OIT LAN Active Directory Service Support
OIT is now able to provide support for Microsoft Active Directory Services on campus. OIT LAN Support in conjunction with OIT Network Services has provided a solution for implementing ADS services on campus.
Any department can become part of the ADS tree. When added to the tree, the department will maintain full control over its container and any branches off of that container. It will also have the ability to grant other departments rights to objects within its container. There will be no charge for membership in the tree, nor will there be a charge for being added to the tree.
In order to add a server into the tree the department needs to understand and agree to the following:
- All usernames except those grandfathered in from NT4 domain imports must match their OIT NetID.
- OIT LAN support will have administrative control over the entire tree including every department's container.
- Departments will be allowed to use AD security to isolate themselves from parent and child containers. Departments may not block OIT LAN Support system policies or administrative access. Departments also will not be able to modify the ADS schema without working with OIT in order to maintain stability of the domain for all departments and users.
- In order to maintain the security and integrity of the tree, any Domain Controller added to the forest will be maintained by OIT in two secure locations. Currently every domain is supported by two HP ProLiant DL-class servers. Each has a RAID5 disk array and redundant fans and power supplies. Both locations have UPS power backup and generator power backup. All servers maintained by departments will be member servers. OIT places no restrictions on what hardware departments run their servers on; however, we do recommend that servers be run on hardware that is designed to be a server, such as HP ProLiants and Dell PowerEdges.
- A department that previously had its own domain will become part of a larger domain based on their location in the campus organizational hierarchy. Existing domains will be required to audit their user database before addition to the tree. Departments should be aware that their domain will most likely become a container in a larger domain. Some work on servers to migrate to the new domain name can be done by LAN Support free of charge if necessary.
- Departments will be responsible for removing all inactive accounts. Departments will also be responsible for making sure users are using passwords that are at least 6 characters with letters and numbers. After 11/26/2007 all accounts with password changes and newly created accounts will conform with the Microsoft complex password rules*. OIT recommends using strong encryption whenever possible.
The ADS forest root server containing the global catalog is a highly fault-tolerant server located in the OIT machine room. The global catalog is also distributed across 3 of the other DCs for redundancy. The ADS forest is a delegated subdomain of the UMASS DNS hierarchy. OIT has designed the Active Directory forest after the campus organizational chart. Currently there are domains created for every major organizational unit on campus. In the case of the Provost/Academic Affairs, the Research and University Outreach groups were split into their own domain to keep the size of the domain down. OIT Classroom Operations also acts as its own domain due to the incredibly large number of accounts used for that operation.
While the usage of the OIT ADS service is not mandatory, the creation of your own forest and domain can cause a great deal of difficulty. Any forest or domain that is created without being integrated into DNS will not be able to properly communicate with any other forest or domain. It is likely that group policy, Exchange services and out-of-building access will all have some degree of degraded service or will fail to work at all. This will affect cross-department communication as well as future connections to the on-campus SIS system. Once a site has decided to create its own non-DNS-integrated Active Directory service, there will be no way to cleanly migrate those accounts into the OIT DNS-integrated ADS service. OIT highly recommends against the creation of a standalone ADS forest and domain.
* Please note that the Active Directory rules are slightly stricter than the OIT rules.
This setting enables Windows Server 2003 to verify that new passwords meet complexity requirements. The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:
- Is not based on the user's account name.
- Contains at least six characters.
- Contains characters from three of the following four categories:
  - Uppercase alphabet characters (A–Z)
  - Lowercase alphabet characters (a–z)
  - Arabic numerals (0–9)
  - Nonalphanumeric characters (for example, !$#,%)
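To make the difference between the two rule sets concrete, the following added example (not part of this page or of any OIT tool) checks a candidate password against the OIT rule stated above (at least 6 characters with letters and numbers) and against the four Passfilt.dll requirements listed in the footnote. The "not based on the account name" check is simplified to a case-insensitive substring test on an account name of at least three characters; that reading is an assumption for the example, not Passfilt.dll's exact algorithm. All sample passwords and account names are constructed.

```python
"""Compare a candidate password against the OIT rule and the AD complexity rules."""
from typing import List

# The three ASCII categories named in the footnote; anything else counts as
# nonalphanumeric for the purposes of this example.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")


def categories_present(password: str) -> int:
    """Count how many of the four Passfilt categories appear in the password."""
    has_upper = any(c in UPPER for c in password)
    has_lower = any(c in LOWER for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_other = any(c not in UPPER and c not in LOWER and c not in DIGITS for c in password)
    return sum([has_upper, has_lower, has_digit, has_other])


def based_on_account_name(password: str, account_name: str) -> bool:
    """Simplified 'based on account name' test (assumption for this example):
    an account name of 3+ characters must not appear in the password, ignoring case."""
    name = account_name.lower()
    return len(name) >= 3 and name in password.lower()


def meets_oit_rules(password: str) -> bool:
    """OIT rule from the page body: at least 6 characters with letters and numbers."""
    return (
        len(password) >= 6
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def meets_ad_complexity(password: str, account_name: str) -> List[str]:
    """Return the list of failed Passfilt requirements; an empty list means accepted."""
    failures = []
    if based_on_account_name(password, account_name):
        failures.append("based on account name")
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    if categories_present(password) < 3:
        failures.append("fewer than 3 of 4 character categories")
    return failures


if __name__ == "__main__":
    # Constructed samples: a password that satisfies the OIT rule but not AD,
    # one that satisfies both, and one that is too short for either.
    for pw, user in [("jsmith07", "jsmith"), ("Summer07", "jsmith"), ("Abc1!", "jsmith")]:
        print(f"{pw!r}: OIT ok={meets_oit_rules(pw)}, AD failures={meets_ad_complexity(pw, user)}")
```

The first sample shows why the footnote matters: "jsmith07" clears the OIT rule but fails AD complexity twice, both because it contains the account name and because it uses only two of the four character categories.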