Recommended Approach to Data Management
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
As mentioned in Chapter 1: Delegation of Administration Overview, a structured and methodical approach to managing an Active Directory environment can greatly enhance the security of the environment, reduce the administrative cost of managing it, and address the administrative needs of all stakeholders, thereby making Active Directory management more tractable, seamless, efficient and secure.
It is not uncommon for multiple business units to participate in a shared Active Directory environment. Each business unit, while participating in a shared Active Directory environment, can have its own domain data and IT resources. Each business unit should be assigned a data owner who should have overall responsibility for all aspects of data management for that business unit. Business unit owners appoint a small set of their most highly trusted administrators to the role of Business Unit Admins – this administrative group represents the operational arm of the data owner.
Data owners are entrusted with overall accountability for the security-conscious, efficient, and effective management of the content stored in Active Directory and on computers joined to Active Directory. It is therefore their responsibility to create a delegation model under which administrative responsibility for managing business unit data is distributed among, and delegated to, their data administrators in an equally effective, efficient, and security-conscious manner.
It is important to note that this chapter provides best practices for delegation on a per-domain basis only. Thus, if your Active Directory environment has multiple domains, you should apply the best practices and guidelines presented in this chapter for creating a delegation model to each domain in your Active Directory environment.
A structured and methodical approach to Active Directory data management generally involves the following recommended steps:
1. Service owners hand off data management of each business unit to the respective data owner of that business unit.
2. Business unit data owners in turn create, implement, and maintain a delegation model for managing business unit data.
This approach offers two primary benefits. It clearly separates responsibility for service management from responsibility for data management. Additionally, it assigns responsibility for the data that belongs to a specific business unit to the owners of that business unit, which gives them the flexibility to manage their data in the manner that best addresses the specific administrative needs and requirements of that business unit.
After service owners have handed off responsibility for data management to data owners, the data owners, together with their high-level administrators, should do the following:
1. Understand all aspects of Active Directory data management.
2. Understand the administrative needs of all stakeholders.
3. Create a delegation model that provides administrative coverage for all aspects of Active Directory data management and addresses the administrative needs of all stakeholders.
4. Implement the Active Directory data management delegation model in an efficient and security-conscious fashion. The implementation must address the administrative needs of all delegated administrators and all stakeholders, while ensuring that every grant of administrative access follows the principle of least privilege.
5. Maintain the implemented delegation model, which involves modifying the model in response to changes in administrative requirements or needs.