Windows Server 2008 : Designing the Active Directory Administrative Model (part 1) - Delegating Active Directory Administration

4/17/2013 3:49:51 PM

As an enterprise administrator, you will plan and design the administrative model for AD DS within your enterprise. You are unlikely to create groups, delegate control of organizational units (OUs), or configure and link Group Policy objects yourself, but you will design a delegation structure so that less senior members of staff can carry out the tasks required to implement your plans without being given more rights and permissions than they need to do their job.

Because every domain in an Active Directory forest is joined to its parent by an automatic two-way transitive trust, domain and server administrators seldom need to configure trusts. Implementing a permission and administration model across a multi-forest enterprise network is, therefore, likely to be a task you do yourself, and it requires you to work with universal groups and forest trusts.

Your planning should always consider the structures already available to you by default. You should not plan a new domain local security group, for example, when a built-in local security group already exists that facilitates your aims. Therefore, be aware of the security groups that are installed by default or installed automatically when features such as read-only domain controllers (RODCs) are implemented.

You are unlikely to create OUs and Group Policy objects (GPOs) personally, but you need to plan which OUs and GPOs are created and how they are linked. You need to delegate group and OU management. You will not typically audit ordinary users personally, but you do need to audit the high-level activities of your administrative team.

Designing and planning an Active Directory administrative model in the enterprise is a complex task. This lesson discusses the aspects of this task.

Real World

Ian McLean

One of the most difficult things a manager needs to learn is how to delegate. As an enterprise administrator, that’s what you are—a manager. You’re a manager with a high level of technical knowledge, but still a manager, and that’s where many excellent server and network administrators fall down. You might be a first-class coder who can produce Microsoft Windows PowerShell and batch files without even thinking about it. You might be a troubleshooting wizard who can identify a network or server fault while others are still rolling up their sleeves; your Group Policy configuration might be immaculate. However, if you are busy changing a password for a forgetful user while the entire enterprise goes wrong for lack of planning, you are not doing your job.

You need to plan. You need to organize. You need to ensure that your staff is given the appropriate training—and that does not mean training people yourself. You need to delegate jobs to people who (in your opinion) know how to do them. You need to ensure that they receive advice and training if they don’t.

The main problem for most fledgling enterprise administrators is lack of control. You need to trust your staff, and if one of your junior administrators makes a mistake, you must take the responsibility for a mistake that wasn’t yours. You will wear a suit and seldom, if ever, crawl behind wiring racks. You need to accept that your server administrators know more about their particular sections of the network than you do.

Others will configure servers and create OUs. You will plan the structure of your Active Directory forest or forests and the permissions structure in your enterprise. You still need to keep up to date technically—you can’t plan a Windows Server 2008 domain unless you know the features Windows Server 2008 offers you—but your job is planning, supervising, and administering.

Enjoy.


1. Delegating Active Directory Administration

A well-planned delegation strategy enables you to increase security and manage resources efficiently while meeting administrative requirements. Delegation increases administrative efficiency, decentralizes administration, reduces administrative costs, and improves the manageability of IT infrastructures.

Delegation is the transfer of administrative responsibility for a specific task from a higher authority to a lower authority. From a technical perspective, delegation of administration involves a senior administrator granting a controlled set of permissions to a less experienced administrator to carry out a specific administrative task.

Typically, the administrative model in large organizations with enterprise networks is one in which different divisions and business units share a common IT infrastructure. This IT infrastructure can span multiple organizational and geographic boundaries. Such an environment generally has the following requirements:

  • Organizational structure requirements Part of an organization might participate in a shared infrastructure to save costs but require the ability to operate independently from the rest of the organization.

  • Operational requirements An organization might place unique constraints on directory service configuration, availability, or security.

  • Legal requirements An organization might have legal requirements to operate in a specific manner such as restricting access to confidential information.

  • Administrative requirements Different organizations might have different administrative needs, depending on existing and planned IT administration and support models.

  • Organization size Organizations can be small, medium, or large. A complex and sophisticated delegation structure for a small organization with a small team of administrators is unlikely to work.

When planning a delegation strategy, you need to have a very good grasp of your organization’s requirements. These requirements help you plan the degree of autonomy and isolation within the organization or within sectors of the organization. Autonomy is the ability of the administrators of an organization to manage independently all or part of service management (service autonomy) and all or part of the data stored in or protected by AD DS (data autonomy).

Isolation is the ability of an administrator or an organization to prevent other administrators from controlling or interfering with service management (service isolation) and from controlling or viewing a subset of data in AD DS or on member servers and client computers that have accounts in AD DS (data isolation).

In a large organization, autonomy and isolation need to be carefully managed. You might want to manage some services on an enterprise-wide basis. For example, it is a valid model for even a very large organization to have a single domain tree or even a single domain with many sites. You might want to use Distributed File System (DFS) Replication to replicate SYSVOL (Group Policy templates and logon scripts) throughout the enterprise, but your Australian sites want to control their own password policy. You could use fine-grained password policies in this instance, although managing them for a large number of users might not be practical, and they require a domain functional level of Windows Server 2008 (as does DFS Replication of SYSVOL), which you cannot reach while Microsoft Windows 2000 Server or Microsoft Windows Server 2003 domain controllers (DCs) remain in the domain. Autonomy can be granted within a domain or by creating a child domain, but strict service or data isolation requires a separate forest: the forest, not the domain, is the security boundary in AD DS, because a domain administrator in any domain can gain control of the entire forest.
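The Australian password-policy case above, carried through as an added example (not code from the original lesson). It checks the domain functional level first, because a Password Settings Object (PSO) created in a domain below the Windows Server 2008 level is stored but never applied. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and a global security group named AU-Users that holds the Australian accounts; the group name and the policy values are assumptions.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module and
# an existing global security group "AU-Users" (assumed name).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

# PSOs are honoured only at Windows Server 2008 domain functional level or higher.
# Stop here rather than create a policy that silently has no effect.
if ([int]$domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 before using PSOs."
}

# Lower precedence wins when a user is covered by more than one PSO.
$pso = New-ADFineGrainedPasswordPolicy -Name 'AU-Password-Policy' `
    -Precedence 10 `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# Apply the PSO to a global security group rather than to individual users:
# the Australian team can then re-scope the policy by managing group membership
# without being given rights over the PSO itself.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'AU-Users'

# Check: the resultant policy for a member of the group must be the new PSO.
$member = Get-ADGroupMember -Identity 'AU-Users' | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

PSOs can be applied only to user objects and global security groups, so a site-specific global group is the natural unit of delegation here; the resultant-policy check at the end is what to repeat after any change to precedence or membership.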


Classifying Organizations

One of your first steps in planning an organization’s delegation structure is to classify the organization. Organizations can be classified based on their size in the following categories:

  • Small organizations Typically, these have 25 to 50 workstations and three to five servers.

  • Medium organizations Typically, these have 50 to 500 workstations and 4 to 50 servers.

  • Large organizations Typically, these have at least 500 workstations and 50 servers.

Small and medium organizations typically have a very small number of administrative groups that are responsible for managing all aspects of AD DS. Small and medium organizations might not need to create an extensive delegation model. Large organizations generally must distribute and delegate administrative authority to various administrative groups, possibly delegating certain aspects of Active Directory management to centralized teams and delegating other aspects to decentralized teams. Although large organizations will find the delegation capabilities of AD DS most useful, small and medium organizations can often achieve enhanced security, increased control, more accountability, and reduced costs by implementing a degree of delegation.

Delegation Benefits and Principles

By efficiently delegating administrative responsibilities among various administrative groups, you can address the specific requirements of administrative autonomy and successfully manage an AD DS environment. Delegation of administration provides the following benefits:

  • Each administrative group has a defined and documented scope of authority and set of responsibilities.

  • Administrative authority is decentralized.

  • The delegation of administrative responsibility addresses the security concerns of the organization.

When you are planning the delegation of administration, adhere to the following principles:

  • Distribute administrative responsibilities on the basis of least privilege This ensures that the individual or group of individuals to whom the task has been delegated can perform only the tasks that are delegated and cannot perform tasks that have not been explicitly delegated or authorized.

  • Increase administrative efficiency Many of the responsibilities for managing Active Directory content can be handed to the directory service itself. For example, permissions set once on an OU are inherited by every object later created in it, so a delegation does not have to be repeated for each new account. This automates management and increases efficiency.

  • Reduce administrative costs You can do this by facilitating shared administrative responsibility. For example, you could allocate administrative responsibility for providing account support to all accounts in the organization to a specific group. You need to ensure, however, that the organization’s autonomy requirements are met.

Managing Active Directory Through Delegation

The primary reason for delegating administrative authority is to allow organizations to manage their Active Directory environments and the data stored in AD DS efficiently. Delegation of administration makes Active Directory management easier and enables organizations to address specific administrative needs.

The administrative responsibilities of managing an Active Directory environment fall into two categories:

  • Service management Administrative tasks involved in providing secure and reliable delivery of the directory service

  • Data management Administrative operations involved in managing the content stored in or protected by the directory service

Service Management

Service management includes managing all aspects of the directory service that are essential to ensuring the uninterrupted delivery of the directory service across the enterprise. Service management includes the following administrative tasks:

  • Adding and removing DCs

  • Managing and monitoring replication

  • Ensuring the proper assignment and configuration of operations master roles

  • Performing regular backups of the directory database

  • Managing domain and DC security policies

  • Configuring directory service parameters such as setting the functional level of a forest or putting the directory in the special List Object security mode (a forest-wide dSHeuristics setting under which users who lack List Contents on a container can still see the individual child objects on which they have been granted List Object permission)

Data Management

Data management includes managing the content stored in AD DS as well as content protected by Active Directory. Data management tasks include the following:

  • Managing user accounts

  • Managing computer accounts

  • Managing security groups

  • Managing application-specific attributes for AD DS–enabled and AD DS–integrated applications

  • Managing workstations

  • Managing servers

  • Managing resources

You delegate Active Directory administrative functions such as service and data management in response to the geographical, business, and technical infrastructure of an enterprise. A well-implemented delegation model provides coverage for all aspects of Active Directory management, meets autonomy and isolation requirements, efficiently distributes administrative responsibilities (with a limited subset of tasks delegated to nonadministrators), and delegates administrative responsibilities in a security-conscious manner.

Defining the Administrative Model

To manage an enterprise environment effectively, you need to define how tasks will be assigned and managed. Your plan for delegating responsibility for the network defines the enterprise’s administrative model. Microsoft identifies the following three types of administrative models that you can use to allocate the management of the enterprise network logically between individual administrators or departments within the enterprise’s IT function:

  • Centralized

  • Distributed

  • Mixed

If no administrative model exists, the environment is managed chaotically, and most administrative tasks are typically handling emergencies. In this case, tasks such as server updates and modifications are frequently performed on the spot without proper testing. When administrative and maintenance tasks are not performed in a consistent manner, securing the environment and auditing administrative events are exceptionally difficult. Environments that do not follow an administrative model are administered reactively rather than proactively.

To identify the correct administrative model, determine which services are needed in each location in the enterprise and where the administrators with the skills to manage these services are located. Placing administrators in branch offices that require very little IT administration is usually a waste of money, which is one of the major reasons that Windows Server 2008 introduced RODCs: an RODC holds a read-only copy of the directory, caches only the credentials you permit it to, and supports administrator role separation, so a local user can be delegated administration of the RODC itself without being granted any rights in the domain.

Centralized Administration Model

In the centralized administration model, IT-related administration is controlled by one group, typically located at the head office or possibly at the enterprise’s research facility. In this model, all critical servers are housed in one location (or a very few locations), which facilitates central backup and an appropriate IT staff member being available when a problem occurs.

For example, if an organization locates mission-critical servers (such as Microsoft Exchange Server 2007 messaging servers) at each site, a qualified staff member might not be available at a remote site if a server needs to be recovered from backup, and remote administration (if possible) would be required. In the centralized administration model, all the servers running Exchange Server 2007 and the appropriate administrator would be located in a central office, enabling recovery and administration to be handled as efficiently and effectively as possible.

The centralized administration model is typically used in organizations that have one large central office with a few branch offices and typically a single Active Directory domain. Delegation is by function rather than by geographical location, and most tasks are allocated to IT staff, although some can be delegated to nonadministrators. For example, the head of the Accounting department could be delegated the task of resetting passwords for all the users in the Accounting OU (but have no rights in the rest of the organization).
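The Accounting example above, carried out and then checked, as an added example (not code from the original lesson). It grants what the Delegation of Control Wizard calls "Reset user passwords and force password change at next logon": the Reset Password extended right plus Read/Write on pwdLastSet, scoped to descendant user objects of the OU only. It then lists the explicit ACEs on the OU so the result can be reviewed. It uses System.DirectoryServices, which is available on Windows Server 2008 without the ActiveDirectory module. The domain contoso.com, the OU name Accounting and the group Accounting-PasswordResetters are assumptions; the three GUIDs are the well-known schema identifiers, which are the same in every forest.

```powershell
# Added example, not from the original page. Domain, OU and group names are assumed.
$ouPath    = 'LDAP://OU=Accounting,DC=contoso,DC=com'
$groupName = 'CONTOSO\Accounting-PasswordResetters'

# Well-known schema GUIDs (identical in every AD DS forest).
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password (User-Force-Change-Password) extended right
$pwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute (needed for "must change at next logon")

$ou  = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ouPath
$sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $groupName).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Apply to descendant user objects only, never to the OU object itself.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the Reset Password extended right on user objects under the OU.
$resetRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow,
    $resetPasswordGuid,
    $inherit,
    $userClassGuid
)

# ACE 2: Read and Write of the pwdLastSet property on the same objects.
$pwdRights = [System.DirectoryServices.ActiveDirectoryRights](
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
$pwdLastSetRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    $pwdRights,
    $allow,
    $pwdLastSetGuid,
    $inherit,
    $userClassGuid
)

$ou.ObjectSecurity.AddAccessRule($resetRule)
$ou.ObjectSecurity.AddAccessRule($pwdLastSetRule)
$ou.CommitChanges()

# Check: every explicit (non-inherited) ACE on the OU. Beyond the two rules above,
# any GenericAll, WriteDacl, WriteOwner or GenericWrite granted to a non-administrative
# group here is over-delegation and should be removed.
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The two ACEs together are exactly what the wizard's preset task writes; granting only the extended right lets the delegate reset passwords but not force a change at next logon, while granting WriteProperty without an attribute GUID would hand over every attribute of every user in the OU. The final listing is the audit step: run it on each delegated OU and compare the output with the delegation you documented.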

The Distributed Administration Model

In the distributed administration model, tasks are delegated to IT and non-IT staff members in various locations. The rights to perform administrative tasks can be granted based on geography, department, or job function. Also, administrative control can be granted for a specific network service such as DNS or a Dynamic Host Configuration Protocol (DHCP) server. This enables separation of server and workstation administration without giving nonadministrators the rights to modify network settings or security. A sound, well-planned delegation structure is essential in the distributed administration model.

Exam Tip

Note that the exam does not include direct references to Dynamic DNS. It will, however, refer to dynamic updates as well as to Active Directory–integrated DNS zones. Any time a DNS server is updated automatically through authorized clients, it is a DDNS server. Keep this in mind when taking the exam.


Windows Server 2008 enables granular administrative rights and permissions, giving enterprise administrators more flexibility when assigning tasks to staff members. Delegation based purely on geographical proximity is common in this model. If a server, workstation, or network device needs attention on a site whose size justifies having its own administrator or administrative team, the administrative rights to carry out the required tasks should be delegated to local administrators.

The distributed administration model is commonly used in enterprises that have a number of large, geographically distributed locations—for example, a multinational organization. Such organizations typically have several domains or even several forests. Although rights are delegated to both administrative and nonadministrative staff on a regional basis, a group of enterprise administrators can typically perform high-level administrative tasks across domains and across forests.

Mixed Administration Model

The mixed administration model uses both centralized and distributed administration. For example, you could define all security policies and standard server configurations from a central site but delegate the implementation and management of key servers by physical location. Administrators can configure servers in their own location but cannot configure servers in other locations. You can distribute the rights to manage only local user accounts to local administrators and restricted rights over specific OUs to nonadministrative staff. As with the distributed administrative model, an enterprise administrators group would have rights in all locations. This model is used in medium-sized organizations with a few fairly large sites that are geographically separated but in which the main office wants to keep control of certain aspects of the operation.
