Windows Active Directory Service at Penn State (Information Technology Services)

 

Getting Started with Active Directory


To start with Active Directory, you need to understand the Windows environment at Penn State. For a good overview of the Forest's purpose, guidelines driving the design, as well as the Forest design, click here. After examining the Forest's layout and how Active Directory works, choose the best option for your organization. Next, apply for that option; upon application, you will receive the necessary accounts and passwords. Finally, use the How to section of this site to guide you in your implementation.

Deciding on the Best Option

Currently, four options exist for utilizing Penn State Windows Active Directory Service: join as an OU in the ACCESS domain, join as an OU in a Child Domain, join as a Child Domain, or use a Direct Trust for authentication. Your organization's best option depends on its organizational needs and its support capabilities. Each option is outlined below:

  1. OU under the ACCESS domain:

    This option is recommended for most organizations at the University Park campus. The option allows an organization to utilize the Kerberos trust without managing a domain. In this scenario, all domain issues (such as account management, Domain Controller maintenance/management, and infrastructure disaster recovery) are taken care of by ACCESS administrators. Your organization is responsible for managing its client PCs and any services provided from its servers. Most administrative tasks are still possible: you may still manage PCs, servers, and Group Policy Objects (GPOs), but slight differences exist for adding machines and creating GPOs in this environment.

  2. OU in a Child Domain:

    This option is recommended for most organizations that are looking to work closely with a parent organization. The option allows an organization to utilize the Kerberos trust without managing a domain. Your role in the domain, as well as permissions and controls, are all subject to the policies and procedures outlined by the parent organization.

  3. Child Domain:

    This option is recommended for very large organizations with smaller organizations under them. The option allows organizations to create a community and provide it with specialized support. This option is extremely complex and requires more administrative overhead than the other options.

  4. Direct Trust:

    This option is recommended for most organizations that already manage a domain with user accounts in it. This option requires your organization to administer everything. The only support from the ACCESS domains is in setting up the trust.

Applying for access to one of the options

Apply for an OU

The application process consists of the following steps:

  1. Read and understand the policy document.
  2. Send an e-mail to win-ad@aset.psu.edu to request an OU application form.
  3. The WIN-AD Team will pre-create and delegate the appropriate domain objects and accounts.
  4. Finally, you will receive your administrative accounts and passwords.
  5. Follow the directions to install the first PC in your OU.

Apply for an OU in a Child Domain

The application process consists of the following six steps:

  1. Read and understand the policy document.
  2. Send an e-mail to win-ad@aset.psu.edu to request a CD application form.
  3. The WIN-AD Team will pre-create and delegate the appropriate domain objects and accounts.
  4. Finally, you will receive your administrative accounts and passwords.
  5. Follow the directions to install the first DC in your Child Domain.

Apply for a Direct Trust

The application process consists of the following six steps:

  1. Send an e-mail to win-ad@aset.psu.edu to request a DT application form.
  2. The WIN-AD Team creates the trust principal in the dce.psu.edu realm.
  3. Finally, you will receive your trust password.
  4. Follow the directions to set up the trust.

The Pennsylvania State University ©2006. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

Problem reports and requests for assistance should be directed to ITS Help Desk staff.

Last revised: Monday, June 5, 2006.