Difference between revisions of "Active Directory/Overview"
m |
m |
||
| Line 1: | Line 1: | ||
{{Active_Directory_toc}} | {{Active_Directory_toc}} | ||
| − | + | The WolfTech Active Directory service is offered to all NC State unit for the use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the services offered. | |
| + | |||
| + | ==User Accounts== | ||
| + | The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are loaded into the WolfTech domain. UnityIDs are synchronized daily. All password changes using the http://www.ncsu.edu/password Password Change site are syncronized in real time. | ||
| + | |||
| + | No user accounts may be created in the Austin domain; however, administrative accounts can be generated in the domain. Any Austin domain user accounts created outside this process may be deleted or disabled without notice. Sponsored accounts and Departmental Accounts may be requested. Staff from the ITS Windows Enterprise Support (WES) will handle the creation of all Active Directory Service user, resource and/or service accounts . Requests should be directed to the Help Desk. | ||
| + | |||
| + | ==Authentication== | ||
| + | Users logging in to the WolfTech domain will use their UnityID username/password. Users can synchronize their passwords or reset their passwords using the [http://www.ncsu.edu/password NCSU Password Change] page. | ||
| + | |||
| + | ==Non UnityID Accounts== | ||
| + | OU Owners can create, delete and modify non-UnityID account within their OUs. However, these accounts must follow the naming conventions layed out in the [[/Naming_Standards|Naming Standards]] section of this website. OU Owners are responsible for all accounts in their department OU. | ||
| + | |||
| + | ==Computer Accounts== | ||
| + | When a computer is joined to a domain, a computer account is created in that domain. We recommend that the departmental computers be added to the Austin domain by first adding the computer name into the departmental OU using Active Directory Users and Computers MMC. In order to keep the number of objects in Active Directory under control the following policies will be followed: | ||
| + | • For computer accounts inside the Computers container: Any computer account in the Compute container for 7 days will be disabled. A disabled computer account in the Computer container that is disabled for over 7 days will be deleted. | ||
| + | • For computer accounts outside the Computers container: WES will generate a report of all computer accounts that have remained in an inactive state for over 90 days. Administrators of the Organizational Units containing the old accounts will be informed and encouraged to remove them. | ||
| + | |||
| + | ==Schema Extensions= | ||
| + | The WolfTech domain schema will not be extended unless the proposed extension will demonstrably benefit the domain as a whole, is supportable and scalable for the enterprise, and will have minimal impact on service delivery. Because schema extensions are not reversible, extensive testing and review of extensions must occur. Requests to extend the WolfTech schema should be emailed to the WolfTech support group. | ||
| + | |||
| + | ==Naming Standards== | ||
| + | A naming convention for all computers, groups, organizational units (OUs) and group policy objects (GPOs) will be strictly enforced. This is necessary to maintain a unique namespace in the WolfTech domain, since WINS legacy support requires a flat namespace for interoperability across campus. In addition, a naming convention will simplify administrative tasks and allow for automation scripts. Before you add a computer, group, OU or GPO to Austin, please read the [[/Naming_Standards|Naming Standards]] section of this website. | ||
| + | |||
| + | ==Domain Restoration== | ||
| + | Root resources, structures, and data will not be restored except in the event of catastrophic failure of the directory structure. OUs, machines, GPOs, and other directory constructs should be maintained with great care and should be carefully documented, so that errors or omissions at an OU or sub-OU level can be mitigated and rectified. | ||
| + | |||
| + | ==Domain Support Model== | ||
| + | WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the [[/Documentation/Update_Policy|WolfTech Update Policy]] and should be sure to review it thoroughly. All central file services, including the domain DFS roots will also be maintained centrally -- these will be used to provide any university wide software packages (refer to [[/Software_Packages|Software Packages]] for a complete list of currently available packages). | ||
| + | |||
| + | All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose. | ||
| + | |||
| + | WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator. | ||
| + | |||
| + | ==Windows 2003 Forests and Domains== | ||
| + | The WolfTech Active Directory is a single forest, single domain model. | ||
| + | |||
| + | ==Trusts between WolfTech and Other Windows Domains== | ||
| + | For all University of Texas at Austin schools, departments and affiliated units operating other Windows domains, only one-way, non-transitive trusts will be permitted between Austin and the Windows domains. The purpose of such trusts is to facilitate migration of services to the Austin Active Directory domain. Their duration will be based on negotiations between departments and ITS. Two-way trusts between University of Texas at Austin schools, departments and affiliated units will not be established. ITS recommends that no additional production Active Directory forests be established at UT Austin. | ||
| + | Two-way trusts with non-affiliate partners of The University of Texas at Austin must be approved by the Office of the Vice President for Information Technology and the WES team. If it is determined that a security compromise has occurred because of a two-way trust relationship with a partner, then the trust will be immediately terminated. Any two-way trust with a partner shall be reevaluated if the partner chooses to upgrade the Windows domain or at any time as determined by the Office of the Vice President for Information Technology or the WES team. | ||
| + | NOTE: On a Windows computer that is a member of Austin, the "Authenticated Users" built-in group includes accounts from Austin and user accounts from any domain that holds a two-way trust with Austin. Therefore, the "Authenticated Users" group should be used with discretion. If you want to limit permissions on a resource to only users that are affiliated with The University of Texas at Austin, the best practice is to use the "Domain Users" built-in group. | ||
| + | |||
| + | ==Roaming Profiles and Individual Logon Scripts== | ||
| + | Because they are very difficult to support within a large domain and to limit network traffic, roaming profiles and logon scripts assigned to individual users are not supported within the WolfTech domain. Active Directory provides other advanced features such as group policies and folder redirection to define the user environment. | ||
| + | |||
| + | ==Support Mailing List== | ||
| + | Technical support personnel with administrative privileges are required to subscribe to the '''wolftech-ad@lists.ncsu.edu''' mailing list, as it is the primary communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the '''activedirectory@lists.ncsu.edu''' list be maintained as well due to its use for campus wide Active Directory issues. | ||
| + | |||
| + | ==Service Level== | ||
| + | The WolfTech Active Directory domain architecture is designed to provide continuous service delivery without interruption or impact due to maintenance or hardware failure. In the event of a service interruption or modification, recovery procedures will be implemented, including notification and resolution. | ||
Revision as of 18:04, 22 September 2007
The WolfTech Active Directory service is offered to all NC State unit for the use in managing their Microsoft Windows environment. The following policies should help to provide an overview of the services offered.
User Accounts
The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University are loaded into the WolfTech domain. UnityIDs are synchronized daily. All password changes using the http://www.ncsu.edu/password Password Change site are syncronized in real time.
No user accounts may be created in the Austin domain; however, administrative accounts can be generated in the domain. Any Austin domain user accounts created outside this process may be deleted or disabled without notice. Sponsored accounts and Departmental Accounts may be requested. Staff from the ITS Windows Enterprise Support (WES) will handle the creation of all Active Directory Service user, resource and/or service accounts . Requests should be directed to the Help Desk.
Authentication
Users logging in to the WolfTech domain will use their UnityID username/password. Users can synchronize their passwords or reset their passwords using the NCSU Password Change page.
Non UnityID Accounts
OU Owners can create, delete and modify non-UnityID account within their OUs. However, these accounts must follow the naming conventions layed out in the Naming Standards section of this website. OU Owners are responsible for all accounts in their department OU.
Computer Accounts
When a computer is joined to a domain, a computer account is created in that domain. We recommend that the departmental computers be added to the Austin domain by first adding the computer name into the departmental OU using Active Directory Users and Computers MMC. In order to keep the number of objects in Active Directory under control the following policies will be followed: • For computer accounts inside the Computers container: Any computer account in the Compute container for 7 days will be disabled. A disabled computer account in the Computer container that is disabled for over 7 days will be deleted. • For computer accounts outside the Computers container: WES will generate a report of all computer accounts that have remained in an inactive state for over 90 days. Administrators of the Organizational Units containing the old accounts will be informed and encouraged to remove them.
=Schema Extensions
The WolfTech domain schema will not be extended unless the proposed extension will demonstrably benefit the domain as a whole, is supportable and scalable for the enterprise, and will have minimal impact on service delivery. Because schema extensions are not reversible, extensive testing and review of extensions must occur. Requests to extend the WolfTech schema should be emailed to the WolfTech support group.
Naming Standards
A naming convention for all computers, groups, organizational units (OUs) and group policy objects (GPOs) will be strictly enforced. This is necessary to maintain a unique namespace in the WolfTech domain, since WINS legacy support requires a flat namespace for interoperability across campus. In addition, a naming convention will simplify administrative tasks and allow for automation scripts. Before you add a computer, group, OU or GPO to Austin, please read the Naming Standards section of this website.
Domain Restoration
Root resources, structures, and data will not be restored except in the event of catastrophic failure of the directory structure. OUs, machines, GPOs, and other directory constructs should be maintained with great care and should be carefully documented, so that errors or omissions at an OU or sub-OU level can be mitigated and rectified.
Domain Support Model
WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the WolfTech Update Policy and should be sure to review it thoroughly. All central file services, including the domain DFS roots will also be maintained centrally -- these will be used to provide any university wide software packages (refer to Software Packages for a complete list of currently available packages).
All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.
WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.
Windows 2003 Forests and Domains
The WolfTech Active Directory is a single forest, single domain model.
Trusts between WolfTech and Other Windows Domains
For all University of Texas at Austin schools, departments and affiliated units operating other Windows domains, only one-way, non-transitive trusts will be permitted between Austin and the Windows domains. The purpose of such trusts is to facilitate migration of services to the Austin Active Directory domain. Their duration will be based on negotiations between departments and ITS. Two-way trusts between University of Texas at Austin schools, departments and affiliated units will not be established. ITS recommends that no additional production Active Directory forests be established at UT Austin. Two-way trusts with non-affiliate partners of The University of Texas at Austin must be approved by the Office of the Vice President for Information Technology and the WES team. If it is determined that a security compromise has occurred because of a two-way trust relationship with a partner, then the trust will be immediately terminated. Any two-way trust with a partner shall be reevaluated if the partner chooses to upgrade the Windows domain or at any time as determined by the Office of the Vice President for Information Technology or the WES team. NOTE: On a Windows computer that is a member of Austin, the "Authenticated Users" built-in group includes accounts from Austin and user accounts from any domain that holds a two-way trust with Austin. Therefore, the "Authenticated Users" group should be used with discretion. If you want to limit permissions on a resource to only users that are affiliated with The University of Texas at Austin, the best practice is to use the "Domain Users" built-in group.
Roaming Profiles and Individual Logon Scripts
Because they are very difficult to support within a large domain and to limit network traffic, roaming profiles and logon scripts assigned to individual users are not supported within the WolfTech domain. Active Directory provides other advanced features such as group policies and folder redirection to define the user environment.
Support Mailing List
Technical support personnel with administrative privileges are required to subscribe to the wolftech-ad@lists.ncsu.edu mailing list, as it is the primary communication method on matters concerning the WolfTech Active Directory domain. It is advised that subscriptions to the activedirectory@lists.ncsu.edu list be maintained as well due to its use for campus wide Active Directory issues.
Service Level
The WolfTech Active Directory domain architecture is designed to provide continuous service delivery without interruption or impact due to maintenance or hardware failure. In the event of a service interruption or modification, recovery procedures will be implemented, including notification and resolution.