Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Server

Windows Server 2008 : Designing the Active Directory Administrative Model (part 1) - Delegating Active Directory Administration

4/17/2013 3:49:51 PM

As an enterprise administrator, you will plan and design the administrative model for AD DS within your enterprise. You are unlikely to create groups, delegate control of organizational units (OUs), or configure and link Group Policy objects yourself, but you will design a delegation structure so that less senior members of staff can carry out the tasks required to implement your plans without being given more rights and permissions than they need to do their job.

Because of the full-trust model in an Active Directory domain tree, domain and server administrators seldom need to configure trusts. Implementing a permission and administration model in a multi-forest enterprise network is, therefore, likely to be a task you do yourself, and you need to work with universal groups and forest trusts.

Your planning should always consider the structures already available to you by default. You should not plan a new domain local security group, for example, when a built-in local security group already exists that facilitates your aims. Therefore, be aware of the security groups that are installed by default or installed automatically when features such as read-only domain controllers (RODCs) are implemented.

You are unlikely to create OUs and Group Policy objects (GPOs) personally, but you need to plan which OUs and GPOs are created and how they are linked. You need to delegate group and OU management. You will not typically audit ordinary users personally, but you do need to audit the high-level activities of your administrative team.

Designing and planning an Active Directory administrative model in the enterprise is a complex task. This lesson discusses the aspects of this task.

Real World

Ian McLean

One of the most difficult things a manager needs to learn is how to delegate. As an enterprise administrator, that’s what you are—a manager. You’re a manager with a high level of technical knowledge, but still a manager, and that’s where many excellent server and network administrators fall down. You might be a first-class coder who can produce Microsoft Windows PowerShell and batch files without even thinking about it. You might be a troubleshooting wizard who can identify a network or server fault while others are still rolling up their sleeves; your Group Policy configuration might be immaculate. However, if you are busy changing a password for a forgetful user while the entire enterprise goes wrong for lack of planning, you are not doing your job.

You need to plan. You need to organize. You need to ensure that your staff is given the appropriate training—and that does not mean training people yourself. You need to delegate jobs to people who (in your opinion) know how to do them. You need to ensure that they receive advice and training if they don’t.

The main problem for most fledgling enterprise administrators is lack of control. You need to trust your staff, and if one of your junior administrators makes a mistake, you must take the responsibility for a mistake that wasn’t yours. You will wear a suit and seldom, if ever, crawl behind wiring racks. You need to accept that your server administrators know more about their particular sections of the network than you do.

Others will configure servers and create OUs. You will plan the structure of your Active Directory forest or forests and the permissions structure in your enterprise. You still need to keep up to date technically—you can’t plan a Windows Server 2008 domain unless you know the features Windows Server 2008 offers you—but your job is planning, supervising, and administering.


1. Delegating Active Directory Administration

A well-planned delegation strategy enables you to increase security and manage resources efficiently while meeting administrative requirements. Delegation increases administrative efficiency, decentralizes administration, reduces administrative costs, and improves the manageability of IT infrastructures.

Delegation is the transfer of administrative responsibility for a specific task from a higher authority to a lower authority. From a technical perspective, delegation of administration involves a senior administrator granting a controlled set of permissions to a less experienced administrator to carry out a specific administrative task.

Typically, the administrative model in large organizations with enterprise networks is one in which different divisions and business units share a common IT infrastructure. This IT infrastructure can span multiple organizational and geographic boundaries. Such an environment generally has the following requirements:

  • Organizational structure requirements Part of an organization might participate in a shared infrastructure to save costs but require the ability to operate independently from the rest of the organization.

  • Operational requirements An organization might place unique constraints on directory service configuration, availability, or security.

  • Legal requirements An organization might have legal requirements to operate in a specific manner such as restricting access to confidential information.

  • Administrative requirements Different organizations might have different administrative needs, depending on existing and planned IT administration and support models.

  • Organization size Organizations can be small, medium, or large. A complex and sophisticated delegation structure for a small organization with a small team of administrators is unlikely to work.

When planning a delegation strategy, you need to have a very good grasp of your organization’s requirements. These requirements help you plan the degree of autonomy and isolation within the organization or within sectors of the organization. Autonomy is the ability of the administrators of an organization to manage independently all or part of service management (service autonomy) and all or part of the data stored in or protected by AD DS (data autonomy).

Isolation is the ability of an administrator or an organization to prevent other administrators from controlling or interfering with service management (service isolation) and from controlling or viewing a subset of data in AD DS or on member servers and client computers that have accounts in AD DS (data isolation).

In a large organization, autonomy and isolation need to be carefully managed. You might want to manage some services on an enterprise-wide basis. For example, it is a valid model for even a very large organization to have a single domain tree or even a single domain with many sites. You might want to implement distributed file system replication to replicate AD DS settings throughout the enterprise, but your Australian sites want to control their own password policy. You could use fine-grained security policies in this instance, although this might not be practical for a large number of users, and it requires a domain functional level of Windows Server 2008—not a good idea if you have Microsoft Windows 2000 Server or Microsoft Windows Server 2003 domain controllers (DCs) in a domain. Sometimes strict service or data isolation requires creating a separate forest or a subdomain.

Classifying Organizations

One of your first steps in planning an organization’s delegation structure is to classify the organization. Organizations can be classified based on their size in the following categories:

  • Small organizations Typically, these have 25 to 50 workstations and three to five servers.

  • Medium organizations Typically, these have 50 to 500 workstations and 4 to 50 servers.

  • Large organizations Typically, these have at least 500 workstations and 50 servers.

Small and medium organizations typically have a very small number of administrative groups that are responsible for managing all aspects of AD DS. Small and medium organizations might not need to create an extensive delegation model. Large organizations generally must distribute and delegate administrative authority to various administrative groups, possibly delegating certain aspects of Active Directory management to centralized teams and delegating other aspects to decentralized teams. Although large organizations will find the delegation capabilities of AD DS most useful, small and medium organizations can often achieve enhanced security, increased control, more accountability, and reduced costs by implementing a degree of delegation.

Delegation Benefits and Principles

By efficiently delegating administrative responsibilities among various administrative groups, you can address the specific requirements of administrative autonomy and successfully manage an AD DS environment. Delegation of administration provides the following benefits:

  • Each administrative group has a defined and documented scope of authority and set of responsibilities.

  • Administrative authority is decentralized.

  • The delegation of administrative responsibility addresses the security concerns of the organization.

When you are planning the delegation of administration, adhere to the following principles:

  • Distribute administrative responsibilities on the basis of least privilege This ensures that the individual or group of individuals to whom the task has been delegated can perform only the tasks that are delegated and cannot perform tasks that have not been explicitly delegated or authorized.

  • Increase administrative efficiency Many of the responsibilities for managing Active Directory content can be assigned to the directory service itself. This automates management and increases efficiency.

  • Reduce administrative costs You can do this by facilitating shared administrative responsibility. For example, you could allocate administrative responsibility for providing account support to all accounts in the organization to a specific group. You need to ensure, however, that the organization’s autonomy requirements are met.

Managing Active Directory Through Delegation

The primary reason for delegating administrative authority is to allow organizations to manage their Active Directory environments and the data stored in AD DS efficiently. Delegation of administration makes Active Directory management easier and enables organizations to address specific administrative needs.

The administrative responsibilities of managing an Active Directory environment fall into two categories:

  • Service management Administrative tasks involved in providing secure and reliable delivery of the directory service

  • Data management Administrative operations involved in managing the content stored in or protected by the directory service

Service Management

Service management includes managing all aspects of the directory service that are essential to ensuring the uninterrupted delivery of the directory service across the enterprise. Service management includes the following administrative tasks:

  • Adding and removing DCs

  • Managing and monitoring replication

  • Ensuring the proper assignment and configuration of operations master roles

  • Performing regular backups of the directory database

  • Managing domain and DC security policies

  • Configuring directory service parameters such as setting the functional level of a forest or putting the directory in the special List-Object security mode

Data Management

Data management includes managing the content stored in AD DS as well as content protected by Active Directory. Data management tasks include the following:

  • Managing user accounts

  • Managing computer accounts

  • Managing security groups

  • Managing application-specific attributes for AD DS–enabled and AD DS–integrated applications

  • Managing workstations

  • Managing servers

  • Managing resources

You delegate Active Directory administrative functions such as service and data management in response to the geographical, business, and technical infrastructure of an enterprise. A well-implemented delegation model provides coverage for all aspects of Active Directory management, meets autonomy and isolation requirements, efficiently distributes administrative responsibilities (with a limited subset of tasks delegated to nonadministrators), and delegates administrative responsibilities in a security-conscious manner.

Defining the Administrative Model

To manage an enterprise environment effectively, you need to define how tasks will be assigned and managed. Your plan for delegating responsibility for the network defines the enterprise’s administrative model. Microsoft identifies the following three types of administrative models that you can use to allocate the management of the enterprise network logically between individual administrators or departments within the enterprise’s IT function:

  • Centralized

  • Distributed

  • Mixed

If no administrative model exists, the environment is managed chaotically, and most administrative tasks are typically handling emergencies. In this case, tasks such as server updates and modifications are frequently performed on the spot without proper testing. When administrative and maintenance tasks are not performed in a consistent manner, securing the environment and auditing administrative events are exceptionally difficult. Environments that do not follow an administrative model are administered reactively rather than proactively.

To identify the correct administrative model, determine which services are needed in each location in the enterprise and where the administrators with the skills to manage these services are located. Placing administrators in branch offices that require very little IT administration is usually a waste of money (which is one of the major reasons that Windows Server 2008 introduced RODCs).

Centralized Administration Model

In the centralized administration model, IT-related administration is controlled by one group, typically located at the head office or possibly at the enterprise’s research facility. In this model, all critical servers are housed in one location (or a very few locations), which facilitates central backup and an appropriate IT staff member being available when a problem occurs.

For example, if an organization locates mission-critical servers (such as Microsoft Exchange Server 2007 messaging servers) at each site, a qualified staff member might not be available at a remote site if a server needs to be recovered from backup, and remote administration (if possible) would be required. In the centralized administration model, all the servers running Exchange Server 2007 and the appropriate administrator would be located in a central office, enabling recovery and administration to be handled as efficiently and effectively as possible.

The centralized administration model is typically used in organizations that have one large central office with a few branch offices and typically a single Active Directory domain. Delegation is by function rather than by geographical location, and most tasks are allocated to IT staff, although some can be delegated to nonadministrators. For example, the head of the Accounting department could be delegated the task of resetting passwords for all the users in the Accounting OU (but have no rights in the rest of the organization).

The Distributed Administration Model

In the distributed administration model, tasks are delegated to IT and non-IT staff members in various locations. The rights to perform administrative tasks can be granted based on geography, department, or job function. Also, administrative control can be granted for a specific network service such as DNS or a Dynamic Host Configuration Protocol (DHCP) server. This enables separation of server and workstation administration without giving nonadministrators the rights to modify network settings or security. A sound, well-planned delegation structure is essential in the distributed administration model.

Exam Tip

Note that the exam does not include direct references to Dynamic DNS. It will, however, refer to dynamic updates as well as to Active Directory–integrated DNS zones. Any time a DNS server is updated automatically through authorized clients, it is a DDNS server. Keep this in mind when taking the exam.

Windows Server 2008 enables granular administrative rights and permissions, giving enterprise administrators more flexibility when assigning tasks to staff members. Distributed administration based only on geographical proximity is commonly found among enterprises that use the distributed administration model. If a server, workstation, or network device needs attention on a site whose size justifies having its own administrator or administrative team, the administrative rights to carry out the required tasks should be delegated to local administrators.

The distributed administration model is commonly used in enterprises that have a number of large, geographically distributed locations—for example, a multinational organization. Such organizations typically have several domains or even several forests. Although rights are delegated to both administrative and nonadministrative staff on a regional basis, a group of enterprise administrators can typically perform high-level administrative tasks across domains and across forests.

Mixed Administration Model

The mixed administration model uses both centralized and distributed administration. For example, you could define all security policies and standard server configurations from a central site but delegate the implementation and management of key servers by physical location. Administrators can configure servers in their own location but cannot configure servers in other locations. You can distribute the rights to manage only local user accounts to local administrators and restricted rights over specific OUs to nonadministrative staff. As with the distributed administrative model, an enterprise administrators group would have rights in all locations. This model is used in medium-sized organizations with a few fairly large sites that are geographically separated but in which the main office wants to keep control of certain aspects of the operation.

Other -----------------
- BizTalk Server 2006 : Starting a New BizTalk Project - Organizing Artifacts in BizTalk 2006
- BizTalk Server 2006 : Starting a New BizTalk Project - Structuring and Integrating with Visual Studio
- Deploying the Client for Microsoft Exchange Server 2007 : Planning Considerations and Best Practices, Preparing the Deployment
- Deploying the Client for Microsoft Exchange Server 2007 : Outlook 2007 Auto Account Setup, Understanding Deployment Options
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 6) - Package Distribution Process Flow
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 5) - Creating a Package from a Definition File
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 4) - Creating a Package from Scratch - Creating Programs
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 3) - Creating a Package from Scratch - Defining Distribution Points
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 2) - Creating a Package from Scratch - Defining Access Accounts
- Microsoft Systems Management Server 2003 : Creating Packages for Distribution (part 1) - Creating a Package from Scratch
- First look: Apple Watch

- 10 Amazing Tools You Should Be Using with Dropbox

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
Top 10
- Microsoft Excel : How to Use the VLookUp Function
- Fix and Tweak Graphics and Video (part 3) : How to Fix : My Screen Is Sluggish - Adjust Hardware Acceleration
- Fix and Tweak Graphics and Video (part 2) : How to Fix : Text on My Screen Is Too Small
- Fix and Tweak Graphics and Video (part 1) : How to Fix : Adjust the Resolution
- Windows Phone 8 Apps : Camera (part 4) - Adjusting Video Settings, Using the Video Light
- Windows Phone 8 Apps : Camera (part 3) - Using the Front Camera, Activating Video Mode
- Windows Phone 8 Apps : Camera (part 2) - Controlling the Camera’s Flash, Changing the Camera’s Behavior with Lenses
- Windows Phone 8 Apps : Camera (part 1) - Adjusting Photo Settings
- MDT's Client Wizard : Package Properties
- MDT's Client Wizard : Driver Properties
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro