Enterprise Active Directory Policy
Policy Number: IT-02
Approved Date: 03/20/2002
Revision Date: 12/10/2015
Description: Authoritative directory source for other campus directories.
This document sets forth the basic operational policies, guidelines and rules for the University of Iowa Enterprise Active Directory (AD) environment. The AD environment is integrated into the University's comprehensive network infrastructure and includes Microsoft Domain Name System (DNS) services as well as Active Directory Service.

Information about people, applications, and computing resources is distributed throughout the University and Hospital information systems. Our campus and hospital networks have evolved from loose collections of connected devices into a complex, integrated system made up of interdependent resources. As a result, contemporary operating systems need to be able to manage the relationships between distributed network resources.

Recognizing the importance of directory services to the campus IT community, ITS developed an Enterprise Directory Service, accessed through the LDAP standard and integrated with authoritative sources and systems of information. This directory (currently SecureWay from IBM, running on an AIX platform) was put into production in November 2000, with the requisite redundancy and security. It is now the authoritative source for other directories that may be necessary to enable specific vendor strategies or applications. One such directory, Active Directory, an integral part of Microsoft's Windows 2000 operating system, is required to derive full benefit from Microsoft products.

A collaborative process for designing the AD architecture, policy and management of domains at an enterprise (campus-wide) level has been developed for the implementation of Active Directory for both the hospital and the campus. The technical basis of this design is the result of an inter-collegiate project, facilitated by Microsoft Consulting Services and led by ITS.
This policy applies to all campus IT providers that utilize Windows devices connected to the campus network. It is the collaborative consensus of policy and practice for the design, implementation and management of shared services. The technical manifestation of the architecture is the single forest, which contains all the domains on the campus. No other forests will be recognized by the campus network, unless approved under this policy. Compliance with these guidelines is essential to the coordinated operation and expansion of services for the benefit of the full campus and hospital community of users. Changes to the policy and practices can be made as situations warrant, through the oversight committee defined below.
I. Governance - The creation, oversight and daily operation of this policy is vested in the following groups, in concert with existing IT providers.
Enterprise IT Committee
The primary advisory structure for the operation of enterprise wide projects and shared services is the Enterprise IT Committee (EITC). The EITC is responsible for oversight of the campus Active Directory forest. In addition to policy, Active Directory version upgrades and feature sets will be deployed at the direction of the EITC.
Active Directory Enterprise Administrators
The primary administrator group at the enterprise operational level is the Active Directory Enterprise Administrators (ADEA or Enterprise Administrators) group. The initial membership of this group is included in the attachments. The Enterprise Administrators are oriented solely to the operation and maintenance of the University of Iowa Active Directory forest. The group is a small, trusted set of individuals who work closely as a team to provide reliable, 24 x 7 operation of the UI forest and support for AD domains, as required to preserve the health of the forest. Because of the University-wide responsibilities of this group, the employing unit for each ADEA member must concur with and support these global responsibilities. This means that sufficient time for forest administration, continuing professional education, and status reporting must be made the highest daily priority for each member. Depending on operational demands, this could be a full-time commitment for the individual.
Enterprise Administration Responsibilities
- Active Directory Enterprise Administrators have full access to the root of the University of Iowa Active Directory forest. They are responsible for the daily operation of the AD forest.
- Enterprise Administrators are also responsible for the DNS services running on the forest root domain controllers. It is expected that any changes will be planned and executed in collaboration with ITS Telecommunication and Networking Services (TNS) staff, as required.
- Because of the nature of access and institutional responsibilities, members of the Enterprise Administrators group serve at the discretion of the EITC. New members will be considered through the nomination of trusted administrators. A nomination of a new administrator must be unanimous among the existing enterprise administrators.
- Three to five individuals may be assigned to the ADEA, with a six-month probationary period. Enterprise Administrators are expected to work as a team and serve as mentors to other campus AD domain and OU administrators.
- Representative responsibilities of the ADEA are documented in the “Active Directory Enterprise Administrator Handbook”.
- The ADEA will regularly report to the EITC about its activities and health of the forest. Detailed problem and change logs will be an essential part of such reporting.
Domain Administration Guidelines
- Domain Administrators have full responsibility and administrative control of a specific Active Directory domain within the University of Iowa forest. Each domain must have at least two experienced full-time information technology professionals identified to be the domain administrators.
- Domain Administrators must be good Active Directory citizens. Domain Administrators are responsible for supporting the operation of the campus forest by maintaining the good health of their domain. Domain Administrators must respond to ADEA requests to correct any problems that impact the forest.
- DNS for each Active Directory domain will be the responsibility of the respective domain administrators, again in collaboration with ADEA and TNS, as required.
- Domain Administrator assignments are made by the IT manager/director for the college or administrative unit, subject to the issues covered by this policy.
Enterprise Exchange Administrators
The Enterprise Exchange Administrator Group (EEA) is responsible for enterprise-level Exchange related activities. Active Directory does not allow the ADEA to delegate all of the necessary rights to the local Exchange administrators. These Exchange support activities are performed by the EEA.
II. Single University Active Directory Forest
The Active Directory forest is the top-level logical container in Active Directory. Within the forest is a collection of domains that share a common infrastructure (a single schema, configuration partition and global catalog). The University has selected a single forest model because it presents the best opportunity to provide a consistent interface to the end user from anywhere on the network. One consequence of a single forest is that a single Exchange organization can span it, so Exchange calendar information is shared across the University. This model requires considerable agreement on policy and operational processes to be successful.
The operation and nature of the forest relationships is not directly tied to political, organizational or economic structures. The goal of the forest is that interoperability by all relevant individuals and systems is enhanced by their membership. It certainly includes faculty, staff and students, and may include patients, distance education students, alumni, and others as appropriate. To that end, inclusive approaches will be established to promote participation in the UI AD Forest. Likewise, attempts to establish alternative forest structures will not be supported.
Organizational Units in a Domain
It is our goal to minimize the number of domains for a variety of technical, reliability and economic reasons. There will be many instances in which a new organizational unit (OU), with delegated authorities will be fully sufficient, instead of a new domain. Any campus unit wishing to establish a new organizational unit within an existing domain may do so by contacting an administrator of an existing domain or ADEA member.
Domain Creation Guidelines
The simplest structure is the strongest. The most robust, supportable forest infrastructure is the one that minimizes the number of individual domains. However, there are technical and political reasons that can only be met by the establishment of multiple domains within the single forest.
The process for determining whether a new domain is appropriate for a college or organizational unit wishing to join the forest is based on factors such as:
- Ability of requestor to substantially leverage Microsoft W2K/NT resources.
- Availability of qualified IT staff, trusted by peers outside the unit.
- Availability of adequate hardware dedicated to support of the domain.
- Commitment to the operational processes of the forest, including an emergency reporting and response staffing structure.
- Specific functionality requirements that cannot be met by an Organizational Unit (OU).
Meeting the minimum requirements for domain admission does not automatically guarantee that an organization will be allowed to establish a separate domain in the Active Directory. The ADEA will balance the wishes of the requestor with the health of the enterprise forest. Assistance will be provided by the Enterprise Administrators to help install and configure all new domains, so that they integrate properly with the existing environment.
Active Directory Domain Name Service (DNS)
The primary purpose in defining DNS responsibilities is to deploy the most robust and feature-rich environment possible, without reducing the reliability and effectiveness of the existing campus network.
TNS provides the campus DNS oversight and management. Primary DNS for the forest root domain will be implemented and managed by the Enterprise Administrators. DNS authority for the forest root domain is delegated by TNS from the BIND servers hosting the primary UIOWA.EDU domain DNS services. The forest DNS is hosted on Windows domain controllers in the Active Directory forest root. TNS, in collaboration with the Enterprise Administrators, will determine DNS updates required to support decisions to add domains to the forest. Actual changes to DNS on the forest root domain controllers will be made by an AD Enterprise Administrator in collaboration with TNS. DNS administration for each Active Directory domain (other than the root domain) will be the responsibility of the respective Domain Administrator, again in collaboration with both ADEA and TNS, as required.
Schema Change Management
Because the schema of the AD is a shared resource, with mission-critical dependencies built into its structure, all changes will be submitted to a rigorous Schema Change Management process. While this may require negotiation of desired attributes with other users, it is essential to sustain the reliability of the directory. Required characteristics of this process:
- Identifying needed changes
- Documenting the need for changes
- Testing schema changes
- Documenting test results
- Presentation of results, before implementation
Requests for schema changes are submitted to the ADEA. After evaluation and assessment by the ADEA, a recommendation covering implementation timing, the precise specification of the change, and an assessment of impact on all AD users will be made to the EITC. EITC approval is required before any changes are implemented. Testing of the change is required, but may occur before or after the ADEA recommendation.
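Because any member of Schema Admins can extend the schema without going through the process above, the ADEA needs a way to reconcile what actually changed in the schema against the changes the EITC approved. The following PowerShell script is an added example for that check; it is not part of this policy or of the Enterprise Administrator Handbook. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the schema naming context. The function name Get-RecentSchemaChanges and the output file name are the example's own choices.

```powershell
# Added example (not part of this policy): list schema objects changed on the
# Schema Master since a given date, so the ADEA can reconcile them against
# EITC-approved change records. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-RecentSchemaChanges {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    # whenChanged is a non-replicated, per-DC attribute. All schema writes
    # originate on the Schema Master, so query that DC explicitly instead of
    # whichever DC the module happens to pick.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    # objectVersion on the schema container is the forest schema level raised by
    # adprep /forestprep; an unexpected jump means an installer extended the schema.
    $container = Get-ADObject -Server $schemaMaster -Identity $schemaNC `
        -Properties objectVersion, whenChanged
    Write-Host ("Schema Master: {0}  objectVersion: {1}  container last changed: {2}" -f `
        $schemaMaster, $container.objectVersion, $container.whenChanged)

    # Every attributeSchema / classSchema object touched since $Since. A new
    # object shows whenCreated close to whenChanged; a modified one does not.
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -SearchScope OneLevel `
        -Filter { whenChanged -ge $Since } `
        -Properties whenCreated, whenChanged, lDAPDisplayName, attributeID, governsID, isDefunct |
        Sort-Object whenChanged -Descending |
        Select-Object lDAPDisplayName, objectClass, whenCreated, whenChanged, isDefunct,
            @{ Name = 'OID'; Expression = { if ($_.attributeID) { $_.attributeID } else { $_.governsID } } }
}

# Usage: everything touched in the last quarter, exported for the EITC report.
Get-RecentSchemaChanges -Since (Get-Date).AddDays(-90) |
    Export-Csv -NoTypeInformation -Path .\schema-changes.csv

# Schema Admins should be empty outside an approved change window; anyone
# listed here can bypass the process above.
Get-ADGroupMember -Identity 'Schema Admins' | Select-Object name, objectClass
```

Run the report against the Schema Master rather than an arbitrary domain controller; querying another DC returns that DC's local whenChanged timestamps, which reflect when the change replicated in, not when it was made. Entries in the output that have no matching EITC approval are the ones to raise with the ADEA.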
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information...)
- Enterprise Password Policy
- Enterprise Login ID Standard
- Active Directory Enterprise Administrator Committee
Requests for an exception to IT Policies & Standards can be submitted via the webform link here: Request a Security Exception