
Last Updated: October 22, 2009

U-M Windows Central Accounts Service

Joining the U-M Windows Forest as a Delegated Organizational Unit

  1. The following request form needs to be completed and sent to w2Ksupport@umich.edu. The form is plain text. Please complete it and include it in the body of an email.

    Click here for the form.

  2. Admin Accounts Assigned

    Up to three administrative accounts named <departmentprefix>-ouadmin<#> (where # is a number between 1 and 3, e.g. itcs-ouadmin1) will be created and added to a group named <departmentprefix>-ouadmins. This group will be assigned permissions to manage your delegated OU. Your ouadmin accounts will have permission to add other users to your ouadmin group.
     
  3. Organizations and Accounts OUs

    ITCS will create two delegated OUs: one in the Organizations OU and another in the Accounts OU. Both of these OUs are in the UMICH branch of the root domains in the production and test forests.

    Organizations\Your OU

    The first OU is the standard delegated OU in the Umich\Organizations branch of AD. The group, <departmentprefix>-ouadmins, has full rights over this OU and you can use it for any purposes you want including additional OUs, computers, servers, groups, Group Policy, etc.

    Username Naming Conventions

    Administrators can also create non-uniqname AD accounts in their Organizations OU. These accounts must be named so as not to conflict with any current or future uniqnames (which are 3-8 character alphabetic names). Using your OU department prefix, putting a dash in the name, or appending a number will work, e.g. <departmentprefix>-uniqname. For many of our administrative-type accounts we find that appending a 1 to the uniqname works well.

    Accounts\Your OU

    The second OU is the Central Accounts Delegated OU in the Umich\Accounts branch of AD. This OU contains uniqname users that you have requested to manage that have the ability to use Kerberos pass-thru authentication. The <departmentprefix>-ouadmins group has rights over some of the user attributes and full rights over Group Policy. You will not be able to add or delete any objects in this OU.

    If you want to add or delete members of this OU, you will need to fill out the form discussed above in the Request Process to Move Users section. Just fill in the organizational information and the uniqnames you want to manage in the users section. Any users added to this OU are also added to the <departmentprefix>-all-users group, which you can use for whatever you want.
     

  4. Bootstrap Computer

    Within the newly created Organizations OU, the forest administrator needs to create a "bootstrap" computer and delegate the rights to join this computer to the <departmentprefix>-ouadmins group. Once this bootstrap computer is joined to the forest, it can be used to manage both delegated OUs. When you specify the account to join the computer to the forest, use the form <domain>\<account>, for example UMROOT\itcs-ouadmin1. The bootstrap computer can be any client or server running at least Windows 2000 SP3 or Windows XP SP1, or newer.

    If you use a Windows XP computer, you may have to change the following setting before joining the forest because of the increased security settings we have implemented. Failure to make this change could result in not being able to join the computer to the forest. Go to Start->Programs->Administrative Tools->Local Security Policy. In the Security Options section, edit "Network Security: LAN Manager Authentication Level" and change the setting to "Send NTLMv2 response only/Refuse LM & NTLM".

    Naming Conventions

    When naming computers, you should prefix the computer name with your W2k organizational prefix. Keep in mind that when moving from the W2k test forest to the production forest, the computer names must be different, i.e. the computers in the test forest must not have the same names as computers in the production forest.

    DNS

    When joining your computer to the UMROOT production forest, the "Primary DNS suffix for this computer" will automatically be set to "adsroot.itcs.umich.edu" and its DNS name will automatically be registered using Dynamic DNS. In the test forest the DNS suffix will be "adsroot.itd.umich.edu".

    When setting up this first computer and subsequent computers, set up the DNS client to access campus DNS servers at the following addresses:

    141.211.125.17
    141.211.144.17

    WINS

    If you are using WINS you can specify the NetBIOS domain name of UMROOT or ADSROOT, otherwise you should specify it with the full domain DNS name of adsroot.itcs.umich.edu for production or adsroot.itd.umich.edu for the test forest.

    You can use your own standalone WINS servers or optionally set up WINS to point to the ITCS campus WINS servers. Once you are in production, you can continue to use the campus WINS servers or you can install a WINS server that replicates with the campus servers - it's your choice.

    Campus WINS Servers: Production and Test Forest
    Primary WINS server 141.213.238.150
    Secondary WINS server 141.213.143.150
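    As an added example (not part of the ITS page), the following PowerShell check verifies, on the bootstrap computer, the settings that steps 4 and the DNS section depend on: the LAN Manager authentication level, the campus DNS servers, and (after the join) the forest DNS suffix. The function names are mine; the mapping of registry value 5 to "Send NTLMv2 response only/Refuse LM & NTLM" is the standard Windows LmCompatibilityLevel encoding, and Get-DnsClientServerAddress assumes Windows 8 / Server 2012 or newer.

```powershell
# Added example: pre/post-join readiness check for the U-M Windows Forest.
# Values below are the ones the ITS page lists; check names are mine.
$CampusDns    = @('141.211.125.17', '141.211.144.17')
$ForestSuffix = @{ production = 'adsroot.itcs.umich.edu'; test = 'adsroot.itd.umich.edu' }

function Get-LmLevelName ([int]$Level) {
    # Standard LmCompatibilityLevel policy names (HKLM\...\Control\Lsa)
    switch ($Level) {
        0 { 'Send LM & NTLM responses' }
        1 { 'Send LM & NTLM - use NTLMv2 session security if negotiated' }
        2 { 'Send NTLM response only' }
        3 { 'Send NTLMv2 response only' }
        4 { 'Send NTLMv2 response only/Refuse LM' }
        5 { 'Send NTLMv2 response only/Refuse LM & NTLM' }
        default { "unknown ($Level)" }
    }
}

function Test-ForestJoinReadiness ([ValidateSet('production','test')][string]$Forest = 'production') {
    $results = @()

    # 1. LAN Manager Authentication Level must be 5 (Local Security Policy > Security Options)
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = $lsa.LmCompatibilityLevel
    $results += [pscustomobject]@{
        Check  = 'LAN Manager Authentication Level'
        Actual = if ($null -eq $level) { 'not set (OS default)' } else { Get-LmLevelName ([int]$level) }
        Pass   = ($null -ne $level -and [int]$level -eq 5)
    }

    # 2. DNS client must point at the campus DNS servers
    $configured = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique)
    $missing = @($CampusDns | Where-Object { $_ -notin $configured })
    $results += [pscustomobject]@{
        Check  = 'Campus DNS servers configured'
        Actual = ($configured -join ', ')
        Pass   = ($missing.Count -eq 0)
    }

    # 3. After the join, the primary DNS suffix should match the chosen forest
    $tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = if ($tcpip.'NV Domain') { $tcpip.'NV Domain' } else { $tcpip.Domain }
    $results += [pscustomobject]@{
        Check  = "Primary DNS suffix is $($ForestSuffix[$Forest])"
        Actual = $suffix
        Pass   = ($suffix -eq $ForestSuffix[$Forest])
    }
    $results
}

Test-ForestJoinReadiness -Forest production | Format-Table -AutoSize
```

    Run it before the join to confirm the first two checks, and again afterwards to confirm the suffix was set by the domain join.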
     
  5. Administering Active Directory

    For more information on using Active Directory, see the Windows How-to web pages.