Active Directory Questions?

Questions

What is Active Directory?
What is the campus Windows AD Domain?

What is a forest?

What is a tree?

What departments should consider joining the AD domain?

How can I do a remote install of an operating system?

What is the purpose of the AD password reset?

Can I have my own AD infrastructure?

How do I prepare to join the AD domain?

What Operating Systems are supported on the AD domain?

What is an Organizational Unit (OU)?

What is inheritance, and how does it work?

How do I administer my OU?
Can departments block OUs on their parent?


Answers

What is Active Directory?
The Windows directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and apply. With the Active Directory, users can gain access to resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure.

What is the campus Windows AD Domain?
Active Directory is the directory service in a Windows network. The directory service stores information about network resources and makes the resources accessible to users and applications. Andrew Windows includes the ad.cmu.edu forest root domain. This is the top level naming structure. Andrew Windows also includes the andrew.ad.cmu.edu domain within the forest.

What is a forest?
A forest refers to an organizational structure that is a group of one or more trusted Windows trees. A forest shares a schema and global catalog servers. A single tree can also be called a forest.

What is a tree?
A tree is basically a domain or domains connected together in a hierarchy. The trees are linked together via a two-way transitive trust, sharing a common schema, configuration, and global catalog.

What departments should consider joining the AD domain?
For departments running Netware, this is a great migration strategy. Other reasons to consider the AD domain include interest in single sign-on with Andrew accounts, cross-departmental information sharing, or automating machine installs via RIS and GPOs. NT4 departments, domains with limited support personnel, and departments running stand-alone Windows 2000 or 2003 Servers should also consider it.

How can I do a remote install of an operating system?
Many newer computers support the PXE standard, which is built into the latest network adapters and lets you install an operating system. Because no CD is required, you can build many machines much faster. You can also have software deployed that you've defined in a Group Policy Object.

What is the purpose of the AD password reset?
If you are accessing an Active Directory resource (such as a shared folder) from a non-Kerberos computer (Win9x, WinNT) or a non-domain machine, you are required to reset your Active Directory password. Client machines use Kerberos referrals to get credentials from the Andrew UNIX KDCs. Therefore, machines that cannot understand the Kerberos referrals need to set the Active Directory password directly.

Can I have my own AD infrastructure?
DNS support for external forests will be available via NetReg, and the forest structure will reside under "win.cmu.edu". Send a domain request to netdev@andrew.cmu.edu, specifying the domain name (e.g. example.win.cmu.edu) and domain controllers (e.g. dc1.example.win.cmu.edu, dc2.example.win.cmu.edu).

How do I prepare to join the AD domain?
You must have administrative access to a Departmental Organizational Unit (OU). To request an Organizational Unit (OU) for your department, send email to advisor@andrew.cmu.edu. You will also want to refer to the documents available on this website.

What Operating Systems are supported on the AD domain?
Only modern Windows computers and servers are permitted to be part of the AD domain.

What is an Organizational Unit (OU)?
A Windows OU is an organizational unit (a directory container) for grouping similar accounts or machines. OUs provide a means of delegating authority over a group of accounts or machines to a person (the local administrator).

What is inheritance, and how does it work?
Group Policy is passed down from parent to child containers within a domain, which you can view by using the Active Directory Users and Computers snap-in tool. If you assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. You can block policy inheritance at the domain or organizational-unit level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy inheritance check box.

How do I administer my OU?
From a computer that is on the AD domain, install the Active Directory Users and Computers snap-in tool. The tool is located on the Windows Server installation CD in the \i386 directory. Run adminpak.msi to install it.

Can departments block OUs on their parent?
Group Policy Objects applied at a parent level in Active Directory will be applied to all child objects. Currently, there is one Group Policy Object being applied at the Domain level of the tree. The Andrew Core GPO configures domain machines to function with the core Andrew Kerberos applications (e.g. NiftyTelnet, KerbFTP, Oracle Calendar, Mulberry) and is inherited by all machines in the Andrew Domain.
You can block Top Level Group Policy Objects from being applied at the Organizational Unit (OU) level. Blocking prevents inheritance of GPOs from parent objects, but they can still be explicitly assigned at the Organizational Unit (OU) level.
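
Because an OU that blocks inheritance no longer receives the domain-level GPO unless it is linked again, it is worth auditing which OUs have the box checked. The following is an added example, not part of the original FAQ or of any campus tooling. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and read access to the directory, and the GPO display name "Andrew Core GPO" is assumed from the wording above.

```powershell
# Added example: list OUs that block Group Policy inheritance and show
# whether the domain-level baseline GPO still reaches them.
Import-Module ActiveDirectory, GroupPolicy

function Get-BlockedInheritanceReport {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $BaselineGpo
    )

    Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object {
        # GpoLinks          = GPOs linked directly to this OU
        # InheritedGpoLinks = resultant list that applies to this OU,
        #                     in precedence order
        $inh = Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain

        if ($inh.GpoInheritanceBlocked) {
            # A parent link marked Enforced still applies even though the
            # OU blocks inheritance, so it shows up in the resultant list.
            $enforced = $inh.InheritedGpoLinks | Where-Object { $_.Enforced }

            [pscustomobject]@{
                OU              = $_.DistinguishedName
                DirectLinks     = $inh.GpoLinks.DisplayName -join '; '
                EffectiveLinks  = $inh.InheritedGpoLinks.DisplayName -join '; '
                EnforcedLinks   = $enforced.DisplayName -join '; '
                BaselineApplies = $inh.InheritedGpoLinks.DisplayName -contains $BaselineGpo
            }
        }
    }
}

# Domain name taken from this page; GPO display name is an assumption.
Get-BlockedInheritanceReport -Domain 'andrew.ad.cmu.edu' -BaselineGpo 'Andrew Core GPO' |
    Sort-Object BaselineApplies, OU |
    Format-Table -AutoSize -Wrap
```

Rows with BaselineApplies set to False are OUs whose machines are not receiving the domain-level GPO and need either an explicit link at the OU or a review of why inheritance was blocked.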
