The University of Arizona
'CatNet – Enterprise Active Directory Domain Services

Membership Options

‘CatNet offers two membership options for interested colleges or departments: delegated organizational units or child domains.  There are policies in place to govern both options, and college or department IT administrators are required to agree to abide by the published ‘CatNet policies before membership of either type is granted.

By accepting membership requests the UITS Windows Enterprise Administrators Team agrees to abide by the following policies as they apply to the forest as a whole and each organizational unit and/or child domain.

  • Enterprise admins are responsible for maintaining the forest infrastructure.  They monitor, troubleshoot and repair the forest domain controllers and enterprise level member servers and enforce enterprise level policies. 

  • Enterprise admins are responsible for responding to any domain controller or Active Directory issues in a timely manner.

  • Enterprise admins may assist with Active Directory migration, group policy implementation or other Active Directory tasks only at the request of an OU or child domain administrator.

  • Enterprise admins are responsible for communicating any enterprise level changes that directly impact the OU or child domain administrators (whether positively or negatively) to the OU and Child Domain Administrators group(s). 

  • Enterprise admins will not make any changes to any objects within a delegated OU or child domain unless asked to do so by the OU or child domain administrator or unless the object(s) are in violation of the ‘CatNet Active Directory policies.

Delegated Organizational Units

Delegated Organizational Units are the preferred form of membership in ‘CatNet.  A department delegated OU can be obtained by submitting a request to the UITS Windows Enterprise Administrators team.  In order for UITS to process a request for an OU, the requesting department must provide the names and contact information for at least two OU administrators and a summary of the Active Directory objects they intend to migrate into the OU, if any.  The following roles will be applied for departments or colleges joining ‘CatNet as an OU.

OU Admin Role

OU administrators are responsible for any and all objects they create within the Active Directory.  This responsibility includes, but may not be limited to, adding and removing users from groups within their delegated OU, controlling access to any resources they make available in the Active Directory and adhering to the naming conventions defined by UITS.  If any issues arise that require the attention of the UITS enterprise administrators (domain controller or AD issues), the OU administrators are responsible for reporting those issues in a timely manner.  The following privileges and restrictions have been placed on OU administrative accounts.

A delegated OU admin can perform the following actions:

  • Create computer objects for member servers and client machines

  • Create printer and share resource objects

  • Create groups for managing users and computers

  • Create child OUs for security and management use

  • Apply group policy objects for security and management

  • Access the user pool in the NetID OU to manage access to resources.

A delegated OU admin cannot perform any of the following actions:

  • Manually create user accounts within the Active Directory (with the exception of service accounts)

  • Create child domains

  • Create, delete or alter objects in OUs other than their own

  • Change user passwords other than their own (manually via the UITS hosted web interface)

  • Change user attributes automatically populated into the Active Directory (phone number, email address, etc.)

Regular audits are performed on the forest, and failure to comply with the above stated policies results in a remediation/re-evaluation period.  If the compliance issues are not corrected in a timely manner, the OU delegation will be removed and all objects contained in the OU will be disabled.

Child Domains

If a department or school has a valid reason for joining ‘CatNet as a child domain rather than an OU, the department’s or school’s IT administrators should submit a Child Domain Application to the UITS Windows Enterprise Administrators Team.  The enterprise admin team will review the application and schedule a meeting with the department or school IT administrators to discuss options and expectations.  The following procedures and policies apply to all child domains in ‘CatNet.

Procedure for joining the Forest

The first thing to consider before joining the ‘CatNet forest as a child domain is the domain name.  Child domain administrators have two options: they can either select a new domain name with which to join the forest, or use Microsoft’s Domain Rename tool to rename their existing domain, thus freeing up the current domain name for use in the forest.  Because a domain rename involves all domains in the forest and affects all computer accounts, from domain controllers to workstations, a domain rename procedure will not be performed for any child domains within the forest.  Once the question of names is resolved, the following steps will be taken:

  • UITS will establish the child domain with a single temporary virtual domain controller.

  • UITS will work with the Child Domain administrators to establish a trust between the new child domain and the existing external domain.

  • The child domain administrators will create a domain account in their existing domain for migration purposes and UITS will assign the appropriate rights for the migration user account in the child domain.

  • The child domain administrators will use Microsoft’s Active Directory Migration Tool to migrate existing service accounts, computer accounts and security groups.  Existing domain administrator accounts may be migrated to the new child domain, but no other user accounts may be migrated.  All security groups will be populated with the NetID accounts from the NetID OU.  UITS will assist with the migration process as necessary or as requested.

Child Domain Membership Policy

  • Child domains must have at least two full time, online peer (backup) domain controllers

  • DCs must meet or exceed Microsoft’s minimum computer hardware requirements

  • No third party or MS add-on software is allowed on domain controllers.

  • DCs must be in a backup program and have full recoverability procedures documented and successfully tested.

  • DCs must allow and not attempt to block group policy replicated from the forest root

  • All child domains are required to run at the highest available functional level in the forest; currently Windows Server 2003 Domain and Forest Functional Level.

  • All Windows systems within the child domain must follow the prescribed DNS naming scheme.

  • Child domains will not attempt to create additional child domains “below” theirs (grand child domains); organizational units will be used instead.

  • No non-administrative local logins are allowed to the domain controllers

  • The domain controllers must be housed in a secure area with controlled access.

  • At least two weeks’ worth of backups, event logs and audit logs must be maintained.

  • Access to all backups and logs must be provided to the enterprise administrators group for security/debugging purposes.

  • All systems in the child domain must remain current with Microsoft service packs and patches.

  • If there is a legitimate reason why systems cannot be perfectly current with all Microsoft service packs and patches, the child domain administrators must have a documented plan for testing and applying service packs and/or monthly patches that includes a reasonable timeframe for completion.

  • Failure to comply with the above stated policies results in a remediation/re-evaluation period followed by disconnection of the child domain if compliance issues are not resolved in a timely manner.
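A compliance check for three of the rules above (no manually created non-service user accounts in a delegated OU; at least two domain controllers and the required functional level in a child domain), as an added PowerShell example that is not part of the ‘CatNet policy or of any UITS tooling. It assumes the ActiveDirectory module, read access to the forest, a hypothetical `svc-` naming prefix for service accounts (the policy does not say how service accounts are distinguished), and placeholder OU and domain names.

```powershell
# Added audit example; not part of the 'CatNet policy or any UITS tooling.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Test-DelegatedOuCompliance {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        # Assumed convention: service accounts carry this prefix. The policy
        # does not say how service accounts are told apart from other users.
        [string]$ServiceAccountPrefix = 'svc-'
    )
    # Policy: OU admins may not create user accounts other than service
    # accounts, so any other user object under the delegated OU is a finding.
    Get-ADUser -SearchBase $OuDistinguishedName -Filter * -Properties whenCreated |
        Where-Object { $_.SamAccountName -notlike "$ServiceAccountPrefix*" } |
        ForEach-Object {
            [pscustomobject]@{ Check  = 'UserObjectInDelegatedOU'
                               Object = $_.DistinguishedName
                               Detail = "created $($_.whenCreated)" }
        }
}

function Test-ChildDomainCompliance {
    param(
        [Parameter(Mandatory)][string]$ChildDomainDnsName,
        # Policy: highest functional level in the forest, Windows Server 2003
        # when this page was written; raise this as the forest is upgraded.
        [string]$RequiredDomainMode = 'Windows2003Domain'
    )
    $domain = Get-ADDomain -Identity $ChildDomainDnsName
    # Policy: at least two full-time, online peer domain controllers.
    $dcs = @(Get-ADDomainController -Filter * -Server $ChildDomainDnsName)
    if ($dcs.Count -lt 2) {
        [pscustomobject]@{ Check  = 'FewerThanTwoDomainControllers'
                           Object = $domain.DNSRoot
                           Detail = "found $($dcs.Count): $($dcs.HostName -join ', ')" }
    }
    # Policy: run at the required domain functional level (or higher).
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]$RequiredDomainMode
    if ($domain.DomainMode -lt $required) {
        [pscustomobject]@{ Check  = 'DomainFunctionalLevelTooLow'
                           Object = $domain.DNSRoot
                           Detail = "is $($domain.DomainMode), policy requires $required" }
    }
}

# Usage with placeholder names; the output is empty when both are compliant.
Test-DelegatedOuCompliance -OuDistinguishedName 'OU=ExampleDept,DC=catnet,DC=example'
Test-ChildDomainCompliance -ChildDomainDnsName 'child.catnet.example'
```

Each finding names the check, the offending object and a detail string, so the output can be piped to Export-Csv for the remediation/re-evaluation record the policy calls for.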