OU Administrator Reference

Acceptable Use Policy

All users of the UIUC Active Directory are bound by the UIUC Information Security Policy and Acceptable Use Policy. These encompass policy requirements for software licensing, security, and unauthorized use of the computing infrastructure in general, and apply specifically to systems networked through the UIUC Active Directory. For more information, please review the official policies at the Information Security Policy page and the Policy on Appropriate Use of Computers and Network Systems at the University of Illinois at Urbana-Champaign page.

Access control

OU Administrators are granted full control of their OU and may edit the Access Control List (ACL) for any objects created within their OU. Any ACL changes are made at the administrator’s discretion, and the UIUC Active Directory Support Team does not provide support for editing ACLs, determining effective permissions, or troubleshooting problems that stem from improper or poorly chosen ACLs.

File and Folder ACLs may also be deployed through the use of Group Policy Objects, providing complete centralized control and security over a department’s computing resources. See the Group Policy section for more information.

AD Client Extensions

Active Directory Client Extensions are available for Windows 98/ME and Windows NT to provide more secure authentication and resource access. Since the AD Client Extensions are considered part of the unsupported operating systems and are no longer supported by Microsoft, CITES no longer provides any type of support for using Client Extensions in conjunction with the UIUC Active Directory. For more information, see Microsoft's archived web pages on Active Directory Client Extensions.


Backups

The UIUC Active Directory is backed up on a daily basis. This includes all containers, the Campus Accounts OU, and all departmental OUs. The backup is provided for disaster recovery purposes in the event that the domain needs to be completely restored. OU Administrators that wish to back up more frequently are encouraged to use the LDIFDE utility to export object data. See the Restoring Objects entry on this page.

Client Access License

Click here to see Microsoft's overview of Windows XP client access licensing. Every machine that authenticates to the UIUC AD must have a current client access license.

Computer accounts

In order to ensure uniqueness for WINS, OU administrators should include the unit portion of the UIUC DNS name in the first 15 bytes of the computer name. If this suggestion is not followed, CITES will not intervene in NetBIOS naming disputes. CITES also recommends that the same name be used for both the computer DNS hostname and the NetBIOS name. For example, if the current DNS name is moe.cites.uiuc.edu, then the NetBIOS name would be CITES-MOE and the Active Directory DNS name would be CITES-moe.ad.uiuc.edu.
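
The naming rule above can be checked mechanically. The following is an added example, not CITES/UIUC code: it derives the recommended NetBIOS and AD DNS names from a campus DNS name, flags names that exceed the 15-byte NetBIOS limit WINS imposes, and groups names that would collide once Windows truncates them to 15 bytes (the naming disputes CITES will not arbitrate). The campus and AD zones are taken from this page; every hostname used in the tests is constructed.

```python
# Added example, not CITES/UIUC code: derive the NetBIOS and AD DNS names this
# page recommends from a campus DNS name, check the 15-byte NetBIOS limit that
# WINS imposes, and find names that would collide once truncated to 15 bytes.
# All hostnames in the test data are constructed.
import re

CAMPUS_ZONE = "uiuc.edu"      # campus DNS zone from the page
AD_ZONE = "ad.uiuc.edu"       # AD DNS zone from the page
NETBIOS_MAX_BYTES = 15        # NetBIOS computer-name limit
NETBIOS_NAME_RE = re.compile(r"[A-Z0-9-]+")  # characters valid in both DNS and NetBIOS


def split_campus_name(fqdn):
    """Split 'host.unit.uiuc.edu' into ('host', 'unit'), lower-cased."""
    labels = fqdn.strip(".").lower().split(".")
    zone = CAMPUS_ZONE.split(".")
    if len(labels) != len(zone) + 2 or labels[-len(zone):] != zone:
        raise ValueError("expected <host>.<unit>.%s, got %r" % (CAMPUS_ZONE, fqdn))
    return labels[0], labels[1]


def netbios_name(fqdn):
    """Recommended NetBIOS name UNIT-HOST, e.g. CITES-MOE for moe.cites.uiuc.edu."""
    host, unit = split_campus_name(fqdn)
    return ("%s-%s" % (unit, host)).upper()


def ad_dns_name(fqdn):
    """AD DNS name with the same unit prefix, e.g. CITES-moe.ad.uiuc.edu (DNS is case-insensitive)."""
    host, unit = split_campus_name(fqdn)
    return "%s-%s.%s" % (unit.upper(), host, AD_ZONE)


def wins_visible_name(name):
    """The name WINS actually sees: Windows truncates the computer name to 15 bytes."""
    return name.encode("ascii", "replace")[:NETBIOS_MAX_BYTES].decode("ascii")


def check_netbios_name(fqdn):
    """Return a list of problems with the derived NetBIOS name; an empty list means it complies."""
    _, unit = split_campus_name(fqdn)
    name = netbios_name(fqdn)
    problems = []
    if not NETBIOS_NAME_RE.fullmatch(name):
        problems.append("%s contains characters outside A-Z, 0-9 and '-'" % name)
    size = len(name.encode("ascii", "replace"))
    if size > NETBIOS_MAX_BYTES:
        problems.append("%s is %d bytes; WINS will see only %s"
                        % (name, size, wins_visible_name(name)))
    prefix = unit.upper() + "-"
    if len(prefix) + 1 > NETBIOS_MAX_BYTES:
        problems.append("unit prefix %s leaves no room for a host name in %d bytes"
                        % (prefix, NETBIOS_MAX_BYTES))
    return problems


def wins_collisions(fqdns):
    """Group campus names whose 15-byte NetBIOS forms collide with each other."""
    seen = {}
    for fqdn in fqdns:
        seen.setdefault(wins_visible_name(netbios_name(fqdn)), []).append(fqdn)
    return {short: names for short, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for fqdn in ("moe.cites.uiuc.edu", "longworkstation.cites.uiuc.edu"):
        print(fqdn, "->", netbios_name(fqdn), ad_dns_name(fqdn), check_netbios_name(fqdn))
```

Run `wins_collisions()` over the list of hostnames an OU is about to join; two hosts such as `printserver01` and `printserver02` in the same unit both become `CITES-PRINTSERV` in WINS even though their DNS names differ.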

DHCP servers

To deploy Dynamic Host Configuration Protocol (DHCP) on a server running Windows 2000 Server or Windows Server 2003 that is a member of Active Directory, the server must be authorized. Administrators must contact the Active Directory Support Team using the Contact Us web form and provide the hostname and IP address of the server in question. Once authorized, the DHCP server can be configured for use. If the IP address changes, please provide the new hostname and address, as well as the old hostname and address that can be removed from the authorized list.

Distributed File System

Departments may request a Distributed File System (DFS) “Domain Root” to be published in the UIUC Active Directory. DFS allows administrators to group shared folders from different servers into a common DFS namespace. For example, if CITES had a shared folder called “Documents” on server “SERVER01,” instead of referencing the shared folder as \\SERVER01\Documents, a Domain DFS root can be configured to reference it using \\ad.uiuc.edu\CITES\Documents. The users need not know the physical server that contains the shared folder, which is especially helpful if the shared folder is moved to a different server.

Administrators may contact the Active Directory Support Team using the Contact Us web form with DFS requests, which should include the following:

  • The server name of the server to host the DFS root (The server must be a member of the UIUC Active Directory.)
  • The preferred name of the DFS root (CITES recommends using the department name or abbreviation that was used for the original OU creation.)
  • Confirmation of temporary addition of UIUC\Domain Admins in the server’s local Administrators group in order to establish the DFS root share (Note: A shared folder will be created that is the same name as the DFS root. This is the DFS root share. Its name must not conflict with any existing shared folders on that server.)

Once the DFS root share (the “root target”) has been established, the DFS root object in the UIUC Active Directory is fully delegated to the OU Administrator(s) for that department. Administrators can subsequently remove UIUC\Domain Admins from the local Administrators group. Administrators may now manage the DFS root using the “Distributed File System” snap-in utility in the Microsoft Management Console. From here, administrators can link the actual shared folders (“link targets”) for resource use or add additional root targets.

For more information about how Distributed File System works, visit Microsoft's Distributed File System and File Replication Services.

DNS configuration

The DNS configuration on servers and workstations that have joined the UIUC Active Directory should be configured to use the same DNS servers as non-Active Directory systems. For most systems, these are the UIUC DNS Servers. Only two servers can be set from the Properties form, but using the "DNS" tab from the Advanced Settings form will allow more to be specified.

Systems running Windows 2000 or later dynamically register only in the ad.uiuc.edu domain, using the following settings:

  • The "Primary DNS suffix for this computer" is set to ad.uiuc.edu.
  • The "DNS suffix for this Connection" is set to <yourcampusdnszone>.uiuc.edu.
  • The "Register this connection's addresses in DNS" is enabled.

See MS KnowledgeBase article 240943 for more information.

DNS naming

Active Directory uses DNS for name resolution instead of the older WINS name resolution. CITES CommTech manages the DNS namespace below uiuc.edu and does not, in general, give out subdomains below this name. CITES CommTech has delegated the DNS zone ad.uiuc.edu to the UIUC Active Directory; this delegation provides the DNS services necessary for proper operation of the UIUC Active Directory service.


Domain trusts

The UIUC Active Directory service supports only NTLM external one-way (inbound) trusts to the ad.uiuc.edu (UIUC) domain. That is, any departmental domain can be configured to trust the UIUC domain. No other types of trusts are supported, including forest-level trusts.

Departments that operate their own Windows NT 4.0 domain or Active Directory forest may contact the Active Directory Support Team using the Contact Us web form to request a one-way trust. The department must provide the domain name. A one-time shared password will be provided to establish the trust relationship on both ends.

It is understood that the department network administrator is familiar with Windows networking and trust behavior. Support and troubleshooting of trust relationships is beyond the scope of AD Support. A department needing assistance may purchase fee-based support from CITES OnSite Consulting.

Down-level clients

Systems running out-of-date operating systems are considered “down-level” clients. Today, this includes such operating systems as Windows 98, Windows ME and Windows NT. Down-level clients can connect to Windows 2000 Server or Windows Server 2003 servers, but they will not realize all the benefits of Active Directory. Windows 2000/XP clients use Kerberos to authenticate to the Active Directory. Down-level clients continue to use NTLM authentication just as if the Active Directory were on a Windows NT domain.


Enterprise administrator access

A common source of concern is the extent of access privileges of enterprise administrators in Active Directory. Enterprise administrators have enterprise-wide administrator access to Active Directory objects.

Enterprise administrators have full control over the configuration container for the Active Directory, and they have the ability to take ownership of any object in the directory. This means that an enterprise administrator could take ownership of a particular machine's account in the Active Directory database, but this ownership is not sufficient to gain access to files. Department administrators can configure their machines so that enterprise administrators cannot log in locally to the machine or access any of the machine's files.

If an enterprise administrator takes ownership of a machine's account in the Active Directory, he or she would still be unable to log in to the machine without a local administrator account. Department administrators can implement the security inherent in the Windows 2000/XP Encrypting File System for any files residing on an NTFS5 volume. Other security technologies (e.g., firewalls and IPsec) can be used to further protect local resources.

Exchange Email

CITES provides Exchange email services to faculty, staff, departments, and colleges at the University of Illinois. Find out more about this service at the Exchange Services page. Departmental Exchange servers in the UIUC Active Directory are not supported.


Group Policy

Group Policy is one of the most compelling reasons to use the UIUC Active Directory for centralized administration of resources. The flexible management features of AD strengthen security by providing policy-level control of IT configuration, software distribution, and security settings across your entire OU.

Group Policy and Security settings can be implemented at the OU level as the administrator sees fit. However, in order to create Group Policy Objects linked to your OU, the administrator must be a member of the “Group Policy Creator-Owners” group. This group is a domain-wide group, since Group Policy Objects (GPOs) are stored in a domain-level container (not within the OU). Because of the complexity of Group Policy and the risks associated with misconfigured policies, at most two administrators per top-level OU are permitted this membership, and only if they fulfill the requirements. The administrator is required to complete the CITES FAST3 training course Implementing Group Policy in the UIUC Active Directory, or provide proof of passing an equivalent Microsoft Certified Professional exam. Administrators must send lists of their class completions to the Active Directory Support Team using the Contact Us web form in order to request this permission level.

The Group Policy Management Console with Service Pack 1 (GPMC) is the recommended choice for managing and editing Group Policy Objects. To avoid version incompatibilities, a single workstation should be designated for editing policies. Once the GPMC is used to edit policies, avoid any further editing with older versions or with the older Group Policy Editor.

For more information, visit Microsoft's Technology Center on Group Policy.

LDAP queries

The UIUC Active Directory is also an LDAP server. Programmers may wish to connect using ad.uiuc.edu port 389 for basic LDAP, or port 636 for LDAP over SSL. Contact AD Support for more advanced information on using LDAP and available SASL mechanisms for authentication.
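
Programs that query the directory need two things the paragraph above does not spell out: caller-supplied values must be escaped before they are placed in a search filter, and a client on port 636 must actually verify the server certificate. The following is an added example, not CITES/UIUC code, using only the Python standard library; the hostname and ports are from this page, the base DN `DC=ad,DC=uiuc,DC=edu` is assumed from the zone name, and the NetIDs in the tests are constructed.

```python
# Added example, not CITES/UIUC code: helpers for programs that query the
# directory over LDAP (port 389) or LDAP over SSL (port 636); the host and
# ports are from the page. It shows RFC 4515 escaping of caller-supplied
# filter values and a TLS client context that verifies the server.
# The base DN is an assumption derived from the zone name.
import ssl

LDAP_HOST = "ad.uiuc.edu"
LDAP_PORT = 389    # basic LDAP; do not send credentials over it without StartTLS
LDAPS_PORT = 636   # LDAP over SSL

# RFC 4515 requires these characters to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it can only ever match as a literal inside a search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \xx.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(netid):
    """Filter matching one user by sAMAccountName, whatever the caller passed in."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(netid)


def ldap_url(secure=True, base_dn="DC=ad,DC=uiuc,DC=edu"):
    """ldap:// or ldaps:// URL for the directory (base DN is an assumption)."""
    scheme, port = ("ldaps", LDAPS_PORT) if secure else ("ldap", LDAP_PORT)
    return "%s://%s:%d/%s" % (scheme, LDAP_HOST, port, base_dn)


def ldaps_context(ca_file=None):
    """TLS settings for port 636: verify the chain and hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(ldap_url())
    print(user_filter("jdoe"))
    print(user_filter("*)(objectClass=*"))  # metacharacters become harmless literals
```

Wrap the socket returned by any LDAP library with `ldaps_context()` (or pass the equivalent settings to the library) rather than accepting the default of not checking the certificate; a directory that hands out password-bearing binds deserves the same verification as a web site.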

Macintosh

All Macintosh OS X machines are down-level clients in AD. Please note that Macintosh OS X versions 10.? and later have AD plug-ins available; however, some versions of the OS have been known to break. Machine accounts must be pre-staged in Active Directory by a designated OU Administrator before the system can be joined to the domain. For complete instructions on joining Macintosh machines to AD, see the Macintosh on AD page.

MIT Kerberos authentication

To allow users to log on to a Windows 2000/XP machine using their NetID and Kerberos password, you need to configure the machine so that it can find the campus KDC. Click here to see the complete instructions at the Configuring Windows 2000/XP Computers to Log On Using UIUC NetID page.

OU creation and naming

Any UIUC department, college, unit, or affiliate group may request a top-level Organizational Unit (OU) in the UIUC Active Directory. At least one "OU Administrator" must be designated. The designated administrator(s) must be permanent employees of the UIUC campus. Upon creation, the OU is fully delegated to the designated OU Administrator(s), who may place any objects or additional OUs as bound by the Active Directory guidelines.

Employees wishing to "join" an already-existing OU Admin group for their department must contact a previously designated OU Admin or department head for permission prior to the request. It is also the OU Administrator's responsibility to notify the Active Directory Support Team of any changes in administrators for their OU using the Contact Us web form.

CITES recommends that each OU be named with the unit portion of the current DNS domain name. For example, if your domain name is cites.uiuc.edu then your OU would be named CITES.

OU planning and support

OU administrators will be asked to provide documentation of their current network/OS environment before their OU is created. A form (Applying for an Organizational Unit in the UIUC AD) for documenting your network/OS environment is available. OU administration support is available through CITES OnSite Consulting (333-8628) for an hourly fee. Windows Server 2003 Active Directory OU administration training is available through CITES Training (333-6285).

Recommended tools

The primary tool for managing objects in your OU is the "Active Directory Users and Computers" tool, a snap-in for the Microsoft Management Console (MMC). This snap-in is part of the Windows Server 2003 Administration Tools Pack, available for download from Microsoft, or using the installer \i386\adminpak.msi on the Windows Server 2003 distribution CD-ROM. Download or locate the adminpak.msi file. Right-click and choose "Install..." from the menu.

NOTE: The Windows Server 2003 version of adminpak.msi requires Windows XP Professional with SP1 or greater.

Restoring objects

OU Administrators may request to have one or more deleted objects restored by contacting the AD Support Team using the Contact Us web form. Please provide the original LDAP path of the deleted object(s). CITES will make every effort to restore the objects to their original state; however, there are no guarantees as some attributes may not be restored or recoverable.

Although most restores can be done in a timely manner, some types and quantities of restores may take up to three (3) business days to complete. The AD Support Team reserves the right to charge a fee on a time and materials basis for the effort involved with restores.

Individual units/departments are encouraged to properly document their OUs for easier recovery. Those wishing to implement their own backup/restore mechanism are encouraged to do so. Some commonly used command-line tools are LDIFDE and CSVDE, provided by Microsoft on the installation media for Windows 2000 Server and Windows Server 2003. For more information on these tools, refer to Microsoft Knowledge Base articles 237677 and 327620. Other third-party tools are available as well. The Active Directory Support Team does not provide any support with these utilities.
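
A periodic LDIFDE export is only useful for recovery if someone can read it back. The following is an added example, not CITES/UIUC code: it parses LDIF of the kind LDIFDE writes (including folded lines and base64 `::` values), builds a per-object-class inventory of an OU, and looks up an object's original LDAP path, which is exactly the detail a restore request must include. `SAMPLE_LDIF` is constructed sample data, not a real export.

```python
# Added example, not CITES/UIUC code: parse an LDIF export such as LDIFDE
# produces, build a per-object-class inventory of an OU, and look up an
# object's original LDAP path (the detail a restore request must include).
# SAMPLE_LDIF is constructed sample data, not a real export.
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: OU=Workstations,OU=CITES,DC=ad,DC=uiuc,DC=edu
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Workstations

dn: CN=CITES-MOE,OU=Workstations,OU=CITES,DC=ad,DC=uiuc,DC=edu
changetype: add
objectClass: top
objectClass: computer
cn: CITES-MOE
dNSHostName: CITES-moe.ad.uiuc.edu
description:: RXhhbXBsZSB3b3Jrc3RhdGlvbg==

dn: CN=cites-svc-backup,OU=ServiceAccounts,OU=CITES,DC=ad,DC=uiuc,DC=edu
changetype: add
objectClass: top
objectClass: user
sAMAccountName: cites-svc-backup
description: Constructed example account
  with a folded continuation line
"""


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return a list of records, each {'dn': str, 'attrs': {name: [values]}}."""
    records, current = [], None
    for line in unfold(text):
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            # 'name:: value' means the value is base64-encoded.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is None:
            raise ValueError("attribute %r appears before any dn" % name)
        else:
            current["attrs"][name].append(value)
    if current is not None:
        records.append(current)
    return records


def inventory(records):
    """Map each object class (other than 'top') to the DNs that carry it."""
    by_class = defaultdict(list)
    for rec in records:
        for cls in rec["attrs"].get("objectClass", []):
            if cls != "top":
                by_class[cls].append(rec["dn"])
    return dict(by_class)


def find_dn(records, rdn_value):
    """DNs whose leading RDN value matches rdn_value, case-insensitively."""
    matches = []
    for rec in records:
        leading = rec["dn"].split(",", 1)[0]
        if leading.partition("=")[2].lower() == rdn_value.lower():
            matches.append(rec["dn"])
    return matches


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for cls, dns in sorted(inventory(recs).items()):
        print(cls, len(dns))
    print(find_dn(recs, "cites-moe"))
```

Point `parse_ldif()` at the file LDIFDE wrote (read it as text) instead of `SAMPLE_LDIF`; keeping the dated export alongside the inventory it produces is the documentation the paragraph above asks for, and `find_dn()` gives the LDAP path for a restore request without guessing at the container an object used to live in.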

RIS servers

Because RIS Servers use the Dynamic Host Configuration Protocol (DHCP) for deployment, these servers require DHCP authorization in the UIUC Active Directory. Administrators must contact the Active Directory Support Team and provide the hostname and IP address of the server in question. Once authorized, the RIS server can be configured for use. If the IP address changes, please provide the new hostname and address, as well as the old hostname and address that can be removed from the authorized list.

Schema extensions

The UIUC Active Directory uses the default schema for the Windows Server 2003 forest functional level, with extensions added for support of Microsoft Exchange Server 2003. Additional schema extensions may be considered if they are a prerequisite for a Microsoft-supported product or server. Contact the Active Directory Support Team for more information.

Service Level Agreement

A Service Level Agreement (SLA) is a CITES agreement for subscribers to AD service. It includes information on terms and conditions of the service, duration of the agreement, hardware and software requirements, cost and availability, and technical support. Click here to see the AD SLA.


Support responsibility and escalation

Tasks such as account creation, deletion, and password changes will be handled automatically. Administration of network resources such as shares, network applications, connectivity issues, managing user groups and ACLs, and other responsibilities remain under local control. All administrative functionality within an OU is granted exclusively to local administrators.

Test forest

A test forest, "adtest.uiuc.edu" (short name: ADTEST), is available for OU administrators wishing to test automated scripts, policies, or other Active Directory-related technologies. Administrators can set their password at the AD Test Password page. When prompted for authentication, use your regular Active Directory NetID and password. The Campus Accounts OU is synchronized once per semester, so newly hired employees may not yet have access to the forest.

Administrators requesting or managing an OU in ad.uiuc.edu may also request an OU in adtest.uiuc.edu. The OU in adtest.uiuc.edu can be used for testing any scripts that automate creation of objects before they are run in the production OU. Workstations and servers can be joined to adtest.uiuc.edu, just as they would be to ad.uiuc.edu.

Note: The test forest may be down or out of service at any time without notice. "adtest.uiuc.edu" must not be relied on for production purposes.

User accounts

Campus user accounts are automatically created from UIUC NetIDs for all students, faculty, and staff. The only "manual" administration available for these user accounts is resetting passwords through the CITES Password Home Page and unlocking accounts through the AD Account Unlock Page. Campus user account names are identical to the associated UIUC NetID; therefore, they do not exceed eight characters in length. OU administrators may create their own user accounts in their OUs. Names of user accounts created within departmental OUs must exceed eight characters in length to guarantee uniqueness from potential generated UIUC NetIDs.

Note: CITES reserves the right to delete or rename an OU's user accounts that are less than nine characters in length at any time without notice in order to avoid such conflicts.

WINS

Although the Windows Internet Name Service (WINS) is an older technology replaced by traditional DNS in Active Directory, it is still widely used and needed by a variety of older Windows components and applications still in use. While WINS is managed separately from Active Directory, careful consideration of WINS should be made with respect to naming computer accounts within the UIUC Active Directory. See the Computer Accounts entry on this page.

Clients should be configured to use the following IP addresses for WINS name resolution:

128.174.5.30
128.174.5.31

WINS configuration is optional -- if the OU administrator has determined that there is no dependency on WINS name resolution for any of the department's services, it can be omitted.