Active Directory/Overview

From WolfTech
Revision as of 18:25, 22 September 2007 by Djgreen (talk | contribs)

The WolfTech Active Directory service is offered to all NC State units for use in managing their Microsoft Windows environment. The following policies provide an overview of the services offered.

User Accounts

The UnityID username/password information for all active students, faculty and staff of the academic units here at NC State University is loaded into the WolfTech domain. UnityIDs are synchronized daily. All password changes made through the http://www.ncsu.edu/password Password Change site are synchronized in real time.

Authentication

Users logging in to the WolfTech domain will use their UnityID username/password. Users can synchronize their passwords or reset their passwords using the NCSU Password Change page.

Non UnityID Accounts

OU Admins can create, delete and modify non-UnityID accounts within their OUs. However, these accounts must follow the naming conventions laid out in the Naming Standards section of this website. OU Admins are responsible for all accounts in their department OU.

Computer Accounts

When a computer is joined to a domain, a computer account is created in that domain. We recommend that the departmental computers be added to the WolfTech domain by first adding the computer name into the departmental OU using the Active Directory Users and Computers MMC.

In order to keep the number of objects in Active Directory under control the following policies will be followed:

  • For computer accounts inside the Computers container: Any computer account that has remained in the Computers container for 7 days will be disabled. A computer account in the Computers container that has been disabled for over 7 days will be deleted.
  • For computer accounts outside the Computers container: WolfTech will generate a report of all computer accounts that have remained in an inactive state for over 90 days. OU Administrators of the Organizational Units containing the old accounts will be informed and encouraged to remove them.
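The two rules above as an audit script, written for this page as an added example and not WolfTech's own tooling. It assumes the ActiveDirectory PowerShell module on a domain-joined admin session, reports only (the enforcement lines are left commented), and treats whenChanged as an approximation of the date an account was disabled, since AD keeps no dedicated "disabled since" timestamp.

```powershell
# Audit computer accounts against the lifecycle policy. Added example; assumes the
# ActiveDirectory module. Only prints findings; enforcement stays commented out.
Import-Module ActiveDirectory

$now         = Get-Date
$computersCn = (Get-ADDomain).ComputersContainer   # the default Computers container

# Rule 1: accounts left in the Computers container (7 days -> disable, 7 more -> delete).
# Assumption: whenChanged approximates when a disabled account was disabled.
$parked = Get-ADComputer -SearchBase $computersCn -SearchScope OneLevel -Filter * `
          -Properties whenCreated, whenChanged
foreach ($c in $parked) {
    $ageDays      = [int]($now - $c.whenCreated).TotalDays
    $disabledDays = [int]($now - $c.whenChanged).TotalDays
    if ($c.Enabled -and $ageDays -gt 7) {
        "DISABLE  $($c.Name): in Computers container for $ageDays days"
        # Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
    }
    elseif (-not $c.Enabled -and $disabledDays -gt 7) {
        "DELETE   $($c.Name): disabled for about $disabledDays days"
        # Remove-ADComputer -Identity $c.DistinguishedName -Confirm:$false -WhatIf
    }
}

# Rule 2: accounts outside the Computers container inactive for over 90 days,
# grouped by parent OU so each OU admin receives only their own list.
# lastLogonTimestamp replicates lazily (14 days by default), so "inactive" here
# can lag real logons by up to two weeks; do not delete on this report alone.
Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -ComputersOnly |
    Where-Object { $_.DistinguishedName -notlike "*,$computersCn" } |
    Group-Object { $_.DistinguishedName -replace '^CN=[^,]+,', '' } |
    Sort-Object Name |
    ForEach-Object {
        "REPORT to admins of $($_.Name):"
        $_.Group | ForEach-Object { "    $($_.Name)  last logon $($_.LastLogonDate)" }
    }
```

Run it with read-only rights first; the DISABLE and DELETE lines list candidates only until the commented cmdlets are enabled and -WhatIf removed.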

Naming Standards

A naming convention for all computers, groups, organizational units (OUs) and group policy objects (GPOs) will be strictly enforced. This is necessary to maintain a unique namespace in the WolfTech domain, since WINS legacy support requires a flat namespace for interoperability across campus. In addition, a naming convention will simplify administrative tasks and allow for automation scripts. Before you add a computer, group, OU or GPO to WolfTech, please read the Naming Standards section of this website.

Windows 2003 Forests and Domains

The WolfTech Active Directory is a single forest, single domain model.

Domain Support Model

WolfTech Computer Support maintains all domain controllers required for the WolfTech Active Directory domain. In addition, the central patch management (WSUS) is maintained for any OU not currently running their own -- though these units will be subject to the WolfTech Update Policy and should be sure to review it thoroughly. All central file services, including the domain DFS roots will also be maintained centrally -- these will be used to provide any university wide software packages (refer to Software Packages for a complete list of currently available packages).

All other support for departmental and college computers, servers, and unit specific group policies are the responsibility of the OU administrators of those units. Full OU administrative rights have been delegated for this purpose.

WolfTech Computer Support will address any questions or concerns of OU Administrators, but all end user requests or questions should be addressed to the appropriate local Systems Administrator.

Domain Restoration

Root resources, structures, and data will not be restored except in the event of catastrophic failure of the directory structure. OUs, machines, GPOs, and other directory constructs should be maintained with great care and should be carefully documented, so that errors or omissions at an OU or sub-OU level can be mitigated and rectified.

Schema Extensions

The WolfTech domain schema will not be extended unless the proposed extension will demonstrably benefit the domain as a whole, is supportable and scalable for the enterprise, and will have minimal impact on service delivery. Because schema extensions are not reversible, extensive testing and review of extensions must occur. Requests to extend the WolfTech schema should be emailed to the WolfTech support group.

Trusts between WolfTech and Other Windows Domains

Only one-way, non-transitive trusts will be permitted between WolfTech and other Windows domains. The purpose of such trusts is to facilitate migration of services to the WolfTech Active Directory domain. Their duration will be based on negotiations between WolfTech Computer Support and the OU Admins affected. Two-way trusts between WolfTech and other forests/domains at NC State will not be established.

Roaming Profiles and Individual Logon Scripts

Because they are very difficult to support in a large domain, and to limit network traffic, roaming profiles and logon scripts assigned to individual users are not supported within the WolfTech domain. Active Directory provides other advanced features, such as group policies and folder redirection, to define the user environment. Refer to the Documentation page for details.

Support Mailing List

Technical support personnel with administrative privileges are required to subscribe to the wolftech-ad@lists.ncsu.edu mailing list, as it is the primary communication method on matters concerning the WolfTech Active Directory domain. It is advised that a subscription to the activedirectory@lists.ncsu.edu list be maintained as well, since that list is used for campus-wide Active Directory issues.

Service Level

The WolfTech Active Directory domain architecture is designed to provide continuous service delivery without interruption or impact due to maintenance or hardware failure. In the event of a service interruption or modification, recovery procedures will be implemented, including notification and resolution.