Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The service owners create the service delegation model according to the following criteria:
Objective: Create a delegation model to distribute service management among service administrators by enabling efficient, security-conscious delegation and distribution of administrative responsibilities among various administrative groups.
Stakeholders: Service owners.
Approach: Identify the number of instances of each service management role that are needed and the administrative personnel who are assigned to each role.
For the service administrative delegation model, Contoso requires the following management roles:
Forest Configuration Operators
Domain Configuration Operators
Schema Admins
Replication Management Admins
Replication Monitoring Operators
DNS Admins
Security Policy Administrators
Service Admin Managers
Domain Controller Admins
Backup Operators
Contoso uses the information in Table 14 as a template for assigning each role.
Template Fields | Phase During Which to Complete Assignment |
---|---|
Role Instance Name | Creation |
Instance of | Creation |
Instance Number | Creation |
Assigned Administrators | Creation |
Assigned Tasks | Creation |
Security Group | Implementation |
Permissions Assigned | Implementation |
Notes | Creation and implementation |
Fields for each role are filled in by using the role template.
The service owner follows the recommendation for creating only one instance of the Forest Configuration Operators role.
Table 15 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Forest Config Ops |
Instance of | Forest Configuration Operators Role |
Instance Number | 1 of 1 |
Assigned Administrators | Joe, Sally, Kevin |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
The service owner follows the recommendation for creating only one instance of the Domain Configuration Operators role per domain. Because there are three domains, three instances are defined.
Table 16 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 1 of 3 |
Assigned Administrators | Michael, Sally, Gordon |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 2 of 3 |
Assigned Administrators | John, Sandra |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | EUROPE Dom Config Ops |
Instance of | Domain Configuration Operators Role |
Instance Number | 3 of 3 |
Assigned Administrators | Christoph, Anna |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in London |
The service owner follows the recommendation for creating only one instance of the Schema Admins role.
Table 17 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Schema Admins |
Instance of | Schema Admins Role |
Instance Number | 1 of 1 |
Assigned Administrators | Joe (also assigned to Forest Config Ops role) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago. Only group authorized to perform schema modifications. |
The service owner follows the recommendation for creating only one instance of the Replication Management Admins role.
Table 18 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Repl Mgmt Admins |
Instance of | Replication Management Admins |
Instance Number | 1 of 1 |
Assigned Administrators | Sally (also assigned to Forest Config Ops role), Kevin (also assigned to Forest Config Ops role) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
The service owner follows the recommendation for creating only one instance of the Replication Monitoring Operators role.
Table 19 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Repl Monitoring Ops |
Instance of | Replication Monitoring Operators |
Instance Number | 1 of 1 |
Assigned Administrators | Tom, Russ |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
The service owner follows the recommendation for creating one instance of the DNS Admins role for the entire forest and one instance for each domain.
Table 20 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Forest DNS Admins |
Instance of | DNS Admins |
Instance Number | 1 of 4 |
Assigned Administrators | Mark (also assigned to Service Admin Managers, Security Policy Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Contoso DNS Admins |
Instance of | DNS Admins |
Instance Number | 2 of 4 |
Assigned Administrators | Andrew |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM DNS Admins |
Instance of | DNS Admins |
Instance Number | 3 of 4 |
Assigned Administrators | Jay |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | EUROPE DNS Admins |
Instance of | DNS Admins |
Instance Number | 4 of 4 |
Assigned Administrators | Laurie, Samuel |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
The service owner follows the recommendation for creating one instance of the Security Policy Administrators role.
Table 21 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Sec Pol Admins |
Instance of | Security Policy Admins |
Instance Number | 1 of 1 |
Assigned Administrators | Mark (also assigned to Service Admin Managers, DNS Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
The service owner follows the recommendation for creating one instance of the Service Admin Managers role.
Table 22 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Srvc Admin Managers |
Instance of | Service Admin Managers |
Instance Number | 1 of 1 |
Assigned Administrators | Lisa, Mark (also assigned to Security Policy Admins, DNS Admins) |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Contoso implements two instances of the Domain Controller Admins role. One instance is based in Chicago and is responsible for managing all domain controllers that are located in Chicago and for remotely managing all domain controllers that are located in the other two sites in North America. Similarly, one instance of the Domain Controller Admins role is based in London and is responsible for managing all domain controllers in the London site and for remotely managing all domain controllers that are located in the other two sites in Europe.
Contoso has implemented RILOs in remote sites so that all aspects of their domain controllers can be managed remotely from the hub site. The only operation that cannot be performed on RILO-based systems is physically starting and shutting down the domain controllers in a remote location. For this administrative operation, one local administrative group is assigned the responsibility for shutting down and starting domain controllers when needed.
Table 23 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root and NOAM DC Admins |
Instance of | Domain Controller Admins |
Instance Number | 1 of 2 |
Assigned Administrators | Paul, Andy |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Europe DC Admins |
Instance of | Domain Controller Admins |
Instance Number | 2 of 2 |
Assigned Administrators | James, Jessica |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in London |
According to the recommendations for the Backup Operators role, there should be one instance for each domain. Although there are three instances of this role in the model, the service owner decides to assign the same group of administrators to each of the three instances. The administrators in this group are all located in Chicago. This one group is responsible for backing up Active Directory for all three domains. Table 24 shows the model creation entries in the template for this role.
Field | Assignment Information |
---|---|
Role Instance Name | Contoso Root Backup Operators |
Instance of | Backup Operators |
Instance Number | 1 of 3 |
Assigned Administrators | Maria |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | NOAM Backup Operators |
Instance of | Backup Operators |
Instance Number | 2 of 3 |
Assigned Administrators | Kris |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |

Field | Assignment Information |
---|---|
Role Instance Name | Europe Backup Operators |
Instance of | Backup Operators |
Instance Number | 3 of 3 |
Assigned Administrators | Brian |
Assigned Tasks | |
Security Group | |
Permissions Assigned | |
Notes | Based in Chicago |
Table 25 provides a summary of the roles and instances that have been assigned for service management.
Role | Instances | Comments |
---|---|---|
Forest Configuration Operators | 1 | One role per forest |
Domain Configuration Operators | 3 | One role per domain |
Schema Admins | 1 | One role per forest |
Replication Management Admins | 1 | One role per forest |
Replication Monitoring Operators | 1 | One role per forest |
DNS Admins | 4 | One forest-wide role and one role per domain |
Security Policy Administrators | 1 | One role per forest |
Service Admin Managers | 1 | One role per forest |
Domain Controller Admins | 2 | One role per continent (North America and Europe) |
Backup Operators | 3 | One role per domain |
Now that the creation phase is complete, Contoso has a delegation model that documents the division of responsibility for service management of the Active Directory infrastructure. In the next step, the Enterprise Admins group will implement the Active Directory directory service management model.