Difference between revisions of "Active Directory/Overview"

From WolfTech
Previous revision (31 intermediate revisions by the same user not shown):

{{Active_Directory_toc}}__NOTOC__
The WolfTech Active Directory service is offered to all NC State units for use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the services offered.

==User Accounts==
The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are loaded into the WolfTech domain. UnityIDs are synchronized daily. All password changes using the http://www.ncsu.edu/password Password Change site are synchronized in real time.

No user accounts may be created in the Austin domain; however, administrative accounts can be generated in the domain. Any Austin domain user accounts created outside this process may be deleted or disabled without notice. Sponsored accounts and Departmental Accounts may be requested. Staff from the ITS Windows Enterprise Support (WES) will handle the creation of all Active Directory Service user, resource and/or service accounts. Requests should be directed to the Help Desk.

==Authentication==
Users logging in to the WolfTech domain will use their UnityID username/password. Users can synchronize their passwords or reset their passwords using the [http://www.ncsu.edu/password NCSU Password Change] page.

==Non UnityID Accounts==
OU Owners can create, delete and modify non-UnityID accounts within their OUs. However, these accounts must follow the naming conventions laid out in the [[/Naming_Standards|Naming Standards]] section of this website. OU Owners are responsible for all accounts in their department OU.

==Computer Accounts==
When a computer is joined to a domain, a computer account is created in that domain. We recommend that departmental computers be added to the Austin domain by first adding the computer name into the departmental OU using the Active Directory Users and Computers MMC. In order to keep the number of objects in Active Directory under control, the following policies will be followed:

• For computer accounts inside the Computers container: Any computer account in the Computers container for 7 days will be disabled. A computer account in the Computers container that has been disabled for over 7 days will be deleted.

• For computer accounts outside the Computers container: WES will generate a report of all computer accounts that have remained in an inactive state for over 90 days. Administrators of the Organizational Units containing the old accounts will be informed and encouraged to remove them.

==Schema Extensions==
The WolfTech domain schema will not be extended unless the proposed extension will demonstrably benefit the domain as a whole, is supportable and scalable for the enterprise, and will have minimal impact on service delivery. Because schema extensions are not reversible, extensive testing and review of extensions must occur. Requests to extend the WolfTech schema should be emailed to the WolfTech support group.

==Naming Standards==
A naming convention for all computers, groups, organizational units (OUs) and group policy objects (GPOs) will be strictly enforced. This is necessary to maintain a unique namespace in the WolfTech domain, since WINS legacy support requires a flat namespace for interoperability across campus. In addition, a naming convention will simplify administrative tasks and allow for automation scripts. Before you add a computer, group, OU or GPO to Austin, please read the [[/Naming_Standards|Naming Standards]] section of this website.

==Domain Restoration==
Root resources, structures, and data will not be restored except in the event of catastrophic failure of the directory structure. OUs, machines, GPOs, and other directory constructs should be maintained with great care and should be carefully documented, so that errors or omissions at an OU or sub-OU level can be mitigated and rectified.

==Domain Support Model==
WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the [[/Documentation/Update_Policy|WolfTech Update Policy]] and should be sure to review it thoroughly. All central file services, including the domain DFS roots, will also be maintained centrally -- these will be used to provide any university-wide software packages (refer to [[/Software_Packages|Software Packages]] for a complete list of currently available packages).

All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.

WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.

==Windows 2003 Forests and Domains==
The WolfTech Active Directory is a single forest, single domain model.

==Trusts between WolfTech and Other Windows Domains==
For all University of Texas at Austin schools, departments and affiliated units operating other Windows domains, only one-way, non-transitive trusts will be permitted between Austin and the Windows domains. The purpose of such trusts is to facilitate migration of services to the Austin Active Directory domain. Their duration will be based on negotiations between departments and ITS. Two-way trusts between University of Texas at Austin schools, departments and affiliated units will not be established. ITS recommends that no additional production Active Directory forests be established at UT Austin.

Two-way trusts with non-affiliate partners of The University of Texas at Austin must be approved by the Office of the Vice President for Information Technology and the WES team. If it is determined that a security compromise has occurred because of a two-way trust relationship with a partner, then the trust will be immediately terminated. Any two-way trust with a partner shall be reevaluated if the partner chooses to upgrade the Windows domain or at any time as determined by the Office of the Vice President for Information Technology or the WES team.

NOTE: On a Windows computer that is a member of Austin, the "Authenticated Users" built-in group includes accounts from Austin and user accounts from any domain that holds a two-way trust with Austin. Therefore, the "Authenticated Users" group should be used with discretion. If you want to limit permissions on a resource to only users that are affiliated with The University of Texas at Austin, the best practice is to use the "Domain Users" built-in group.

==Roaming Profiles and Individual Logon Scripts==
Because they are very difficult to support within a large domain and to limit network traffic, roaming profiles and logon scripts assigned to individual users are not supported within the WolfTech domain. Active Directory provides other advanced features such as group policies and folder redirection to define the user environment.

==Support Mailing List==
Technical support personnel with administrative privileges are required to subscribe to the '''wolftech-ad@lists.ncsu.edu''' mailing list, as it is the primary communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the '''activedirectory@lists.ncsu.edu''' list be maintained as well due to its use for campus wide Active Directory issues.

==Service Level==
The WolfTech Active Directory domain architecture is designed to provide continuous service delivery without interruption or impact due to maintenance or hardware failure. In the event of a service interruption or modification, recovery procedures will be implemented, including notification and resolution.

Latest revision as of 16:29, 4 August 2010

The WolfTech Active Directory service is offered to all NC State units for use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the service offered.

User Accounts

The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are maintained in the WolfTech domain. UnityIDs are synchronized daily.

Workshop Accounts

We are populating the OIT Workshop Accounts (tmp00001 through tmp02000). When your users change their passwords via http://www.ncsu.edu/password, the appropriate AD account will be updated.

Everyone will need to be careful to remove these accounts from security groups once you’re done with them as they’ll be recycled to others, and we, unfortunately, have no way to track or group these accounts reliably.
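Because the tmp accounts are recycled and the central organization cannot group them, the cleanup above has to be done by each OU admin. The following script is an added example, not part of the WolfTech wiki: it walks every security group under a departmental OU, reports any tmp00001 through tmp02000 member, and removes those memberships only when -Remove is given. The OU distinguished name is an assumed placeholder; it needs the ActiveDirectory PowerShell module and rights over the groups in that OU.

```powershell
# Added example, not from the WolfTech wiki: report (and optionally remove) OIT
# workshop accounts tmp00001-tmp02000 that are still members of security groups
# under a departmental OU. $OuPath is an assumed placeholder.
param(
    [string]$OuPath = 'OU=ExampleDept,DC=wolftech,DC=ad,DC=ncsu,DC=edu',  # assumed placeholder DN
    [switch]$Remove   # report-only by default; pass -Remove to strip the memberships
)
Import-Module ActiveDirectory

function Test-WorkshopAccount {
    # True only for tmp00001..tmp02000; anchored so that a departmental account that
    # merely starts with "tmp" is never touched.
    param([string]$SamAccountName)
    $m = [regex]::Match($SamAccountName, '^tmp(\d{5})$', 'IgnoreCase')
    if (-not $m.Success) { return $false }
    $n = [int]$m.Groups[1].Value
    return ($n -ge 1 -and $n -le 2000)
}

$findings = New-Object System.Collections.Generic.List[object]

# Only security groups matter: a distribution group grants no access.
$groups = Get-ADGroup -SearchBase $OuPath -SearchScope Subtree -Filter 'GroupCategory -eq "Security"'
foreach ($group in $groups) {
    # Direct members only; a workshop account nested through another group belongs
    # to whoever owns that inner group and is found when that group is scanned.
    foreach ($member in (Get-ADGroupMember -Identity $group.DistinguishedName)) {
        if ($member.objectClass -ne 'user') { continue }
        if (-not (Test-WorkshopAccount $member.SamAccountName)) { continue }

        $findings.Add([pscustomobject]@{ Group = $group.Name; Account = $member.SamAccountName })
        if ($Remove) {
            Remove-ADGroupMember -Identity $group.DistinguishedName -Members $member -Confirm:$false
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No workshop accounts found in security groups under $OuPath"
} else {
    $findings | Sort-Object Group, Account | Format-Table -AutoSize
    if (-not $Remove) { Write-Output 'Report only; re-run with -Remove to strip these memberships.' }
}
```

Run it report-only first at the end of each workshop, then with -Remove once the list looks right.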

Authentication

Users log in to the WolfTech domain with their UnityID username/password. They can synchronize or reset their passwords using the regular NCSU Password Change page. All password changes are synchronized in real time.

Non UnityID Accounts

OU Admins can create, delete and modify non-UnityID accounts within their OUs. However, these accounts must follow the naming conventions laid out in the Naming Standards section of this website. OU Admins are responsible for all accounts in their department OU.

Computer Accounts

Whenever an OU Admin joins a computer to the domain, a computer account is created.

We recommend that OU Admins either create the computer account during the Remote Installation Services (RIS) install of the computer, specifying their OU, or prestage their computer accounts within their OU structure.

OU Admins are asked to keep the Computers container empty and have been delegated the permissions needed to move any computer accidentally created there to their own OU.
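An added example, not part of the WolfTech wiki, of the housekeeping described in this section: it lists computer accounts that ended up in the domain's default Computers container, moves the ones carrying a department's name prefix into that department's OU when -Move is given, and reports accounts in the OU that have not logged on for a while (90 days here, the figure used in the earlier inactive-account report). The OU distinguished name and name prefix are assumed placeholders; it needs the ActiveDirectory PowerShell module.

```powershell
# Added example, not from the WolfTech wiki: find stray computer accounts in the
# default Computers container, move a department's own into its OU, and flag stale
# accounts inside the OU. $TargetOu and $NamePrefix are assumed placeholders.
param(
    [string]$TargetOu   = 'OU=Computers,OU=ExampleDept,DC=wolftech,DC=ad,DC=ncsu,DC=edu',
    [string]$NamePrefix = 'EXD-',   # assumed: whatever the naming standard assigns the department
    [int]$StaleDays     = 90,
    [switch]$Move                   # report-only unless -Move is given
)
Import-Module ActiveDirectory

# CN=Computers is a container, not an OU, so no GPO links apply there: a machine left
# in it receives none of the departmental policy until someone moves it.
$defaultContainer = (Get-ADDomain).ComputersContainer

$strays = Get-ADComputer -SearchBase $defaultContainer -SearchScope OneLevel -Filter * -Properties whenCreated |
          Where-Object { $_.Name -like "$NamePrefix*" }

foreach ($c in $strays) {
    Write-Output ("Stray: {0} (created {1:yyyy-MM-dd})" -f $c.Name, $c.whenCreated)
    if ($Move) {
        try {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOu
            Write-Output "  moved to $TargetOu"
        } catch {
            # Usually an OU admin who has not been delegated rights on the container.
            Write-Warning "  could not move $($c.Name): $($_.Exception.Message)"
        }
    }
}

# Stale accounts inside the OU: candidates for the OU admin to disable and later delete.
# Prestaged accounts that have never joined show as 'never' so they can be judged separately.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-ADComputer -SearchBase $TargetOu -SearchScope Subtree -Filter * -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Sort-Object LastLogonDate |
    Select-Object Name, Enabled,
        @{ n = 'LastLogon'; e = { if ($_.LastLogonDate) { $_.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' } } } |
    Format-Table -AutoSize
```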

Naming Standards

The WolfTech domain follows a naming standard for all computer and user accounts, groups, GPOs, and OUs. Details of the standard are available at the Naming Standards section of this website. Following the standard will prevent any interoperability issues within the domain, and allows for automation of many administrative tasks. All OU Admins must read and follow these standards.

Windows 2008 Forests and Domains

The WolfTech Active Directory is based on a single forest, single domain model.

Domain Support Model

WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the WSUS Policies and should be sure to review them thoroughly. All central file services, including the domain DFS roots, will also be maintained centrally -- these will be used to provide any university-wide software packages (refer to Software Packages for a complete list of currently available packages).

All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.

WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.

Domain Restoration

Backups of all critical WolfTech data occur daily. However, due to the complexity, impact to service, and time required to make any restoration, these backups will only be used in the event of a domain-wide catastrophic failure. Every OU Admin should maintain records of their OUs, GPOs, groups, computer and user accounts with the utmost care. Detailed documentation of these resources is highly recommended should the OU Admin need to recreate any portion of their OU structure.

Schema Extensions

Schema extensions are not to be taken lightly as they cannot be reversed. Any proposed extension must be reviewed and shown to offer improvements for the domain as a whole, or at the very least, not negatively impact the rest of the domain users. Rigorous examination and testing must occur to ensure the stability of the WolfTech domain. All requests to extend the domain schema should be sent to the WolfTech support group.

Trusts between WolfTech and Other NC State Windows Domains

Only one-way, non-transitive trusts will be permitted between WolfTech and other Windows domains. The intention of any one-way trust is to allow for the migration from other NC State domains to the central WolfTech domain. Once completed, the trust is removed -- the timeframe of these migrations will be determined at the time of creation.

Two-way trusts between WolfTech and other forests/domains at NC State will not be established unless a strong technical need is determined by the domain administrators.
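Since trusts here are meant to be one-way, non-transitive and temporary, it is worth checking periodically that the configured trusts still match. The following is an added example, not part of the WolfTech wiki: it reads every trust the domain holds and flags any that is two-way, transitive, or not on the list of known in-progress migrations. The partner list is an assumed placeholder; it needs the ActiveDirectory PowerShell module.

```powershell
# Added example, not from the WolfTech wiki: compare configured trusts against the
# stated policy (one-way, non-transitive, migration-only). $MigrationPartners is an
# assumed placeholder list of domains with an agreed migration in progress.
param(
    [string[]]$MigrationPartners = @('olddept.example.ncsu.edu')   # assumed placeholder
)
Import-Module ActiveDirectory

# TRUST_ATTRIBUTE_NON_TRANSITIVE bit of the trustAttributes attribute.
$NonTransitive = 0x1

function Test-TrustPolicy {
    # Returns the list of policy problems for one trust; empty means compliant.
    param($Trust)
    $problems = @()
    if ($Trust.Direction -eq 'BiDirectional')                    { $problems += 'two-way' }
    if (($Trust.TrustAttributes -band $NonTransitive) -eq 0)     { $problems += 'transitive' }
    if ($Trust.ForestTransitive)                                  { $problems += 'forest-transitive' }
    if ($Trust.Name -notin $MigrationPartners)                    { $problems += 'not a known migration partner' }
    return ,$problems
}

foreach ($t in (Get-ADTrust -Filter *)) {
    $problems = Test-TrustPolicy $t
    $status = if ($problems.Count -eq 0) { 'OK' } else { 'POLICY VIOLATION: ' + ($problems -join ', ') }
    Write-Output ("{0,-40} {1,-14} {2}" -f $t.Name, $t.Direction, $status)
}
```

A trust still listed after its migration has finished is the case this is meant to catch, since the policy says the trust is removed once the migration completes.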

Roaming Profiles and Individual Logon Scripts

The goal of the WolfTech domain is to maximize the control of each department over their constituents. As a part of this design, we strive to minimize the central organization's impact on user accounts (which must be maintained centrally). Key to this effort is the lack of support for roaming profiles and individual login scripts.

These elements of Active Directory user accounts can only be set by the central organization (and only set once) and greatly limit the users' experience on the domain. In addition to the increased difficulty these services add within a large, distributed domain, they increase network traffic, delay logins, and have traditionally been the cause of many issues here at NC State.

Active Directory provides other advanced features such as group policies and folder redirection to define the user environment, and these can be customized by each department however they wish. Refer to the Documentation page for details.

Support Mailing List

OU Admins are required to subscribe to the wolftech-ad@lists.ncsu.edu mailing list, as it is our main communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the activedirectory@lists.ncsu.edu list be maintained as well due to its use for campus-wide Active Directory issues.

Service Level

The WolfTech Active Directory domain architecture has been specifically designed to provide continuous, redundant service to its member organizations. No impact should be seen as a part of daily maintenance or due to unexpected hardware failure.

Should service be compromised, recovery procedures will be initiated -- including identification of the issue, notification of the affected OU Admins, and the implementation of solutions to the problem.

Critical infrastructure has been placed on both NC State campuses to meet Disaster Recovery standards, and it should be noted that as of the writing of this article, the WolfTech domain remained the only domain on campus to pass (with flying colors I might add) review by the NC State Auditors.