IT-STANDARD-04

Approved Date: 03/20/2002
Revision Date: 12/10/2015
Revision Date: 4/18/2024


Description


Authoritative directory source for other campus directories.

This document sets forth the operational rules for the University of Iowa Enterprise Active Directory (AD) environment. The AD environment is integrated into the university's comprehensive network infrastructure and includes Microsoft Domain Name System (DNS) services as well as Active Directory Domain Services. It is an authoritative source for other directories that may be necessary to enable specific vendor strategies or applications.

Scope

This standard applies to all campus IT providers that utilize services provided by the Enterprise Active Directory Infrastructure.  

Roles and Responsibilities

Active Directory Enterprise Administrators

The primary administrator group at the enterprise operational level is the Active Directory Enterprise Administrators (ADEA or Enterprise Administrators) group. The ADEA is responsible for the operation and maintenance of the University of Iowa Active Directory. 


Enterprise Administration Responsibilities

  • Active Directory Enterprise Administrators have full access to the root of the University of Iowa Active Directory forest. They are responsible for the daily operation of the AD forest.
  • Enterprise Administrators are also responsible for the DNS services running on the forest root domain controllers. 
  • Representative responsibilities of the ADEA are documented in the “Active Directory Enterprise Administrator Handbook”.
  • The ADEA will regularly report to IT leadership about its activities and health of the forest. Detailed problem and change logs are an essential part of such reporting.

Domain Administration Responsibilities

  • Domain Administrators have full responsibility and administrative control of a specific Active Directory domain within the University of Iowa forest. Each domain must have at least two experienced full-time information technology professionals identified to be the domain administrators.
  • Domain Administrators are responsible for supporting the operation of the campus forest by maintaining the good health of their domain. Domain Administrators must respond to ADEA requests to correct any problems that impact the forest.
  • DNS for each Active Directory domain will be the responsibility of the respective domain administrators, in collaboration with ADEA and campus hostmaster, as required.
  • Domain Administrator assignments are made by the org-level IT director, subject to the requirements of this standard.

University Active Directory Forest 

The forest is the highest level of organization within Active Directory. Within the forest is a collection of domains that share a common infrastructure. Additional Active Directory forests are not permitted unless approved by the Information Security & Policy Office (ISPO) and the ADEA.

Domain Creation 

The most robust, supportable forest infrastructure is the one that minimizes the number of individual domains. However, there are certain requirements that can only be met by the establishment of multiple domains within the forest.

The process for determining whether a new domain is appropriate for a college or organizational unit wishing to join the forest is based on factors such as:

  • Ability of requestor to substantially leverage Microsoft AD resources.
  • Availability of qualified IT staff, trusted by peers outside the unit.
  • Availability of adequate hardware dedicated to support of the domain. 
  • Commitment to the operational processes of the forest, including an emergency reporting and response staffing structure.
  • Specific functional requirements that cannot be met by the Enterprise AD Forest. 

The ADEA will make a final determination whether to add a new domain, balancing the wishes of the requestor with the health of the enterprise forest. 

Schema Change Management

Because the schema of the AD is a shared resource, with mission-critical dependencies built into its structure, all changes will be submitted to a rigorous Schema Change Management process. 

Additional Requirements

Domain administrator accounts will be provisioned separately from regular administrator accounts. Domain administrator and regular administrator accounts will only be used for those tasks that require their use, in accordance with the principle of least privilege. 
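One way a domain administrator can check that this requirement holds in practice is to list the accounts that currently hold domain-level administrative rights and flag any that do not look like dedicated administrative accounts. The following PowerShell is an added example written for this standard, not a script supplied by the university or the ADEA. It assumes the ActiveDirectory RSAT module is installed, and it assumes a hypothetical local naming convention in which dedicated administrator accounts end in `-adm`; the suffix, and the use of a populated `mail` attribute as a sign of an everyday account, are assumptions to adjust to local practice.

```powershell
# Added example for IT-STANDARD-04 (not the university's own script):
# report members of the domain's privileged groups that do not appear to be
# dedicated administrator accounts, in support of the separation requirement.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# ASSUMPTION (hypothetical): dedicated admin accounts carry the suffix "-adm".
$AdminSuffix = '-adm'

# Built-in groups whose members hold domain-wide administrative rights.
$Groups = @('Domain Admins', 'Administrators')

$Findings = foreach ($g in $Groups) {
    # -Recursive expands nested groups down to leaf objects; keep user objects only.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties mail, PasswordLastSet, LastLogonDate
            [pscustomobject]@{
                Group            = $g
                SamAccountName   = $u.SamAccountName
                Enabled          = $u.Enabled
                # Follows the assumed dedicated-account naming convention?
                DedicatedAccount = $u.SamAccountName.EndsWith($AdminSuffix)
                # A mailbox on a privileged account suggests an everyday account
                # is being used for administration (assumption: admin accounts have no mail).
                HasMailbox       = [bool]$u.mail
                LastLogonDate    = $u.LastLogonDate
                PasswordLastSet  = $u.PasswordLastSet
            }
        }
}

# Accounts to review: privileged but not dedicated, or privileged with a mailbox.
$Findings |
    Where-Object { -not $_.DedicatedAccount -or $_.HasMailbox } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Run the script from an account that can read group membership in the domain being reviewed; an empty table means every privileged member matches the assumed convention and carries no mailbox. Because `Get-ADGroupMember` reads only the current domain by default, Domain Administrators run it once per domain, and `Enterprise Admins` membership in the forest root is reviewed by the ADEA.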

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.  

They are incorporated into the University of Iowa Policy Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information...

Requests for an exception to IT Policies & Standards can be submitted via the webform link here: Request a Security Exception