seen as a part of daily maintenance or due to unexpected hardware failure.
 +
 
 +
Should service be compromised, recovery procedures will be initiated -- including identification of the issue, notification of the affected OU Admins, and the implementation of solutions to the problem.
 +
 
 +
Critical infrastructure has been placed on both NC State campuses to meet Disastery Recovery standards, and it should be noted that as of the writing of this article, the WolfTech domain remained the only domain on campus to pass (with flying colors I might add) review by the NC State Auditers.

Latest revision as of 15:29, 4 August 2010

The WolfTech Active Directory service is offered to all NC State units for use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the service offered.

User Accounts

The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are maintained in the WolfTech domain. UnityIDs are synchronized daily.

Workshop Accounts

We are populating the OIT Workshop Accounts (tmp00001 through tmp02000). When your users change their passwords via http://www.ncsu.edu/password, the appropriate AD account will be updated.

Everyone will need to be careful to remove these accounts from security groups once you’re done with them as they’ll be recycled to others, and we, unfortunately, have no way to track or group these accounts reliably.

Authentication

Users logs in to the WolfTech domain with their UnityID username/password. Users can synchronize their passwords or reset their passwords using the regular NCSU Password Change page. All password changes are syncronized in real time.

Non UnityID Accounts

OU Admins can create, delete and modify non-UnityID account within their OUs. However, these accounts must follow the naming conventions layed out in the Naming Standards section of this website. OU Admins are responsible for all accounts in their department OU.

Computer Accounts

Whenever an OU Admin joins a computer to the domain, a computer account is created.

We recommend that OU Admins either create the computer account during the Remote Installation (RIS) of the computer, specifying their OU, or to prestage their computer accounts within their OU structure.

OU Admins are asked to keep the Computers container empty and have been delegated the permissions needed to move any computer accidentally created there to their own OU.

Naming Standards

The WolfTech domain follows a naming standard for all computer and user accounts, groups, GPOs, and OUs. Details of the standard are available at the Naming Standards section of this website. Following the standard will prevent any interoperability issues within the domain, and allows for automation of many administrative tasks. All OU Admins must read and follow these standards.

Windows 2008 Forests and Domains

The WolfTech Active Directory is based on a single forest, single domain model.

Domain Support Model

WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the WSUS Policies and should be sure to review it thoroughly. All central file services, including the domain DFS roots will also be maintained centrally -- these will be used to provide any university wide software packages (refer to Software Packages for a complete list of currently available packages).

All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.

WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.

Domain Restoration

Backups of all critical WolfTech data occur daily. However, due to the complexity, impact to service, and time required to make any restoration, these backups will only be used in the event of a domain-wide catastrophic failure. Every OU Admin should maintain records of their OUs, GPOs, groups, computer and user accounts with the upmost care. Detailed documentation of these resources is highly recommended should the OU Admin need to recreate any portion of their OU structure.

Schema Extensions

Schema extensions are not to be taken lightly as they cannot be reversed. Any proposed extension must be reviewed and shown to offer improvements for the domain as a whole, or at the very least, not negatively impact the rest of the domain users. Rigerous examination and testing must occur to ensure the stability of the WolfTech domain. All requests to extend the domain schema should be sent to the WolfTech support group.

Trusts between WolfTech and Other NC State Windows Domains

Only one-way, non-transitive trusts will be permitted between WolfTech and other Windows domains. The intention of any one-way trust is to allow for the migration from other NC State domains to the central WolfTech domain. Once completed, the trust is removed -- the timeframe of these migrations will be determined at the time of creation.

Two-way trusts between WolfTech and other forests/domains at NC State will not be established unless a strong technical need is determined by the domain adminstrators.

Roaming Profiles and Individual Logon Scripts

The goal of the WolfTech domain is to maximize the control of each department over their constituents. As a part of this design, we strive to minimize the central organization's impact on user accounts (which must be maintained centrally). Key to this effort is the lack of support for roaming profiles and individual login scripts.

These elements of Active Directory user accounts can only be set by the central organization (and only set once) and greatly limit the users' experience upon the domain. In addition to the increased difficulty these services add within a large, distributed domain, they increase network traffic, delay logins, and have traditionally been the cause of many issues here at NC State.

Active Directory provides other advanced features such as group policies and folder redirection to define the user environment, and these can be customized by each department however they wish. Refer to the Documentation page for details.

Support Mailing List

OU Admins are required to subscribe to the wolftech-ad@lists.ncsu.edu mailing list, as it our main communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the activedirectory@lists.ncsu.edu list be maintained as well due to its use for campus wide Active Directory issues.

Service Level

The WolfTech Active Directory domain architecture has been specifically designed to provide continuous, redundant service to its member organizations. No impact should be seen as a part of daily maintenance or due to unexpected hardware failure.

Should service be compromised, recovery procedures will be initiated -- including identification of the issue, notification of the affected OU Admins, and the implementation of solutions to the problem.

Critical infrastructure has been placed on both NC State campuses to meet Disastery Recovery standards, and it should be noted that as of the writing of this article, the WolfTech domain remained the only domain on campus to pass (with flying colors I might add) review by the NC State Auditers.