Establishing Owners and Administrators
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In an Active Directory deployment project, individuals who are owners are held accountable by management for making sure that deployment tasks are completed and that Active Directory design specifications meet the needs of the organization. Owners do not necessarily have access to or manipulate the directory infrastructure directly. Administrators are the individuals responsible for completing the required deployment tasks. Administrators have the network access and permissions necessary to manipulate the directory and its infrastructure.
The role of the owner is strategic and managerial. Owners are responsible for communicating to administrators the tasks required for the implementation of the Active Directory design, such as the creation of new domain controllers within the forest. The administrators are responsible for implementing the design on the network according to the design specifications.
In larger organizations, different individuals fill owner and administrator roles; however, in some smaller organizations, the same individual might act as both the owner and the administrator.
Service and Data Owners
Managing Active Directory on a daily basis involves two types of owners:
Service owners. Service owners are responsible for the planning and long-term maintenance of the Active Directory infrastructure, and ensuring that the directory continues to function, and that the goals established in service level agreements are maintained.
Data owners. Data owners are responsible for the maintenance of the information stored in the directory. This includes user and computer account management and management of local resources, such as member servers and workstations.
It is important to identify the Active Directory service and data owners early on so that they can participate in as much of the design process as possible. Because the service and data owners are responsible for the long-term maintenance of the directory after the deployment project is finished, it is important for these individuals to provide input as to organizational needs and to be familiar with how and why certain design decisions were made. Service owners include the forest owner, the Active Directory DNS owner, and the site topology owner. Data owners include OU owners.
Service and Data Administrators
The operation of Active Directory involves two types of administrators: service administrators and data administrators. Service administrators implement policy decisions made by service owners and handle the day-to-day tasks associated with maintaining the directory service and infrastructure. This includes managing the domain controllers that are hosting the directory service; managing other network services, such as DNS, that are required for Active Directory; controlling the configuration of forest-wide settings; and ensuring that the directory is always available.
Service administrators are also responsible for completing ongoing Active Directory deployment tasks that are required after the initial Windows Server 2003 Active Directory deployment process is complete. For example, as demands on the directory increase, service administrators create additional domain controllers, and establish or remove trusts between domains as needed. For this reason, the Active Directory deployment team needs to include service administrators.
You must be careful to assign service administrator roles only to trusted individuals in the organization. Because these individuals have the ability to modify the system files on domain controllers, they can change the behavior of Active Directory, enabling them to gain access to and modify any resource in the forest. You must ensure that the service administrators in your organization are individuals who are familiar with the operational and security policies that are in place on your network and who understand the need to enforce those policies.
Data administrators are users within a domain who are responsible for maintaining data that is stored in Active Directory, such as user and group accounts, and maintaining computers that are members of their domain. Data administrators control subsets of objects within the directory and have no control over the installation or configuration of the directory service.
Data administrator accounts are not provided by default. After the design team determines how resources are to be managed for the organization, domain owners must create data administrator accounts and delegate them the appropriate permissions based on the set of objects for which the administrators are to be responsible.
It is best to limit the number of service administrators in your organization to the minimum number required to ensure that the infrastructure continues to function. The majority of administrative work can be completed by data administrators. Service administrators require a much wider skill set because they are responsible for maintaining the directory and the infrastructure that supports it. Data administrators only require the skills necessary to manage their portion of the directory. Dividing work assignments in this way results in cost savings for the organization because only a small number of administrators need to be trained to operate and maintain the entire directory and its infrastructure.
For example, a service administrator needs to understand how to add a domain to a forest. This includes how to install the software to convert a server into a domain controller and how to manipulate the DNS environment so that the domain controller can be merged seamlessly into the Active Directory environment. A data administrator only needs to know how to manage the specific data that they are responsible for, such as the creation new user accounts for any new employees in their department.
Service and Data Owners for Active Directory
Deploying Active Directory requires coordination and communication between many different groups involved in the operation of the network infrastructure. These groups should appoint service and data owners who are responsible for representing the various groups during the design and deployment process.
Once the deployment project is complete, these service and data owners continue to be responsible for the portion of the infrastructure managed by their group. In an Active Directory environment these owners are:
The forest owner is typically a senior IT manager in the organization, who is responsible for the Active Directory deployment process and who is ultimately accountable for maintaining service delivery within the forest after the deployment is complete. The forest owner assigns individuals to fill the other ownership roles by identifying key personnel within the organization who are able to contribute necessary information about network infrastructure and administrative needs. The forest owner is responsible for:
The deployment of the forest root domain to create the forest.
The deployment of the first domain controller in each domain to create the domains required for the forest.
The memberships of the service administrator groups in all domains of the forest.
The creation of the design of the OU structure for each domain in the forest.
The delegation of administrative authority to OU owners.
Changes to the schema.
Changes to forest-wide configuration settings.
The implementation of certain Group Policies, including
Domain user account policies, such as password complexity and account lockout.
Policies that apply to domain controllers.
Any other Group Policies that are applied at the domain level.
- Domain user account policies, such as password complexity and account lockout.
The forest owner has authority over the entire forest. It is the forest owner’s responsibility to set policy and to select the individuals who are service administrators. The forest owner is a service owner.
Active Directory DNS Owner
The Active Directory DNS owner is an individual who has a thorough understanding of the existing DNS infrastructure and the existing namespace of the organization.
The Active Directory DNS owner is responsible for:
Serving as a liaison between the design team and the IT group that currently owns the DNS infrastructure.
Providing the information about the existing DNS namespace of the organization, to assist in the creation of the new Active Directory namespace.
Working with the deployment team to make sure that the new DNS infrastructure is deployed according to the specifications of the design team and that it is working properly.
Managing the Active Directory DNS infrastructure including the DNS services and DNS data.
The Active Directory DNS owner is a service owner.
Site Topology Owner
The site topology owner is familiar with the physical structure of the network of the organization, including the mapping of individual subnets, routers, and the areas of the network that are connected by means of slow links. The site topology owner is responsible for the following tasks:
Understanding the physical network topology and how it affects Active Directory.
Understanding how the Active Directory deployment will impact the network.
Determining the sites that need to be created.
Updating server objects for domain controllers when a subnet changes.
Creating site links.
The site topology owner is a service owner.
The OU owner is responsible for managing data stored in the directory. This individual needs to be familiar with the operational and security policies that are in place on the network. OU owners can only perform tasks that have been delegated to them by the service administrators and they can only perform those tasks on the OUs to which they are assigned. Some tasks that the OU owner might be assigned include the following:
Performing all account management tasks within their assigned OU.
Managing workstations and member servers that are members of their assigned OU.
Delegating authority to local administrators within their assigned OU.
The OU owner is a data owner.