Step 1 — Create the Contoso Service Management Administrative Delegation Model
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The service owners create the service delegation model according to the following criteria:
Objective: Create a delegation model to distribute service management among service administrators by enabling efficient, security-conscious delegation and distribution of administrative responsibilities among various administrative groups.
Stakeholders: Service owners.
Approach: Identify the number of instances of each service management role that are needed and the administrative personnel who are assigned to each role.
Service Management Roles
For the service administrative delegation model, Contoso requires the following management roles:
Forest Configuration Operators
Domain Configuration Operators
Schema Admins
Replication Management Admins
Replication Monitoring Operators
DNS Admins
Security Policy Administrators
Service Admin Managers
Domain Controller Admins
Backup Operators
Template for Creating the Delegation Model
Contoso uses the information in Table 14 as a template for assigning each role.
Table 14 Role Assignment Template
Template Fields | Phase During Which to Complete Assignment |
---|---|
Role Instance Name | Creation |
Instance of | Creation |
Instance Number | Creation |
Assigned Administrators | Creation |
Assigned Tasks | Creation |
Security Group | Implementation |
Permissions Assigned | Implementation |
Notes | Creation and implementation |
Assigning the Roles During Role Creation
Fields for each role are filled in by using the role template.
Assigning Forest Configuration Operators
The service owner follows the recommendation for creating only one instance of this role.
Table 15 shows the model creation entries in the template for this role.
Table 15 Model Creation Template for Forest Configuration Operators Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Forest Config Ops |
Instance of | Forest Configuration Operators Role |
Instance Number | 1 of 1 |
Assigned Administrators | Joe, Sally, Kevin |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning Domain Configuration Operators
The service owner follows the recommendation for creating only one instance of this role per domain. Because there are three domains, three instances are defined.
Table 16 shows the model creation entries in the template for this role.
Table 16 Model Creation Template for Domain Configuration Operators Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 1 of 3 |
Assigned Administrators | Michael, Sally, Gordon |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 2 of 3 |
Assigned Administrators | John, Sandra |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | EUROPE Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 3 of 3 |
Assigned Administrators | Christoph, Anna |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in London |
Assigning Schema Admins
The service owner follows the recommendation for creating only one instance of this role.
Table 17 shows the model creation entries in the template for this role.
Table 17 Model Creation Template for Schema Admins Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Schema Admins |
Instance of | Schema Admins Role |
Instance Number | 1 of 1 |
Assigned Administrators | Joe (also assigned to Forest Config Ops role) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago. Only group authorized to perform schema modifications |
Assigning Replication Management Admins
The service owner follows the recommendation for creating only one instance of this role.
Table 18 shows the model creation entries in the template for this role.
Table 18 Model Creation Template for Replication Management Admins Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Repl Mgmt Admins |
Instance of | Replication Management Admins |
Instance Number | 1 of 1 |
Assigned Administrators | Sally (also assigned to Forest Config Ops role), Kevin (also assigned to Forest Config Ops role) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning Replication Monitoring Operators
The service owner follows the recommendation for creating only one instance of this role.
Table 19 shows the model creation entries in the template for this role.
Table 19 Model Creation Template for Replication Monitoring Operators Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Repl Monitoring Ops |
Instance of | Replication Monitoring Operators |
Instance Number | 1 of 1 |
Assigned Administrators | Tom, Russ |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning DNS Admins
The service owner follows the recommendation for creating one instance of this role for the entire forest and one instance for each domain.
Table 20 shows the model creation entries in the template for this role.
Table 20 Model Creation Template for DNS Admins Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Forest DNS Admins |
Instance of | DNS Admins |
Instance Number | 1 of 4 |
Assigned Administrators | Mark (also assigned to Service Admin Managers, Security Policy Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Contoso DNS Admins |
Instance of | DNS Admins |
Instance Number | 2 of 4 |
Assigned Administrators | Andrew |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM DNS Admins |
Instance of | DNS Admins |
Instance Number | 3 of 4 |
Assigned Administrators | Jay |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | EUROPE DNS Admins |
Instance of | DNS Admins |
Instance Number | 4 of 4 |
Assigned Administrators | Laurie, Samuel |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning Security Policy Administrators
The service owner follows the recommendation for creating one instance of this role.
Table 21 shows the model creation entries in the template for this role.
Table 21 Model Creation Template for Security Policy Administrators Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Sec Pol Admins |
Instance of | Security Policy Admins |
Instance Number | 1 of 1 |
Assigned Administrators | Mark (also assigned to Service Admin Managers, DNS Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning Service Admin Managers
The service owner follows the recommendation for creating one instance of this role.
Table 22 shows the model creation entries in the template for this role.
Table 22 Model Creation Template for Service Admin Managers Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Srvc Admin Managers |
Instance of | Service Admin Managers |
Instance Number | 1 of 1 |
Assigned Administrators | Lisa, Mark (also assigned to Security Policy Admins, DNS Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Assigning Domain Controller Admins
Contoso implements two instances of the Domain Controller Admins role. One instance is based in Chicago and manages all domain controllers located in Chicago; it also remotely manages the domain controllers in the other two North American sites. The other instance is based in London and manages all domain controllers in the London site; it also remotely manages the domain controllers in the other two European sites.
Contoso has installed RILOs (out-of-band remote management boards) in its remote sites so that every aspect of a remote domain controller can be managed from the hub site. The only operation that cannot be performed through a RILO is physically starting and shutting down the domain controllers at a remote location, so one local administrative group is assigned responsibility for shutting down and starting those domain controllers when needed.
Table 23 shows the model creation entries in the template for this role.
Table 23 Model Creation Template for Domain Controller Admins Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root and NOAM DC Admins |
Instance of | Domain Controller Admins |
Instance Number | 1 of 2 |
Assigned Administrators | Paul, Andy |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Europe DC Admins |
Instance of | Domain Controller Admins |
Instance Number | 2 of 2 |
Assigned Administrators | James, Jessica |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in London |
Assigning Backup Operators
According to the recommendations for this role, there should be one instance for each domain. Although there are three instances of this role in the model, the service owner decides to assign the same group of administrators to each of the three instances. The administrators in this group are all located in Chicago. This one group is responsible for backing up Active Directory for all three domains. Table 24 shows the model creation entries in the template for this role.
Table 24 Model Creation Template for Backup Operators Role
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root Backup Operators |
Instance of | Backup Operators |
Instance Number | 1 of 3 |
Assigned Administrators | Maria |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM Backup Operators |
Instance of | Backup Operators |
Instance Number | 2 of 3 |
Assigned Administrators | Kris |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Europe Backup Operators |
Instance of | Backup Operators |
Instance Number | 3 of 3 |
Assigned Administrators | Brian |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Service Role Assignment Summary
Table 25 provides a summary of the roles and instances that have been assigned for service management.
Table 25 Summary of Assigned Contoso Service Management Roles
Role | Instances | Comments |
---|---|---|
Forest Configuration Operators | 1 | One instance per forest |
Domain Configuration Operators | 3 | One instance per domain |
Schema Admins | 1 | One instance per forest |
Replication Management Admins | 1 | One instance per forest |
Replication Monitoring Operators | 1 | One instance per forest |
DNS Admins | 4 | One forest-wide instance and one instance per domain |
Security Policy Administrators | 1 | One instance per forest |
Service Admin Managers | 1 | One instance per forest |
Domain Controller Admins | 2 | One instance per region (North America and Europe) |
Backup Operators | 3 | One instance per domain |
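As an added example (not code from the original guide), the following Windows PowerShell script holds the creation-phase fields of Tables 15 through 24 as data and runs the two checks a service owner would want before handing the model to the Enterprise Admins: that each role has the number of instances Table 25 calls for, and which administrators hold more than one role instance (the cross-assignments that the tables otherwise track by hand in parentheses). It then emits, as a dry run with -WhatIf, the New-ADGroup calls that would populate the Security Group field during implementation. The group scope, the target OU and the use of the ActiveDirectory module are assumptions, not part of the guide; that module first shipped with Windows Server 2008 R2, so on the Windows Server 2003 platform this page applies to, the last step would be performed with dsadd.exe or the Active Directory Users and Computers snap-in instead.

```powershell
# Added example: the Contoso service management delegation model as data,
# with pre-implementation checks. Not code from the original guide.
# Assumed: group scope, OU path, and the ActiveDirectory module (last step only).

# Creation-phase fields transcribed from Tables 15-24. Assigned Tasks, Security
# Group and Permissions Assigned are filled in during implementation, so they
# are not modeled here.
$RoleInstances = @(
    @{ Name = 'Contoso Forest Config Ops';       Role = 'Forest Configuration Operators';   Members = @('Joe', 'Sally', 'Kevin');      Site = 'Chicago' }
    @{ Name = 'Contoso Root Dom Config Ops';     Role = 'Domain Configuration Operators';   Members = @('Michael', 'Sally', 'Gordon'); Site = 'Chicago' }
    @{ Name = 'NOAM Dom Config Ops';             Role = 'Domain Configuration Operators';   Members = @('John', 'Sandra');             Site = 'Chicago' }
    @{ Name = 'EUROPE Dom Config Ops';           Role = 'Domain Configuration Operators';   Members = @('Christoph', 'Anna');          Site = 'London' }
    @{ Name = 'Contoso Schema Admins';           Role = 'Schema Admins';                    Members = @('Joe');                        Site = 'Chicago' }
    @{ Name = 'Contoso Repl Mgmt Admins';        Role = 'Replication Management Admins';    Members = @('Sally', 'Kevin');             Site = 'Chicago' }
    @{ Name = 'Contoso Repl Monitoring Ops';     Role = 'Replication Monitoring Operators'; Members = @('Tom', 'Russ');                Site = 'Chicago' }
    @{ Name = 'Contoso Forest DNS Admins';       Role = 'DNS Admins';                       Members = @('Mark');                       Site = 'Chicago' }
    @{ Name = 'Contoso DNS Admins';              Role = 'DNS Admins';                       Members = @('Andrew');                     Site = 'Chicago' }
    @{ Name = 'NOAM DNS Admins';                 Role = 'DNS Admins';                       Members = @('Jay');                        Site = 'Chicago' }
    @{ Name = 'EUROPE DNS Admins';               Role = 'DNS Admins';                       Members = @('Laurie', 'Samuel');           Site = 'Chicago' }
    @{ Name = 'Contoso Sec Pol Admins';          Role = 'Security Policy Administrators';   Members = @('Mark');                       Site = 'Chicago' }
    @{ Name = 'Contoso Srvc Admin Managers';     Role = 'Service Admin Managers';           Members = @('Lisa', 'Mark');               Site = 'Chicago' }
    @{ Name = 'Contoso Root and NOAM DC Admins'; Role = 'Domain Controller Admins';         Members = @('Paul', 'Andy');               Site = 'Chicago' }
    @{ Name = 'Europe DC Admins';                Role = 'Domain Controller Admins';         Members = @('James', 'Jessica');           Site = 'London' }
    @{ Name = 'Contoso Root Backup Operators';   Role = 'Backup Operators';                 Members = @('Maria');                      Site = 'Chicago' }
    @{ Name = 'NOAM Backup Operators';           Role = 'Backup Operators';                 Members = @('Kris');                       Site = 'Chicago' }
    @{ Name = 'Europe Backup Operators';         Role = 'Backup Operators';                 Members = @('Brian');                      Site = 'Chicago' }
)

# Instance counts that Table 25 requires for a forest with three domains.
$DomainCount = 3
$ExpectedInstances = @{
    'Forest Configuration Operators'   = 1
    'Domain Configuration Operators'   = $DomainCount
    'Schema Admins'                    = 1
    'Replication Management Admins'    = 1
    'Replication Monitoring Operators' = 1
    'DNS Admins'                       = 1 + $DomainCount   # one forest-wide, one per domain
    'Security Policy Administrators'   = 1
    'Service Admin Managers'           = 1
    'Domain Controller Admins'         = 2                  # one per region
    'Backup Operators'                 = $DomainCount
}

function Test-InstanceCounts {
    # Emits one object per role whose instance count differs from Table 25.
    param([hashtable[]]$Instances, [hashtable]$Expected)
    $actual = @{}
    foreach ($i in $Instances) { $actual[$i.Role] = 1 + [int]$actual[$i.Role] }
    foreach ($role in $Expected.Keys) {
        if ([int]$actual[$role] -ne $Expected[$role]) {
            [pscustomobject]@{ Role = $role; Expected = $Expected[$role]; Actual = [int]$actual[$role] }
        }
    }
}

function Get-CrossRoleAdmins {
    # Lists every administrator assigned to more than one role instance, so that
    # accumulated privilege is visible before any security group is created.
    param([hashtable[]]$Instances)
    $byAdmin = @{}
    foreach ($i in $Instances) {
        foreach ($m in $i.Members) {
            if ($byAdmin.ContainsKey($m)) { $byAdmin[$m] += $i.Name } else { $byAdmin[$m] = @($i.Name) }
        }
    }
    foreach ($m in ($byAdmin.Keys | Sort-Object)) {
        if ($byAdmin[$m].Count -gt 1) {
            [pscustomobject]@{ Administrator = $m; Instances = ($byAdmin[$m] -join '; ') }
        }
    }
}

function New-RoleInstanceGroup {
    # Implementation-phase step for the Security Group field: one security group
    # per role instance. Scope and OU path are assumptions; -WhatIf keeps this a
    # dry run until the model has been reviewed.
    param(
        [hashtable]$Instance,
        [string]$Path  = 'OU=Service Admin Groups,DC=contoso,DC=com',   # assumed
        [string]$Scope = 'Global'                                        # assumed
    )
    New-ADGroup -Name $Instance.Name -GroupCategory Security -GroupScope $Scope -Path $Path `
        -Description "$($Instance.Role); instance based in $($Instance.Site)" -WhatIf
}

Test-InstanceCounts -Instances $RoleInstances -Expected $ExpectedInstances
Get-CrossRoleAdmins -Instances $RoleInstances | Format-Table -AutoSize
$RoleInstances | ForEach-Object { New-RoleInstanceGroup -Instance $_ }
```

Run against the tables as transcribed, Test-InstanceCounts reports nothing, and Get-CrossRoleAdmins lists Joe (Forest Config Ops, Schema Admins), Kevin (Forest Config Ops, Repl Mgmt Admins), Mark (Forest DNS Admins, Sec Pol Admins, Srvc Admin Managers) and Sally, whose membership of Contoso Root Dom Config Ops is not recorded in the parenthetical notes of the Forest Config Ops or Repl Mgmt Admins tables. Surfacing that kind of omission is the point of running the check before the Enterprise Admins create the groups.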
Now that the creation phase is complete, Contoso has a delegation model that documents the division of responsibility for service management of the Active Directory infrastructure. In the next step, the Enterprise Admins group will implement the Active Directory directory service management model.