Active Directory Management
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Delegating administrative authority lets organizations manage their Active Directory environments, and the data stored in or protected by Active Directory, efficiently and in accordance with good security practices. Delegation also makes Active Directory management easier and allows organizations to address specific administrative needs. This section describes the areas of Active Directory management and the stakeholders involved in each.
The administrative responsibilities of managing an Active Directory environment fall into two categories:
Service management. Administrative tasks involved in providing secure and reliable delivery of the directory service.
Data management. Administrative operations involved in managing the content that is stored in or protected by the directory service.
Service management covers every aspect of the directory service that is essential to its uninterrupted delivery across the enterprise. It includes, but is not limited to, the following administrative tasks:
Adding and removing domain controllers.
Managing and monitoring replication.
Ensuring the proper assignment and configuration of operations master roles.
Performing regular backups of the directory database.
Managing domain and domain controller security policies.
Configuring directory service parameters, such as setting the functional level of a forest or putting the directory in the special List-Object security mode.
Data management includes managing the content that is stored in Active Directory, as well as content that is protected by Active Directory. Data management tasks include, but are not limited to, managing the following Active Directory content:
User accounts, which represent the identities of people who use the network
Computer accounts, which represent the computers that are joined to domains in the Active Directory forest
Security groups, which are used to aggregate accounts for the purpose of authorizing access to resources
Application-specific attributes for Active Directory-enabled and -integrated applications, such as Microsoft Exchange and Microsoft Real-Time Communication service
Active Directory data management also extends to distributing and delegating the following management tasks:
Workstation management, which includes managing all aspects of end-user workstations.
Server management, which includes managing all aspects of all servers joined to any domain in an Active Directory forest.
Resource management, which includes managing all aspects of services and applications hosted on member servers joined to any domain in an Active Directory forest, possibly including the server management aspects of the servers on which the application or resource is being hosted.
Active Directory plays a central role in a Windows-based IT infrastructure and is an inherent part of distributed security and identity management, touching almost every critical aspect of an organization’s infrastructure. Thus, management of an Active Directory environment involves multiple stakeholders, each having specific responsibilities for managing the data, service, or security aspects of Active Directory, and each requiring the ability to perform their assigned administrative responsibilities.
For example, administrative groups who are responsible for managing user identities require the ability to perform account management. Network operators who are responsible for delivering network services that are required for Active Directory to function, such as DNS, require the ability to manage DNS servers and data. Corporate security personnel might require the ability to audit logon events, and Help Desk operators might require administrative rights to perform support operations like resetting passwords for users. Administrators of Active Directory–enabled and –integrated applications require the ability to manage application-specific data stored in the directory.
From a managerial and operational perspective, the primary Active Directory management stakeholders are service and data owners and administrators. Because Active Directory plays a central role in a Windows Server–based IT infrastructure, however, there are commonly other stakeholders as well: owners and administrators of other parts of the IT infrastructure that depend on, or are otherwise tied to, the organization's Active Directory environment.
Service and Data Owners
In most IT infrastructures that consist of multiple, integrated components and services, responsibility for delivering a specific component or service is typically entrusted to an owner. This owner is responsible for the overall delivery of the component or service, but does not actually perform the work. Rather, the role of the owner is managerial and strategic, and the responsibility for the day-to-day administrative tasks that are involved in managing Active Directory is assigned by the owner to one or more administrators.
Ownership of all Active Directory environments should be entrusted to two owner groups:
Service owners. Responsible for planning and long-term maintenance of the Active Directory infrastructure, ensuring that the directory service continues to function, and ensuring that goals established in service-level agreements are maintained. While the administrative responsibilities of managing the directory service can be shared among administrative groups from different business units, service ownership is typically not shared, but is held by a centralized service owner.
Data owners. Responsible for maintenance of the data that is stored in Active Directory, as well as content that is protected by Active Directory. This data includes user and computer accounts and local resources, such as member servers and workstations. Because an Active Directory environment might span multiple business units, these business units often require the ability to manage their data autonomously. Data ownership is therefore commonly shared among multiple business units across the enterprise.
Service and data owners create an administrative model to distribute and delegate administrative responsibilities among administrators, who are responsible for performing Active Directory operations. Service owners employ service administrators to manage the directory service, and data owners employ data administrators to manage the content stored in or protected by the directory service.
Service and Data Administrators
The operation of Active Directory involves two types of administrators:
Service administrators. Responsible for performing all administrative tasks that are involved in configuring and administering an Active Directory environment. Service administrators are highly trusted users who are employed by the service owner to manage the directory service. Service administrators implement policy decisions that are made by service owners, and handle the day-to-day tasks that are associated with maintaining the directory service and infrastructure. Because they configure and operate the directory service itself, service administrators can also affect every object stored in it, which is why the role demands such a high level of trust.
Data administrators. Responsible for maintaining data that is stored in Active Directory, such as user and group accounts, and application-specific data. Data administrators are employed by the data owners to manage the content that is stored in or protected by the directory service. Data administrators control subsets of objects within the directory, but have no control over the installation or configuration of the directory service.
Active Directory enables directory-integrated applications to store and modify network-centric data in the directory, and it enables network services to publish globally useful information there. User identities are also stored in the directory, as are security and distribution groups. Stakeholders might have business requirements to modify, or to have access to, data that is controlled by data owners.
For example, administrators of Active Directory-enabled applications or human resources personnel might need control over application or user data. Other users might be Active Directory management stakeholders based on the applications they administer. Usually, applications that store or modify data in Active Directory have administrators who are responsible for the management of the respective application-specific data. Additionally, users of these applications might also need to read or modify application-specific data.
Still other users might have job-related reasons for performing administrative tasks in Active Directory. For example, corporate security personnel might require the ability to carry out certain security-sensitive operations, such as auditing logon events. Help desk operators might require administrative rights to perform support operations, such as resetting passwords for users.
Thus, in addition to service and data owners and administrators, other users might be considered management stakeholders based on business needs that require them to have control of or access to data stored in or protected by Active Directory.
Service and data owners (and their administrators) are collectively responsible for ensuring that every stakeholder is granted the minimum access rights required to perform the administrative tasks associated with that stakeholder's business role in the organization, and no more.
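The Help Desk password-reset case mentioned above is the standard illustration of that least-privilege rule. The following PowerShell session is an added example, not part of the original article, showing how to delegate exactly that right with the dsacls.exe tool (part of the Windows Server 2003 Support Tools and built in on later versions of Windows Server), rather than placing the operators in a built-in group such as Account Operators, which grants far broader rights across the whole domain. The domain, OU and group names (contoso.com, OU=Staff, CONTOSO\HelpDesk) are assumptions for illustration.

```powershell
# Added example: delegate only the rights a Help Desk group needs to reset
# user passwords within one OU. All names below are assumptions.
$ou       = "OU=Staff,DC=contoso,DC=com"   # scope of the delegation
$helpDesk = "CONTOSO\HelpDesk"             # group receiving the rights

# Grant the "Reset Password" extended right on user objects below the OU.
#   /I:S  apply to sub-objects only, not to the OU object itself
#   CA    control access, i.e. the extended right named after the semicolon
#   user  inherited-object type: only user objects receive the ACE
dsacls $ou /I:S /G "${helpDesk}:CA;Reset Password;user"

# Grant write access to pwdLastSet so the operator can force
# "User must change password at next logon" after a reset (WP = write property).
dsacls $ou /I:S /G "${helpDesk}:WP;pwdLastSet;user"

# Verify: dump the OU's ACL and show only the entries that name the group.
dsacls $ou | Select-String -SimpleMatch $helpDesk
```

Because the entries are inheritable, user objects created in the OU later are covered automatically, and nothing outside the OU is affected. When reviewing the dsacls output, also check the entries the OU inherits from its parents: a pre-existing broad grant (for example Full control inherited from the domain root) would make the narrow delegation above irrelevant.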