Understanding Data Management
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following section provides an overview of all data management categories and is aimed at helping you gain a better understanding of all aspects of Active Directory data management. This section also presents Microsoft-recommended roles that should be sufficient for providing administrative coverage for all aspects of Active Directory data management, taking into account the administrative needs of the service owners and administrators, who are the main stakeholders in Active Directory data management.
Data Management Categories
Data management involves managing all aspects of the data stored in or protected by Active Directory. This content includes domain data, which primarily consists of accounts for users and computers, security groups, and application-specific data. As mentioned earlier in this chapter, data management includes account management, security-group management, resource management and application-specific data management.
Account management entails managing all aspects of user accounts – from creating new accounts to maintaining them and providing account support to disabling and finally deleting accounts that are no longer needed. For example, when a user joins a business unit, either a new account must be created or an existing account must be moved from an existing business unit. During its existence, the account requires maintenance and support. Account support includes administrative operations like resetting passwords and unlocking user accounts. At some point, the user leaves the business unit and the account must be discontinued: Account management includes the administrative tasks for disabling and finally deleting user accounts.
Security Group Management
A security group is a collection of security principals. Security-groups enable aggregation of a set of users for the purpose of authorization. Security group management typically includes such administrative tasks as creating security groups, provisioning security groups to grant access to various resources, managing the membership of security groups, and discontinuing security groups.
Security groups typically have two main uses:
Accounts Groups – Security groups can serve as resource groups that are used to grant access to resources.
Resource Groups – Security groups can also serve to aggregate security principals to collectively authorize access to resources, which is usually achieved by making an account group a member of a resource group.
Security groups play a major role in implementing an organization’s IT authorization strategy, and thus security group management should not be taken lightly.
An organization’s IT resources typically include end-user workstations, servers, and applications and resources that are running or hosted on member servers, and in some cases on end-user workstations. All of these collectively constitute an organization’s IT resources, and all require administrative coverage. Resource management thus plays an important role in managing an IT infrastructure and Active Directory plays a central role in facilitating resource management.
Resource management involves providing the means for administrators to:
Manage end-user workstations – Provide general IT support, including installation and troubleshooting.
Manage individual servers – Manage the physical computer, including monitoring, hardware maintenance, and installation.
Manage resources hosted on servers – Manage the service aspects of resources and applications (including business applications and portals) that are hosted on one or more servers.
The delegation capabilities of Active Directory can be used to meet the administrative needs of organizations of all sizes. Active Directory can facilitate the distribution and delegation of administrative responsibility for managing all aspects of an organization’s IT resources, taking into account administrative needs specific to the organization.
Workstations that are used in day-to-day operations require administrative support. Administrators or operators who are responsible for workstation management need administrative access to these workstations. The access they require is provided as a part of delegating administrative authority for data management.
In every IT organization, servers play a major role in providing essential services, from serving files to hosting databases and business applications. For example, one set of servers might collectively play the role of file servers, while another set hosts a database application such as Microsoft® SQL Server™. A set of servers might host parts of a distributed application that provides middle-tier functionality, while another set of servers might host internal Web portals for business applications. These servers and the applications and services that they host need to be managed.
As part of resource management, administrators who are responsible for managing computers need appropriate access to these servers, including the ability to monitor the health of the servers, manage event logs, modify hardware and install drivers, install service packs and hot-fixes, and perform other similar tasks.
Server Resource Management
Services and applications hosted on a collection of one or more servers also need to be managed and require administrative coverage, often by personnel different from those who manage the physical computer. Managing the service aspects of the applications that are hosted on servers includes administrative tasks such as monitoring the service, performing configuration changes to the service, and ensuring that the service continues to be delivered as specified by service level agreements. These administrators might also require the ability to authorize access to the services that are provided by these servers. For example, administrators for a Web application might require the means to authorize the set of end-users that have access to the application.
Application-Specific Data Management
Active Directory–integrated and –enabled applications, such as Microsoft Exchange Server, usually store application-specific data in Active Directory. As a part of managing their applications, administrators for these applications usually require administrative access to their application-specific data stored in Active Directory. Additionally, administrators of these applications might also require the ability to authorize the users of their applications to access and/or modify their application data. Application-specific data management involves facilitating the required access for all stakeholders of an Active Directory–integrated or –enabled application and typically involves delegating management of application-specific data to an application’s stakeholders.
Recommended Roles for Data Management
A particularly effective method for creating an efficient administrative delegation model is to use administrative roles. A model that allows IT departments to delegate administrative responsibilities on the basis of business functions and administrative scopes lets organizations focus on business processes as opposed to technology processes. Defining these functions and scopes in terms of administrative roles enables business-driven administrative control while affording the ability to securely scale administration.
A roles-based approach to delegation makes management of delegated responsibility more tractable and increases the security of Active Directory. Additionally, it allows you meet additional needs for delegation in a simple yet deterministic fashion. Thus a roles-based approach to delegating data management is highly recommended.
Microsoft has engineered a set of recommended roles for delegating data management. These role recommendations take into account the sets of logically related administrative tasks and the security sensitivity and impact of these tasks.
The following is the set of recommended roles for delegating service management:
Business Unit Admins
Security Group Admins
Depending on its specific administrative needs, an organization might choose to create and implement a delegation model based on Microsoft-recommended roles or a set of custom roles (which might or might not be based on Microsoft recommended roles) defined by the organization.
Business Unit Admins Role
It is not uncommon for multiple business units to participate in a shared Active Directory environment. Each business unit, while participating in a shared Active Directory environment, can have its own domain data and IT resources. Each business unit should be assigned a data owner who should have overall responsibility for all aspects of data management for that business unit.
Each business unit data owner should have a Business Unit Admins administrative role representing the operational arm of data owners. This role should be assigned at least one administrator and no more than a small number of administrators. This administrative group will have complete authority over all business unit data in the directory. Administrators in this role are the business unit’s highest-ranking data administrators and are responsible for implementing and maintaining the administrative delegation model for business unit data management. Business Unit Admins also work closely with data owners during the creation of the OU structure to advise about how features such as inheritance of permissions and Group Policy affect the OU structure.
Typically, organizations will choose to first create and implement their service management delegation model, following which the data management model will be implemented. As a part of this process, the service owners should hand over responsibility for Active Directory data management to data owners. During the transfer of responsibility for data management to the data owner, the service owner should create one instance of this role for every business unit. Depending on the size of the business unit, this role should be assigned to no more than a few administrators. Administrators in this role delegate responsibility for the business unit by creating an OU hierarchy and creating and populating administrative groups to manage each OU in the hierarchy.
Account Admins Role
Every business unit has user accounts that need to be created, managed, and supported. Microsoft recommends the role of Account Admins for providing administrative coverage to manage user accounts. Responsibilities for user account management include creating accounts, populating account attributes, managing and maintaining accounts, and deleting accounts. Responsibility for account support should ideally be assigned to the Help Desk Operators, thereby removing that burden from the Account Admins role.
The Business Unit administrator of each business unit is responsible for creating one or more instances of the Account Admins role to provide administrative coverage for all aspects of Account management for all business unit user accounts, depending on the OU structure and the distribution of accounts among sub-units that the business unit might contain.
Workstation Admins Role
The Workstation Admins role is recommended for managing workstations. Depending on the administrative model, a business unit can have one or more instances of this role. For example, a business unit might be spread across multiple locations and might staff each location with a local administrative group that is responsible for managing these workstations. In this case, each local group must be delegated responsibility for managing all workstations for the business unit in that location. The number of members in each role depends on the requirements for each role instance and is typically a function of the number of workstations that need to be supported by a specific role instance.
Server Operators Role
Microsoft recommends the role of Server Operators to provide administrative coverage for managing an organization’s server computers. Administrators assigned to the role are typically responsible for managing servers.
Resource Admins Role
Microsoft recommends the Resource Admins role for facilitating administrative coverage of a collection of one or more servers and the common services hosted on this set of one or more servers. Administrators who are assigned to this role are responsible for managing the resource (application, database, or files) and the set of servers on which the resource is hosted. For instance, an organization might choose to create a cluster out of a small number of physical servers, and this cluster of servers might serve as a single virtual file server. Administrators who have been granted responsibility for managing this single virtual file server will require the ability to manage each of these servers and manage the virtual file server. One instance of this role should be created for every such resource in the business unit.
In some cases, depending on the administrative model, the group of administrators who manage the servers is different from the group of administrators who manage the services that are hosted on these servers. This role can also be used to facilitate management of only the services hosted on one or more servers. Thus, the meaning and the nature of tasks assigned to specific instance of this generic role can differ from one instance to another.
Security Group Admins Role
Microsoft recommends the role of Security Group Admins for managing all security groups required to meet the authorization needs of a Business Unit. Administrators in this role are responsible for creating and managing both account and resource security groups, and delegating the ability to manage the membership of some of these groups while retaining control over group membership of other security groups, as needed.
Microsoft recommends the implementation of one instance of this role per business unit. The reason that only one instance of this role is recommended is that any individual who can create more than 1015 security groups can misuse his or her authority or be coerced into launching a denial of service attack that could impact the ability of every user in the forest to log on.
Administrators for the various IT resources will typically require resource groups for the purpose of being able to authorize access to their resources and will also typically require account groups for the purpose of being able to aggregate a set of users to whom access can be then granted. IT resource administrators should request the creation and provisioning of required account and resource groups from the administrators in the Security Group Admins role. Administrators in this role are responsible for validating requests and then creating and provisioning the requested security groups so as to enable resource administrators to be able to use the requested groups.
Application-Specific Admins Roles
Active Directory–enabled or –integrated applications might store application-specific data in different places in Active Directory, and each such application might differ in its administrative requirements for managing application data stored in the directory. For example, certain applications might extend the class definition of user objects and store their application-specific user information on those extended user objects, while other applications might create their own OUs and store application-specific data in those application-specific OUs.
In either case, owners of such applications will typically request administrative access for their administrators to be able to manage application data. Microsoft recommends the use of Application-Specific Admins role to facilitate the access required by administrators of such applications. Use a separate custom Application-Specific Admins role for every application that stores application-specific data in Active Directory and whose administrators need administrative access to this data.
In addition to the administrators of the application, you might have to provision access for the following accounts which will typically require the ability to perform operations on the application data:
Instances of the application, running in some security context (LocalSystem or a service account)
Users of the application
When creating the delegation model, the service owner for each such application makes a request to the data owner to create the role. The service owner specifies the location of the application-specific data, the accounts that require access to the data, and the scope of the access. The data owner relays this information to the Business Unit administrator, who then facilitates this access by implementing instances of this role.
Microsoft-recommended roles are intended to facilitate the creation and implementation of a well managed and efficient Active Directory data management delegation model. They are by no means the only way to address the delegation requirements of an organization.
In addition to the roles recommended by Microsoft, organizations can choose to create custom roles to address unique administrative requirements. Creating a custom role involves the following steps:
Understand and document the purpose of the new role.
Assign a set of administrative tasks to this new role.
Determine the minimal and precise set of permissions required to delegate the set of administrative tasks identified earlier in this chapter.
Document the general scope where permissions must be applied in the directory.
After making these decisions, you can determine the number of instances that are required, create the groups to represent each instance of the role, assign permissions to enable the role, and populate the groups with the appropriate administrative user accounts.