UIC AD Active Directory Guidelines

We strongly recommend departments use the UIC AD Forest as the primary tree for Windows 2000/2003 on campus. This document explains the basic guidelines departments are required to follow when participating in the UIC AD Forest. We have instituted these guidelines in order to make all of our computing lives easier at UIC.


Using the UIC Campus AD Forest

OU Naming Convention
Departments may elect to have their own branch in the Active Directory forest. All departmental OUs will be created under the DEPTS branch in the AD.UIC.EDU domain.

It is required that each OU be named with the unit portion of the current DNS domain name. For example, if your domain name is accc.uic.edu then your OU would be named ACCC. Your full path in the Active Directory would be ACCC.DEPTS.AD.UIC.EDU (the distinguished name OU=ACCC,OU=DEPTS,DC=ad,DC=uic,DC=edu).

Active Directory User Accounts
Campus user accounts are automatically created from UIC NetIDs. Password resets will be available via an ACCC web page. Campus user account names are identical to the associated UIC NetID, and so will not exceed 8 characters in length.

Departments are encouraged to use the ACCC-created accounts because they carry the user's common campus password. The ACCC grants you access to the accounts so you can add them to groups and assign rights to your servers and file shares. The ACCC will not move the accounts outside the "Accounts" container, because the automatic tools managing the accounts (password changes) will break. Even ACCC LAN administrators do not modify the AD accounts by hand, because all management is done programmatically from the central database on our Unix systems.

OU administrators may create user accounts in their OUs. Names of user accounts created within departmental OUs must exceed 8 characters in length to guarantee uniqueness from potential UIC NetIDs. The ACCC may delete or rename accounts that are less than nine characters in length at any time without notice.

Group Policy Names
It is recommended that you give your Group Policy Objects (GPOs) a unique name by including your department in the first part of the name. If my department OU name is ACCC then my GPO name should start with ACCC. For example:

ACCC Labusers GPO
ACCC Computers GPO
ACCC MMC

The added benefit to following this rule is that all your GPOs will be together when you browse the list in the AD.UIC.EDU domain. The ACCC will not intervene in GPO naming conflicts unless this convention is used.

Group Naming
The following naming conventions for groups should be followed so that group names are unique. Your OU name should be the first part of your group name. We also encourage you to put a group type indication in the name so you can easily determine which of your groups are global and which are domain local.

Use "DL" to designate Domain Local Groups
Use "GG" to designate Global Groups

For example, if my OU is ACCC and I am creating a global group for office workers the name would be:

ACCC GG Office Workers

Now, if I am creating a domain local group the name would be:

ACCC DL Office Workers

This naming convention allows your groups to be listed together. In the event of a naming conflict, the ACCC will not intervene if this policy has not been followed.

Computer Names
In order to ensure uniqueness for WINS, OU administrators must include the unit portion of the UIC DNS name in the computer name. NetBIOS names are limited to 15 characters, so the unit portion and the host name must fit together within that limit. This requirement must be followed to avoid NetBIOS name conflicts; the ACCC will not intervene in NetBIOS naming disputes if it is not.

It is also required that the same name be used for both the computer DNS hostname and the NetBIOS name. As an example, if the current DNS name is homer.cc.uic.edu, then the NetBIOS name would be UIC-CC-HOMER and the Active Directory DNS name would be uic-cc-homer.ad.uic.edu.
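The following script is an added example, not part of the UIC guidelines page; it audits a departmental OU against the account, group, GPO and computer naming rules above. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read the OU; the unit name (ACCC in the usage line) and the domain ad.uic.edu are taken from the page, everything else (the function and property names it emits) is illustrative.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example (not from the UIC page): report objects in OU=<Unit>,OU=DEPTS
# that break the naming rules. Emits one object per finding.
function Test-UicAdNaming {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Unit,        # e.g. ACCC
        [string]$Domain = 'ad.uic.edu'
    )

    $dcPart = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $ouDn   = "OU=$Unit,OU=DEPTS,$dcPart"
    $prefix = "$Unit "                               # "ACCC " for groups and GPOs

    function New-Finding([string]$Kind, [string]$Name, [string]$Issue) {
        [pscustomobject]@{ Kind = $Kind; Name = $Name; Issue = $Issue }
    }

    # Departmental accounts must be 9+ characters so they can never collide
    # with a campus NetID (at most 8); shorter ones may be removed by the ACCC.
    Get-ADUser -Filter * -SearchBase $ouDn |
        Where-Object { $_.SamAccountName.Length -le 8 } |
        ForEach-Object {
            New-Finding 'User' $_.SamAccountName 'Name is 8 characters or fewer; clashes with the NetID namespace'
        }

    # Groups: "<Unit> DL ..." for domain local, "<Unit> GG ..." for global,
    # and the tag must agree with the group's actual scope.
    foreach ($g in Get-ADGroup -Filter * -SearchBase $ouDn) {
        if (-not $g.Name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            New-Finding 'Group' $g.Name "Name does not start with '$prefix'"
        }
        $expectedTag = switch ("$($g.GroupScope)") {
            'DomainLocal' { 'DL' }
            'Global'      { 'GG' }
            default       { $null }                  # universal groups have no tag in this scheme
        }
        $words = $g.Name -split '\s+'
        $tag   = if ($words.Count -ge 2) { $words[1] } else { '' }
        if ($expectedTag -and $tag -ne $expectedTag) {
            New-Finding 'Group' $g.Name "Scope is $($g.GroupScope) but the name carries '$tag' instead of '$expectedTag'"
        }
    }

    # GPOs linked directly at this OU should carry the unit name first.
    foreach ($link in (Get-GPInheritance -Target $ouDn).GpoLinks) {
        if (-not $link.DisplayName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            New-Finding 'GPO' $link.DisplayName "Linked GPO name does not start with '$prefix'"
        }
    }

    # Computers: unit appears as a hyphenated token in the NetBIOS name, the
    # name fits in 15 characters, and the DNS host name is <NetBIOS>.<Domain>.
    $unitToken = "(^|-)$([regex]::Escape($Unit))(-|$)"
    foreach ($c in Get-ADComputer -Filter * -SearchBase $ouDn -Properties DNSHostName) {
        $netbios = $c.Name                           # sAMAccountName without the trailing '$'
        if ($netbios.Length -gt 15) {
            New-Finding 'Computer' $netbios 'NetBIOS names are limited to 15 characters'
        }
        if ($netbios -notmatch $unitToken) {
            New-Finding 'Computer' $netbios "Unit '$Unit' does not appear in the NetBIOS name"
        }
        $expectedFqdn = "$netbios.$Domain"
        if ($c.DNSHostName -and $c.DNSHostName -ne $expectedFqdn) {   # -ne is case-insensitive
            New-Finding 'Computer' $netbios "DNS host name $($c.DNSHostName) does not match $expectedFqdn"
        }
    }
}

# Usage: list findings for the ACCC branch.
Test-UicAdNaming -Unit ACCC | Format-Table -AutoSize
```

The group check reads the second word of the name as the scope tag, so "ACCC GG Office Workers" passes while a domain local group named "ACCC GG Office Workers" is flagged; run it before asking the ACCC to resolve a naming conflict, since the page says they will not intervene when the convention has not been followed.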

DNS Entries
Computers and servers must have their IP information registered with the ACCC - Networks group. This policy is enforced for all departments on campus including those behind firewalls.

Domain Name Servers (DNS Servers)
UIC Campus AD users can set their clients to use the following AD DNS servers.

131.193.68.141
131.193.68.142
131.193.68.143
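As an added example (not from the UIC page), the following configures a Windows client's resolver with the three servers listed above and then checks that each one returns the domain controller SRV records that domain join and logon depend on, rather than merely answering some query. It assumes the interface alias "Ethernet" (list yours with Get-NetAdapter) and the DnsClient module of Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the UIC page): point the client at the AD DNS
# servers and verify each one can locate domain controllers for ad.uic.edu.
$AdDnsServers = '131.193.68.141', '131.193.68.142', '131.193.68.143'
$Domain       = 'ad.uic.edu'
$Interface    = 'Ethernet'     # assumption; adjust to the adapter actually in use

Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $AdDnsServers

# A resolver that cannot return these SRV records cannot find a domain
# controller, whatever else it resolves; query each listed server directly.
foreach ($server in $AdDnsServers) {
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $server -ErrorAction SilentlyContinue
    $dcs = $records | Where-Object { $_.Type -eq 'SRV' } |
                      Select-Object -ExpandProperty NameTarget
    if ($dcs) { "$server : $($dcs -join ', ')" }
    else      { "$server : no DC SRV records returned" }
}
```

If a server answers the SRV query but the join still fails, `nltest /dsgetdc:ad.uic.edu` on the client shows which DC the locator actually selected and why.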

Server Roles
If a department has a file server they wish to manage, they can publish the server resource in Active Directory. The server must be a stand-alone member server; it cannot hold any forest or domain FSMO roles**.

PC Security
The recommendations under the security section of this web site must be followed for all machines in the AD forest.

External Trusts
External trusts will not be allowed into or out of the UIC AD Forest.

*Portions of this page were provided by CITES at the University of Illinois Urbana-Champaign.
** FSMO (Flexible Single Master Operation) roles will be maintained by the ACCC for AD.UIC.EDU.

 

Copyright © 2007 The Board of Trustees of the University of Illinois