Domains outside the Forest will not be allowed to maintain or create a trust relationship with the ACCESS domain, except for those domains that are in the process of migrating to the tree. The ACCESS domain will not trust domains outside the Forest for any other reason. Domain migrations should occur in a timely manner to reduce a prolonged security risk via the trust, and the trust relationship will not be allowed for an indefinite period of time. Child Domains may trust a domain external to the Forest, but only for migration reasons.
Each Child Domain is responsible for the installation, operation, and maintenance of their respective DNS servers. These DNS servers will be responsible for the five domain subzones that contain SRV records. These include:
Each Child Domain and OU is responsible for the maintenance of DNS records for individual machines that reflect the organization's hierarchy. The machine DNS suffix will not match the Active Directory® domain name. For example, in a Microsoft-centric environment a machine in the ACCESS.PSU.EDU domain would be called dc-ws1.access.psu.edu. In this environment, a machine in the ACCESS.PSU.EDU domain would be called dc-ws1.aset.psu.edu. The machine name dc-ws1.access.psu.edu can be maintained by the organization or by ASET/ITS, whichever is permitted per the organization's setup decision. However, the organization will install, operate, and maintain the five domain sub-zones listed above on its respective DNS servers.
A Child Domain must have a minimum of two full-time IT administrators as points of contact for the domain. The Child Domain must provide IP address information for a minimum of two servers to operate as the Domain Controllers for the Child Domain. The equipment used must meet minimum recommended hardware specifications from Microsoft® for Windows® 2003 servers. At minimum, the following information is required:
The Domain Controllers may operate only as Domain Controllers. This means that the only services they can run are Kerberos, LDAP, and DNS. Additional software may not be installed on the Domain Controllers.
Each Child Domain is responsible for the installation, operation, and maintenance of their respective Domain Controllers. This includes, but is not limited to, patching, upgrading, and recovering the domain. The Child Domain must have a published disaster recovery plan. This plan must include at least Active Directory® database corruption, data corruption, and hardware failure. Any Child Domain is welcome to test the effectiveness of their respective backup and disaster recovery systems in the separate testing environment maintained by ASET/ITS.
A Child Domain may install, operate, and maintain its own WINS server. This server must be configured to replicate with a WINS server in the root domain ACCESS.PSU.EDU. An OU may set up client machines to use one of the WINS servers in the ACCESS.PSU.EDU domain.
DHCP server authorization requests must be sent to
It is the intention of the WIN-AD Team not to force group policies down to an OU or Child Domain; however, the WIN-AD Team reserves the right to do so as necessary. Any group policies applied to the Domain Users OU containing all skeleton accounts may be overridden in an organization.
The Pennsylvania State University ©2006. All rights reserved.
This site is maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.
Last revised: Tuesday, March 14, 2006.