Windows Active Directory Service at Penn State - Information Technology Services


Forestwide Policies


Joining the Forest

All Penn State organizations may join the Forest. Four options exist for working with Penn State Access Accounts. ASET/ITS fully supports two of those options:

  1. Organizational Unit (OU) in ACCESS/PSU/EDU: This option requires responsibility for client administration only. ASET/ITS handles all domain administration, inclusive of disaster recovery and account management; however, ASET/ITS currently does not offer a Domain Controller (DC) local to organizations' sites.
  2. Child Domain under ACCESS/PSU/EDU: This option requires administration of the Child Domain, inclusive of client administration, all domain administration, disaster recovery planning, monitoring of events such as replication, and ensuring the security and stability of the data in the Child Domain. ASET/ITS monitors replication to the unit's machines from ASET/ITS machines but does not do so for machines in the domain. A unit's disaster recovery plan is handled through the unit itself and not through ASET/ITS. If a unit experiences an irrevocable disaster that presents an adverse impact on the Forest, ASET/ITS will orphan the domain. In addition, if a unit cannot recover in a timely manner, ASET/ITS will orphan the domain.

ASET/ITS is responsible for backups and disaster recovery, monitoring, security updates, and patches for the ACCESS Domain and the ASET/ITS root domain infrastructure under ACCESS/PSU/EDU.

ASET/ITS also supports but is not directly responsible for the administration of two additional options for joining ACCESS:

  3. One-Way Trust from a separate AD Forest: This option gives units a direct trust to ASET/ITS-managed KDCs. Units are responsible for all administration tasks inclusive of user management, group management, disaster recovery, and all other administrative tasks. A One-Way Trust from other Penn State Forests requires the unit to be entirely responsible for their own systems. ASET/ITS only supports the actual trust relationship to the K5 server.
  4. OU in Child Domain: This option requires units to work directly with the Child Domain Administrators concerning their respective policies. They are responsible for all their Child Domain Administration inclusive of disaster recovery as well as local and administrative account management. Child Domains may or may not offer the ability for OUs to create and maintain Domain Controllers. This, as well as any policy within their own Child Domain, is at the discretion of the unit’s policies. In the case where the Child Domain adds another DC for an OU, the Enterprise Administrators for ACCESS.PSU.EDU must be involved.

To join the domain, interested participants must complete the application form (included on the last page of this document) and e-mail it to . The form lists all requirements, including the designation of the organizational points of contact, each of whom will be responsible for the installation, operation, and maintenance of the Child Domain or OU. By joining the Forest, participants must agree to abide by all of the regulations and policies ASET/ITS has defined in this document, in addition to applicable security and computing policies, guidelines, and regulations already established at the University. Please refer to for information.

Once the application is approved, each designated contact will receive an administrative account, which he/she will need to use for installation and administration of the Child Domain or OU. No matter which option is chosen, ASET/ITS endeavors to delegate complete administration roles and responsibilities for the Child Domain or OU to the designated points of contact. Child Domain or OU administration will be governed by the organization itself, provided that it will not negatively impact the rest of the Forest.

Leaving the Forest

An organization is free to leave the Forest at any time. In order to leave the Forest, an administrative point of contact must send a request to to arrange removal of either the Child Domain or the delegated OU. This must be done prior to the removal of the last Domain Controller for Child Domains and after the removal of the last object under a unit’s OU. It is extremely important to the health of the Forest that this is arranged before a unit removes its final Domain Controller.

Naming Convention for the Forest

In order to keep all names in the domain unique, each unit will be assigned a two-to-three letter prefix upon joining the ACCESS.PSU.EDU Forest. This prefix must be used for naming groups, computers, group policies, and other objects in Active Directory® created or owned by the unit. A list of prefixes is found in the document Naming Policy for the ACCESS Forest. An administrative point of contact for an organization is responsible for ensuring that all machine names throughout the organization are unique.

Schema Extensions Policy

All schema extensions must be requested by filling out this form. The request will be reviewed and accepted or declined. Schema extension testing will take place in the preproduction environment and will be approved or denied based on the results of the testing. Testing will last a minimum of three months and will continue until all potential conflicts/problems are identified. Approval is based on the overall impact to the Forest. Overall impact is based on, but not limited to, the following criteria:

Security Policy

Implementations of services that will affect the Forest must be tested first in the preproduction environment. The ultimate goal is to allow organizations and Child Domains the ability to use any of the supported Microsoft® servers and technologies that are safe and stable for the entire community.

The WIN-AD Team will periodically conduct audits of the Forest to ensure compliance with Penn State policies for the security and safety of the entire Active Directory® community whose production systems rely upon these services. Any Child Domain is welcome to test the effectiveness of its backup and disaster recovery systems in the ASET/ITS testing environment. The Enterprise Administrators for ACCESS.PSU.EDU also offer to conduct periodic site visits to any unit running from ACCESS to help determine strengths and weaknesses at a location and to help units work successfully under ACCESS.

ACCESS Enterprise Administrators also reserve the right to take action to isolate any organization or Child Domain in the event of an emergency or in the event that a violation of security has occurred, after notifying and working with the unit (just as ITS's Security Operations and Services currently notifies responsible administrators and requests compromised machines to be removed temporarily from the network until they have been secured). This type of action will be handled in accordance with Penn State policies and guidelines.

Enterprise Administrators will work with any unit in the Forest in the event of an emergency, but ultimately, the WIN-AD Team is responsible for ensuring the stability and security of the entire Forest and will take steps to ensure that a unit’s production systems are not endangered by any unforeseen event.

Policy for Making Adjustments to Current Policies and Procedures

The WIN-AD Team will periodically host "Town Hall" meetings and update meetings, open to the public but specifically targeted to the needs of current subscribers in ACCESS.PSU.EDU. These forums will be designed to allow open discussion and debate of any current procedures and policies. Any unit within the Forest may recommend changes and modifications, from minor changes within its own scope to large-scale, Forest-wide schema changes.

Current information is documented via the Windows® Services at Penn State site. This site will provide, in addition to the existing overview information, "How To" information, and a Web version of this policy document, required practices associated with subscription to the Active Directory® service. Required practices, in this context, are the policies essential to maintaining the security and stability of the system, inclusive of existing Penn State policies and guidelines. Also included will be suggested Best Practices - a recommended list of resources and operating guidelines and procedures for the Active Directory® community at Penn State.

The WIN-AD Team reserves the right to final decision making in order to preserve the health and security of the entire Forest. Any unit is welcome to test and prove or debate a change by first testing it in the pre-production environment hosted by ASET/ITS for this purpose. Cutting-edge technology will be relegated to the true beta testing environment before being allowed to run in the pre-production environment. Implementations that require schema changes or anything with Forest-wide impact must first be tested within the pre-production Forest by the organizations making the request and any other interested parties.

Enterprise Administrators will work toward maintaining the proper stewardship of the Active Directory® domain, providing stability and conflict resolution. In order to reasonably protect the services and interests of all organizations represented in the Forest, it may be necessary to re-evaluate the deployment of any technology that results in instability of the entire system or that fails to pass testing during the pre-production phase.


The Pennsylvania State University ©2006. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.


Last revised: Tuesday, March 14, 2006.