This paper presents a proposal for Riordan Manufacturing’s Active Directory design. The design highlights the number of forests and domains, DNS server placement, and key roles placement in Active Directory design. The proposal also highlights how users would be organized into groups as well as how groups will be nested.
The Active Directory design: Riordan Manufacturing
The Active Directory for Riordan Manufacturing would be used for storing domain data and information in a format that is searchable. This information would include network resources such as user and computer accounts, groups, Group Policy Objects (GPOs), printers and plotters, and access control lists (ACLs). The Active Directory design would be based on a single forest – single domain model. The structure of the Active Directory would be characterised by forests and trees, organization units, and groups.
Forests and domains
The proposed Active Directory would consist of a single forest, a single root domain, and four child domains within the root domain. The forest will contain all the objects of the Active Directory. The four child domains correspond to the four entities of the company: the California entity, Georgia entity, and Michigan entity within America as well as the joint venture in China. The allocation of a domain for each site is to provide adequate resources needed by the entities (Microsoft, 2005). More domain controllers would be deployed since each domain had to have a domain controller, and therefore, make the active directory efficient. There would be increased costs with increased domains, but the increased needs of the organization justify these costs. The root domain namespace will be riordan.com. Therefore, the child domains namespace will be HQ.riordan.com, PBCP.riordan.com, CPPP.riordan.com, and PFP.riordan.com representing the California, Georgia, Michigan and China entities respectively. The root domains will be set to a native mode configuration.
The HQ.riordan.com domain will consist of six child domains corresponding to six logical divisions. These logical divisions can be recognized as the finance, information technology, sale & marketing, legal, operations, and human resource divisions with the following namespaces respectively: finance.HQ.riordan.com, IT.HQ.com, marketing.HQ.riordan.com, legal.HQ.riordan.com, operations.HQ.riordan.com and humanresource.HQ.riordan.com.
The PFP.riordan.com domain will contain five child domains, which will correspond to the various logical divisions for the china-based joint venture. Therefore, the child domains within the PFP.riordan.com will include the corp.PFP.riordan.com, finannce.PFP.riordan.com, MFG.PFP.riordan.com, MTLS.PFP.riordan.com, and QA.PFP.riordan.com.
The child domains will contain various objects, including users, computers, servers, domain controllers, and applications.
DNS server placement
The primary DNS server for the Active Directory will be placed at the headquarters of the company in San Jose, California. The server will be managed within the root domain of the Active Directory. Three other DNS servers will be placed variously at the China plant premises, at the Albany plant and at the Pontiac plant. This arrangement makes the DNS locally available (Jones, 2005, p. 61).
Placement of key roles in the AD design
Flexible Single Master Operation (FMSO) roles will be assigned to the domain controllers (DCs). These roles include the schema master, the domain naming master, infrastructure master, relative ID master, and PDC emulator (Microsoft, 2010).
The scheme master DC will be responsible for controlling modification and updates to the schema. The domain naming master DC would control the removal or additional of forests from the Active Directory (Microsoft, 2010). The infrastructure master and relative ID master domain controllers would be responsible for updating references, and processing relative ID pool requests respectively. The PDC emulator DC “advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows” (Microsoft, 2010).
Key roles in the Active Directory design will be placed within organization units. These organization units (OUs) will be used for “administrative and delegation purposes” (Ruest, 2003, p. 81). An organization unit will be created to represent each department of the organization. On that respect, the Active Directory would consist of a finance OU, marketing OU, HR OU, operations OU, legal OU, and information technology OU. These organization units will contain various resources relevant to it such as user groups, printers, plotters, IP phones, computers, and servers. The departmental-based OUs will be placed within the respective child domains. For instance, the finance organization units will be located within the finance.HQ.riordan.com and the finannce.PFP.riordan.com domains. Other organizations units corresponding to the plants Albany and Pontiac will also be created. It is worth to note that enterprise administrator will be located in the root domain.
Organizing users into groups
Two types of groups will be implemented in the Active Directory for Riordan Manufacturing: distribution groups and security groups. Distribution groups will be used to “create e-mail distribution lists” (Microsoft, 2000), while security groups will be used for enforcing “security rights” in the network (Ruest, 2003, p. 81). According to Microsoft (2000), security groups are used to control availability of shared resources to computers and users as well as filtering Group Policy configurations.
Users of the Riordan Manufacturing network system would be organized into a number of security groups. An enterprise administrator group will be established within the root domain. All other groups, including some administrators groups, will reside within various child domains.
A single group set to universal scope will be created and placed within the four child domains (HQ.riordan.com, PBCP.riordan.com, CPPP.riordan.com, and PFP.riordan.com). The senior most executives (the president and chief executive officer, senior vice president, and the chief operating officer) will be assigned to this group. The universal scope group will span all the four domains and will have the highest level of access within the network.
Several groups set to global scope will also be created to reside within various child domains. These child domains include domains corresponding to departments at headquarters, and domains for the china plant. The chief finance officer, chief legal counsel, chief information officer, the directors of plant operations at Albany and Pontiac, and all the vice presidents will be assigned to respective groups with global scope. Managers also will be assigned to groups with global scope.
Several groups with domain local scope will be created within various child domains to control the network resources. The resources to be controlled include users, contacts, printers, computers, servers, plotters and other groups. Most lower-level employees will be assigned to the domain local groups. The employees will be grouped according to their roles in the organization. For instance, sales representatives within the marketing department would be placed under a sales representative’s domain local group. Likewise, technicians within the operations department would be placed under a technician’s domain local group.
Machine local groups will also be created to control resources within the department located in the China plant and at the company’s headquarters as well as the plants at Albany and Pontiac. The machine local groups will be nested into the corresponding domain local groups. Users assigned to machine local groups will include individuals who are associated with the company but are not permanently employed such as casual worker and authorized guests.
The groups with universal and global scopes will be nested into the domain local and machine local groups containing various network resources. This nesting of the universal and global groups will allow users and computers within them to access resources controlled by the machine local and domain local groups (Microsoft, 2000). The domain local groups will be restricted within the respective domain, while the machine local will be restricted to respective machine.
Group policy will be used to set security options for the groups (Dias, 2002; Microsoft, 2000). The settings of a group would affect groups within it, or rather child groups. Group policy will also be applied to “manage applications, manage desktop appearance, assign scripts, and redirect folders from local computers to network locations” (Microsoft, 2000).
Reference list
Dias, J. (2002). A guide to Microsoft: Active Directory (AD). Web.
Jones, D. (2005). The definitive guide to Active Directory troubleshooting and auditing. New York: Realtimepublishers.
Microsoft. (2000). Active Directory users, computers, and groups. Web.
Microsoft. (2005). Active Directory best practices. Web.
Microsoft (2010). How to view and transfer FSMO roles in Windows Server 2003. Web.
Ruest, D. (2003). Windows Server 2003: best practices for enterprise deployments. San Francisco, California: McGraw-Hill Osborne Media.