Identifying Design Criteria


When designing the Active Directory structure, the primary design criterion is administrative control. The best Active Directory designs start from who administers which objects within Active Directory, and only then is the group policy structure layered on top. In the earliest Windows directory service structures (the Windows NT domain model), the domain was both the security boundary and the unit of administrative control. That changed once Active Directory was introduced: the forest is now the security boundary, and although separate domains may still be required to meet differing security needs, mechanisms are in place that allow every domain in the forest to be controlled by a central administrative group. For some companies, this makes administration easy. Other companies find that this capability causes political battles among divisions. This reason alone is enough to make sure that the designer weighs all of the available options before making any decisions about the future Active Directory structure.

Note  

As my technical editor likes to point out, the top 4 layers of the 11 layer OSI model are financial, political, legal, and religious!

When considering the various design options, the network architect needs to identify where control is granted within the forest. Because of the security requirements of Active Directory, identifying the users who have control over the services and objects within Active Directory becomes a priority early in the design phase. The groups responsible for those resources are known as either service administrators or data administrators.

Because the service administrators have control over the entire directory service implementation for the forest, or at the very least their own domain, they must be individuals or groups within the organization who understand Active Directory and the ramifications of making changes to the directory service. Usually senior members of the technical team are identified as the service administrators. Users who are added to the Domain Admins global group automatically have the rights and permissions of service administrators for the domain where that Domain Admins group resides. Users who are added to the Domain Admins global group within the forest root domain can add themselves to the Enterprise Admins group (which exists only in the forest root) and become service administrators for the entire forest. Because these groups have so much power over Active Directory, monitor their membership, including members nested through other groups.
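The following script is an added example, not code from the study guide, of the membership monitoring recommended above: it snapshots the recursive membership of the groups that confer service-administrator control in every domain of the forest and reports any difference from a saved baseline. It uses the RSAT ActiveDirectory module, which post-dates the Windows Server 2003 era the book covers; the baseline path is an assumption.

```powershell
# Added example (not from the study guide): snapshot the membership of the
# groups that confer service-administrator control and diff it against a
# saved baseline. Requires the RSAT ActiveDirectory module (Windows Server
# 2008 R2 or later). The baseline path is an assumption.
Import-Module ActiveDirectory

$BaselinePath = 'C:\ADAudit\privileged-groups.json'   # assumption

function Get-PrivilegedGroupMembership {
    # Returns @{ "domain\group" = @(member DNs, sorted) } for every domain in the forest.
    $forest   = Get-ADForest
    $snapshot = @{}
    foreach ($domain in $forest.Domains) {
        # Domain Admins and the built-in Administrators group exist in every domain;
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $groups = @('Domain Admins', 'Administrators')
        if ($domain -eq $forest.RootDomain) { $groups += 'Enterprise Admins', 'Schema Admins' }
        foreach ($group in $groups) {
            try {
                # -Recursive expands nested groups, so an account hidden two levels
                # down still appears in the snapshot.
                $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction Stop |
                           Select-Object -ExpandProperty distinguishedName | Sort-Object
            } catch {
                # Cross-domain (foreign security principal) members can fail to expand;
                # record the failure rather than silently reporting an empty group.
                Write-Warning "Could not enumerate ${domain}\${group}: $_"
                $members = @()
            }
            $snapshot["$domain\$group"] = @($members)
        }
    }
    return $snapshot
}

function Compare-PrivilegedGroupMembership {
    param([hashtable]$Current, [string]$Path)
    if (-not (Test-Path $Path)) {
        # First run: write the baseline. Review it by hand before trusting it.
        $Current | ConvertTo-Json -Depth 4 | Set-Content -Path $Path
        Write-Output "Baseline written to $Path"
        return ,@()
    }
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $changes  = @()
    foreach ($key in $Current.Keys) {
        $old = @($baseline.$key | Where-Object { $_ })   # empty if the group was not in the baseline
        $new = $Current[$key]
        foreach ($dn in ($new | Where-Object { $_ -notin $old })) {
            $changes += [pscustomobject]@{ Group = $key; Change = 'Added';   Member = $dn }
        }
        foreach ($dn in ($old | Where-Object { $_ -notin $new })) {
            $changes += [pscustomobject]@{ Group = $key; Change = 'Removed'; Member = $dn }
        }
    }
    return ,$changes
}

$changes = Compare-PrivilegedGroupMembership -Current (Get-PrivilegedGroupMembership) -Path $BaselinePath
if ($changes.Count -gt 0) {
    # Any change here is a change to the service administrators; treat it as a
    # security event, not routine housekeeping.
    $changes | Format-Table -AutoSize
    exit 1
}
```

Run it as a scheduled task under an ordinary domain account (reading group membership needs no administrative rights), and protect the baseline file so that the same administrators being watched cannot rewrite it. On Windows Server 2003 itself the equivalent enumeration is `dsget group <GroupDN> -members -expand`.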

Identifying Service Administrators

In an Active Directory environment, service administrators control the servers that act as domain controllers. Their primary responsibility is to make sure the directory service is available so that users and applications can access Active Directory. Because they are responsible for the availability of the domain controllers, they have access to the configuration settings on those servers and must make sure access is not interrupted.

Service administrators must be trustworthy individuals within the organization. Because they have been granted rights that allow them to make configuration changes within the directory service, they can alter the functionality of Active Directory. Stakeholders from every domain that will be incorporated within the forest should have a voice in determining who is allowed to be a service administrator for the forest. Every domain's service administrators have control over the directory service in their own domain, but it cannot be guaranteed that administrators from other domains in the same forest will not be able to gain access. If you need complete autonomy, you must consider the effects of having multiple forests. We will discuss these options in the section Designing the Forest Structure later in this chapter.

Because service administrators have control over all aspects of Active Directory and can modify the settings of any object, they can perform the same functions as the data administrators. In many cases, especially in smaller organizations, the service administrators and the data administrators are the same people.

Identifying Data Administrators

Data administrators control the objects within Active Directory. This includes the user, computer, and group accounts, shared folder objects, printer objects, and any other objects over which they have been granted authority. Data administrators also control the member servers that use Active Directory. Some examples of data administrators include the users who add workstations and member servers to the domain, Exchange Server administrators, and the staff responsible for adding and modifying user accounts.

Although the service administrators can perform the same functions as the data administrators and may be the same people in smaller organizations, you usually find that the data administrators are individuals responsible for maintaining a specific group of objects within the Active Directory forest or domain. By delegating responsibilities to other groups within the organization, you maximize administrative efficiency. The service administrators can concentrate on maintaining the Active Directory structure, whereas the data administrators are only able to affect the objects for which they are responsible.

Data administrators have to trust the service administrators of the forest and domain. Active Directory has no built-in accounts that are solely data administrators; it is up to the service administrators to create the groups that define the data administrators and to delegate rights to them. Once the rights to perform tasks are delegated to those groups, users added to them can configure the objects they are responsible for, but they do not have complete autonomy over those objects, because the service administrators retain the ability to change or revoke the delegation. The only way data administrators can achieve complete autonomy is to build a separate forest in which they are the service administrators as well. In the next section, we look at the different types of administration and how you can achieve data and service autonomy or isolation.
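The delegation described in the two paragraphs above, as an added example that is not part of the study guide: a service administrator grants a data-administrator group the "Reset Password" right on user objects beneath a single OU and nothing else, then reads the resulting access control entry back so the delegation can be audited. The OU and group names are assumptions; the two GUIDs are fixed values defined by the Active Directory schema. The Delegation of Control Wizard in Active Directory Users and Computers writes the same ACE interactively.

```powershell
# Added example (not from the study guide): delegate only the "Reset Password"
# extended right on user objects under one OU to a data-administrator group,
# then verify the ACE. Requires the RSAT ActiveDirectory module and its AD: drive.
# The OU and group names are assumptions; the GUIDs come from the AD schema.
Import-Module ActiveDirectory

$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # rightsGuid of "Reset Password"
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

function Grant-ResetPasswordOnOU {
    param(
        [Parameter(Mandatory)][string]$OuDN,       # e.g. 'OU=Sales,DC=corp,DC=example' (assumption)
        [Parameter(Mandatory)][string]$GroupName   # e.g. 'Sales-AccountAdmins' (assumption)
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"

    # Allow a single extended right, inherited only by user objects beneath the OU
    # (Descendents + user class). Nothing is granted on the OU itself, on groups,
    # or on computers, so the data administrators can do exactly this one task.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-ResetPasswordOnOU {
    # Returns the ACEs that grant the delegation, so it can be audited later,
    # possibly by someone other than the administrator who set it up.
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    (Get-Acl -Path "AD:\$OuDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.InheritedObjectType -eq $UserObjectClass
    }
}

Grant-ResetPasswordOnOU -OuDN 'OU=Sales,DC=corp,DC=example' -GroupName 'Sales-AccountAdmins'
Test-ResetPasswordOnOU  -OuDN 'OU=Sales,DC=corp,DC=example' -GroupName 'Sales-AccountAdmins' |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two points follow directly from the paragraph above. First, the group members gain only what the ACE grants: they cannot widen it themselves, and the service administrators who own the OU's ACL can remove it at any time, which is the lack of autonomy the text describes. Second, accounts that are members of protected groups such as Domain Admins have their ACLs rewritten from the AdminSDHolder object by the SDProp process, so even a user in that OU who is also a Domain Admin cannot have their password reset by the delegated group; the delegation stops exactly where service-administrator control begins.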




MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
Year: 2004
Pages: 159
Authors: Brad Price, Sybex
