Creating a Service Management Delegation Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The process of creating an administrative delegation model that addresses service management needs must be guided by security and efficiency considerations. By following the recommendations that are presented in this section, you can create a documented administration model that ensures that:

  • Administrative coverage has been provided for all aspects of Active Directory service management.

  • Administrative responsibilities have been distributed among appropriate administrative groups in accordance with sound security practices.

Many service administrative tasks require permissions that allow an administrator to make potentially harmful changes to the directory service. Harmful changes might be made in error, by a malicious administrator, or by an unauthorized administrator who has usurped permissions. Avoiding errors is the reason for selecting the most highly skilled administrators to perform security-sensitive administrative tasks. Avoiding malicious changes is the reason for selecting the most highly trusted service administrators. And avoiding the ability of an unauthorized administrator to wrongfully gain permissions is the reason for incorporating security measures into the delegation model itself.

The efficiency of the administrative delegation model requires that tasks be divided among the appropriate number and level of administrators to provide an optimal workload, while also providing complete coverage. Both the efficiency and security of the administrative delegation model are served by assigning the least privileges that are required to perform each task.

Note

The information in this document applies to Active Directory infrastructures that have an existing forest and domain structure. For information about creating a forest and domain structure, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723).

Guidelines for Creating a Service Delegation Model

Creating an efficient and security-conscious model based on these roles involves the following steps:

  1. Understand the nature of the responsibilities assigned to each Microsoft-recommended role and, if needed, customize the definition of these roles by adding or removing assigned tasks from the recommended role definitions.

  2. Determine the number of instances of the role that are required for your environment. The number of instances of each Microsoft-recommended role is presented earlier in this document and is summarized in Table 3.

    Service Management Role: Recommended Number of Instances

    Forest Configuration Operators: One instance per forest

    Domain Configuration Operators: One instance per domain

    Security Policy Administrators: One instance per forest

    Service Admin Managers: One instance per forest

    Domain Controller Administrators:

      1. One instance for every set of domain controllers physically located in a centrally or remotely located datacenter.

      2. One instance for the set of all domain controllers physically located in remote locations but centrally managed via remote management solutions.

      3. Optionally, one instance for every domain controller that is locally managed at a branch office, assuming that a remote management solution is not being used.

    Backup Operators: One instance per domain

    Schema Administrators: One instance per forest

    Replication Management Administrators: One instance per forest

    Replication Monitoring Operators: One instance per forest

    DNS Administrators: One instance per forest

  3. Based on the size and specifics of your Active Directory environment, determine the number of administrators to assign to each instance of the role.

  4. For each instance of each role, identify the specific administrators who will be assigned to the role. Document these role assignments.
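Steps 1 through 4 amount to a coverage rule: every scope named in Table 3 (the forest, each domain, each datacenter set of domain controllers) needs exactly one staffed instance of each role. The following Python script, an added example that is not part of this guide, checks a documented model against those rules; the forest layout, the instance list and the administrator names are constructed sample data.

```python
from collections import Counter

# Table 3 rules: each role needs exactly one instance per scope of the given kind. Branch-office
# Domain Controller Administrators instances are optional in the guide, so only datacenter sets count.
REQUIRED_SCOPE = {
    "Forest Configuration Operators": "forest",
    "Domain Configuration Operators": "domain",
    "Security Policy Administrators": "forest",
    "Service Admin Managers": "forest",
    "Domain Controller Administrators": "dc_set",
    "Backup Operators": "domain",
    "Schema Administrators": "forest",
    "Replication Management Administrators": "forest",
    "Replication Monitoring Operators": "forest",
    "DNS Administrators": "forest",
}

def check_model(forest, instances):
    """Return findings; an empty list means every scope has exactly one staffed instance."""
    scopes = {"forest": [forest["name"]], "domain": forest["domains"], "dc_set": forest["dc_sets"]}
    covered = Counter((i["role"], i["scope"]) for i in instances)
    findings = []
    for role, kind in REQUIRED_SCOPE.items():
        for target in scopes[kind]:
            n = covered.get((role, target), 0)
            if n != 1:  # a gap leaves tasks unowned; duplicates blur accountability
                findings.append(f"{n} instance(s) of '{role}' cover {kind} '{target}'; expected one")
    for i in instances:
        if not i["admins"]:  # a documented instance with nobody assigned is a gap too
            findings.append(f"instance of '{i['role']}' for '{i['scope']}' has no assigned administrators")
    return findings

def _inst(role, scope, *admins):
    return {"role": role, "scope": scope, "admins": list(admins)}

# Constructed sample: one forest, two domains, two datacenter sets of domain controllers.
SAMPLE_FOREST = {"name": "contoso.com", "domains": ["contoso.com", "emea.contoso.com"],
                 "dc_sets": ["Chicago datacenter", "London datacenter"]}
FOREST_ROLES = [r for r, k in REQUIRED_SCOPE.items() if k == "forest"]
SAMPLE_INSTANCES = [_inst(r, "contoso.com", "Admin A") for r in FOREST_ROLES] + [
    _inst("Domain Configuration Operators", "contoso.com", "Admin B"),
    # emea.contoso.com has no Domain Configuration Operators instance: a coverage gap
    _inst("Backup Operators", "contoso.com", "Admin C"),
    _inst("Backup Operators", "emea.contoso.com"),  # documented, but nobody assigned
    _inst("Domain Controller Administrators", "Chicago datacenter", "Admin D"),
    _inst("Domain Controller Administrators", "London datacenter", "Admin D"),
]

if __name__ == "__main__":
    print("\n".join(check_model(SAMPLE_FOREST, SAMPLE_INSTANCES)) or "model is complete")
```

Run against the sample, the script reports the missing emea.contoso.com Domain Configuration Operators instance and the unstaffed Backup Operators instance; re-run it whenever the model document changes.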

Documenting Your Service Administrative Delegation Model

After completing the process for creating the administrative delegation model, service owners should document the model and then maintain this document on an ongoing basis. When changes in service administration are required due to organizational changes or growth, the model must be changed to reflect the new requirements.

The administrative delegation model document should include the following:

  • A list of all roles that are being used

  • The number of instances of every role

  • A list of administrators that are assigned to each role instance

  • The administrative responsibilities that are assigned to each role

Later in the process, when the delegation model is implemented, update this document to include the following information:

  • The specific security group that is used to represent each role instance

  • The specific permissions granted to each security group

  • All audit settings that are set to monitor administrative operations

Table 4 is a template you can use to document your role instances.

Table 4 Template to Document Specific Role Instances (With Example Values)

Field: Assignment Information

Role Instance Name: Contoso Sec Pol Admins

Instance of: Security Policy Admins

Instance #: 1 of 1

Assigned Administrators: Michael Allen

Assigned Tasks: No customization – based on Microsoft-recommended role-to-task assignments.
  Refer to document located at: document location

Security Group: To be supplied during Implementation phase

Permissions Assigned: To be supplied during Implementation phase

Notes: Members in this role are based in Chicago.
  Security Clearance requirements met for all administrators.