Creating a Service Management Delegation Model
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The process of creating an administrative delegation model that addresses service management needs must be guided by security and efficiency considerations. By following the recommendations that are presented in this section, you can create a documented administration model that ensures that:
Administrative coverage has been provided for all aspects of Active Directory service management.
Administrative responsibilities have been distributed among appropriate administrative groups in accordance with sound security practices.
Many service administrative tasks require permissions that allow an administrator to make potentially harmful changes to the directory service. Harmful changes might be made in error, by a malicious administrator, or by an unauthorized administrator who has usurped permissions. Avoiding errors is the reason for selecting the most highly skilled administrators to perform security-sensitive administrative tasks. Avoiding malicious changes is the reason for selecting the most highly trusted service administrators. And preventing an unauthorized administrator from wrongfully gaining permissions is the reason for incorporating security measures into the delegation model itself.
The efficiency of the administrative delegation model requires that tasks be divided among the appropriate number and level of administrators to provide an optimal workload, while also providing complete coverage. Both the efficiency and security of the administrative delegation model are served by assigning the least privileges that are required to perform each task.
Note
The information in this document applies to Active Directory infrastructures that have an existing forest and domain structure. For information about creating a forest and domain structure, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723).
Guidelines for Creating a Service Delegation Model
Creating an efficient and security-conscious model based on these roles involves the following steps:
Understand the nature of the responsibilities assigned to each Microsoft-recommended role and, if needed, customize the definition of these roles by adding or removing assigned tasks from the recommended role definitions.
Determine the number of instances of the role that are required for your environment. The number of instances of each Microsoft-recommended role is presented earlier in this document and is summarized in Table 3.
Table 3 Service Management Roles and Recommended Number of Instances

Service Management Role | Recommended Number of Instances
---|---
Forest Configuration Operators | One instance per forest
Domain Configuration Operators | One instance per domain
Security Policy Administrators | One instance per forest
Service Admin Managers | One instance per forest
Domain Controller Administrators | One instance for every set of domain controllers physically located in a centrally or remotely located datacenter; one instance for the set of all domain controllers physically located in remote locations but centrally managed via remote management solutions; optionally, one instance for every domain controller that is locally managed at a branch office, assuming that a remote management solution is not being used
Backup Operators | One instance per domain
Schema Administrators | One instance per forest
Replication Management Administrators | One instance per forest
Replication Monitoring Operators | One instance per forest
DNS Administrators | One instance per forest
Based on the size and specifics of your Active Directory environment, determine the number of administrators to assign to each instance of the role.
For each instance of each role, identify the specific administrators who will be assigned to the role. Document these role assignments.
Documenting Your Service Administrative Delegation Model
After completing the process for creating the administrative delegation model, service owners should document the model and then maintain this document on an ongoing basis. When changes in service administration are required due to organizational changes or growth, the model must be changed to reflect the new requirements.
The administrative delegation model document should include the following:
A list of all roles that are being used
The number of instances of every role
A list of administrators that are assigned to each role instance
The administrative responsibilities that are assigned to each role
Later in the process, when the delegation model is implemented, update this document to include the following information:
The specific security group that is used to represent each role instance
The specific permissions granted to each security group
All audit settings that are set to monitor administrative operations
Table 4 is a template you can use to document your role instances.
Table 4 Template to Document Specific Role Instances (With Example Values)
Field | Assignment Information
---|---
Role Instance Name | Contoso Sec Pol Admins
Instance of | Security Policy Admins
Instance # | 1 of 1
Assigned Administrators | Michael Allen
Assigned Tasks | No customization – based on Microsoft-recommended role-to-task assignments. Refer to document located at: document location
Security Group | To be supplied during Implementation phase
Permissions Assigned | To be supplied during Implementation phase
Notes | Members in this role are based in Chicago. Security Clearance requirements met for all administrators.
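The steps above (determining the number of role instances from Table 3 and documenting each instance in the form of Table 4) can be checked mechanically once the model is recorded as data. The following is an added example, not part of the Microsoft document: it computes the coverage gaps between a documented model and the recommended instance counts, and compares each instance's documented administrators with a snapshot of its security group's membership, which is how an usurped or undocumented membership would show up. The environment, the model entries beyond the Table 4 example, the group names and the membership snapshot are all constructed.

```python
# Added example (not from the Microsoft document): checks a documented service
# delegation model against the Table 3 instance counts and against a snapshot of
# security-group membership. All names and data below are constructed.

# Recommended number of instances per role (Table 3), expressed as a scope.
ROLE_SCOPE = {
    "Forest Configuration Operators": "forest", "Domain Configuration Operators": "domain",
    "Security Policy Administrators": "forest", "Service Admin Managers": "forest",
    "Domain Controller Administrators": "datacenter", "Backup Operators": "domain",
    "Schema Administrators": "forest", "Replication Management Administrators": "forest",
    "Replication Monitoring Operators": "forest", "DNS Administrators": "forest",
}

def expected_instances(environment):
    """Instances each role needs for the given forests, domains and datacenters."""
    counts = {scope: len(environment[scope + "s"]) for scope in ("forest", "domain", "datacenter")}
    return {role: counts[scope] for role, scope in ROLE_SCOPE.items()}

def coverage_gaps(model, environment):
    """Roles whose documented instances fall short of the recommended number (step 2)."""
    documented = {}
    for inst in model:
        documented[inst["instance_of"]] = documented.get(inst["instance_of"], 0) + 1
    return {role: need - documented.get(role, 0)
            for role, need in expected_instances(environment).items()
            if documented.get(role, 0) < need}

def membership_drift(model, group_members):
    """Per instance: group members not in the documented list, and documented admins not in the group."""
    drift = {}
    for inst in model:
        actual = set(group_members.get(inst["security_group"], ()))
        documented = set(inst["administrators"])
        if actual != documented:
            drift[inst["name"]] = {"undocumented": sorted(actual - documented),
                                   "missing": sorted(documented - actual)}
    return drift

# Constructed sample: one forest, two domains, one datacenter, two documented instances.
ENVIRONMENT = {"forests": ["contoso.com"], "domains": ["contoso.com", "emea.contoso.com"],
               "datacenters": ["Chicago"]}
MODEL = [
    {"name": "Contoso Sec Pol Admins", "instance_of": "Security Policy Administrators",
     "security_group": "CONTOSO\\SecPolAdmins", "administrators": ["Michael Allen"]},
    {"name": "Contoso Backup Ops", "instance_of": "Backup Operators",
     "security_group": "CONTOSO\\BackupOps", "administrators": ["Dana Reyes"]},
]
# Constructed membership snapshot (e.g. exported from the directory) with one extra member.
GROUP_MEMBERS = {"CONTOSO\\SecPolAdmins": ["Michael Allen", "Temp Contractor"],
                 "CONTOSO\\BackupOps": ["Dana Reyes"]}
```

Running `coverage_gaps(MODEL, ENVIRONMENT)` on the sample lists the eight roles with no documented instance plus the second Backup Operators instance the two domains require, and `membership_drift(MODEL, GROUP_MEMBERS)` flags the undocumented member of the Security Policy Administrators group.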