Foreword

For many years, departments at MSU have relied on the Microsoft Windows NT domain model to manage their Windows computing environments. With the release of Windows 2000, Microsoft has dramatically changed the manner in which networks are managed by introducing a new directory service called Active Directory™, or AD. Many of Microsoft's current and future software packages rely on their integration with Active Directory. The upgrade to Active Directory requires considerable planning and additional administrative labor and hardware costs, beyond the reach of many smaller offices. With the prospect of many departments upgrading to Windows 2000, Administrative Information Services (AIS) and MSU's Computer Laboratory (CL) have identified the need to organize a root-level Active Directory structure to minimize administrative tasks, maximize benefits to clients and position ourselves for the next generation of Microsoft-based network services.

Definitions

System Sponsor, System Manager, Facility Staff, and User will be used as defined in Section II of the MSU Acceptable Use Policy (AUP), which can be found at http://www.msu.edu/dig/aup/msuaup.html. An Enterprise Administrator (EA) is a user ID that has full access to the top-level domain of the Active Directory structure.

Microsoft's Active Directory service is a central component of the Windows® 2000 operating system platform. AD is the central authority that manages identities and brokers the relationships between distributed network resources. AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments. The 'root' of the Active Directory is the basis for an AD tree and contains the Global Catalog, DNS and other services that are required for the AD structure to communicate between resources.

AD Root Domain

Login Access

Enterprise Administrator IDs shall be limited to two persons within AIS and two within the CL. All Enterprise Administrators will sign a security agreement, and those defined as child Domain Administrators will receive a copy for their records.

Root Resources

Only the root domain servers, AD-wide services and Enterprise Administrator login IDs will exist in the root domain. All other resources shall exist in child Domains. The ownership of the IP addressing scheme shall remain the property of campus Network Services, and their current policies shall be adhered to. AD DNS shall be used for AD resources and authentication only. Systems that provide publicly available services advertised by DNS, such as mail and web services, will have DNS listings with the MSU Campus DNS.

Schema Changes

The AD Schema will not be extended unless the proposed extension will demonstrably benefit the AD forest as a whole, is supportable and scalable for the university, and will have minimal impact on service delivery. Acceptance of schema changes will be through consensus of all Enterprise Administrators after consultation with the Domain Administrators and the Network Communication Committee.

Child Domains

A naming convention for all AD objects (workstations, servers, printers, groups, and OUs) shall exist, whereby the joining child Domain Administrator shall work in conjunction with the EA that is adding the Domain to the AD structure. This is necessary to maintain a unique namespace in AD, as WINS legacy support requires a flat namespace for interoperability. EAs will not force group policy or otherwise administer child Domains unless requested by the System Sponsor. Domain Administrators or System Sponsors can implement group policies in Domains which they administer. System Sponsors are accorded wide discretion in establishing reasonable and appropriate policies applicable to their systems, as stated in Section III-2 of the MSU AUP.

Security

Active Directory security will follow the Enforcement Section (V) of the MSU AUP.
Send mail to ais311@msu.edu with questions or comments about this web site.