Joining the U-M Windows Forest as a Delegated Organizational Unit

Departments that wish to manage user or computer accounts in Active Directory can join the U-M Windows Forest as a delegated organizational unit (OU). As you add accounts and computers during this process, refer to Naming Standards for the U-M Windows Forest for the naming rules that apply.

To join the U-M Windows Forest as a delegated OU, work with ITS to complete the following steps:

  1. Submit Application for a Delegated Organizational Unit in the U-M Windows Forest.

  2. Have Admin Accounts Assigned by ITS.

    • Up to three administrative accounts can be assigned per department, named <departmentprefix>-ouadmin<#>, where departmentprefix is the department's Active Directory prefix and # is a number between 1 and 3.
    • Admin accounts are added to the group for the department's OU admins, named <departmentprefix>-ouadmins. This group is assigned permissions to manage your delegated OU. Your ouadmin accounts have permission to add other users to your ouadmin group; because every member of that group receives the same rights over your OU, keep its membership small and review it periodically.

    Example: for the ITS department space in Active Directory, ITS creates the accounts its-ouadmin1 and its-ouadmin2 and the group its-ouadmins that holds them.
     
  3. Organizations and Accounts OUs are created by ITS. Both of these OUs are in the UMICH branch of the root domains in the production and test forests:

    • Organizations\<Your OU> A new OU is created in the UMICH\Organizations branch of AD. The group <departmentprefix>-ouadmins has full rights over this OU, and you can use it for any purpose you want, including additional OUs, computers, servers, groups, group policy, etc.
    • Accounts\<Your OU> A second OU is created in the Central Accounts Delegated OU in the UMICH\Accounts branch of AD. This OU contains the uniqname users you have requested to manage; these users can use Kerberos pass-thru authentication. The <departmentprefix>-ouadmins group has rights over some of the user attributes and full rights over Group Policy, but cannot add or delete objects in this OU. To move members into and out of this delegated OU, use the U-M Windows Central Accounts applications described in the Web Applications section: fill in the organizational information and the uniqnames you want to manage in the users section. Any user added to this OU is also added to the <departmentprefix>-all-users group, which you can use for whatever you want.
       

    NOTE: Username Naming Conventions. Administrators can also create non-uniqname AD accounts in their Organizations OU. These accounts must be named so that they cannot conflict with any current or future uniqname (uniqnames are 3-8 alphabetic characters). Prepending your OU department prefix (e.g., <departmentprefix>-uniqname), putting a dash in the name, or appending a number all work. For many administrative-type accounts, appending a 1 to the uniqname works well. See the User Account Names section of the Naming Standards for the U-M Windows Forest page for more on naming standards for accounts.

  4. Provide a Bootstrap Computer. Within the newly created Organizations OU, the forest administrator creates a "bootstrap" computer object and delegates the right to join this computer to the <departmentprefix>-ouadmins group. Once this bootstrap computer is joined to the forest, it can be used to manage both delegated OUs. When you specify the account that joins the computer to the forest, use the form <domain>\<account>, for example UMROOT\its-ouadmin1.

    • The bootstrap computer can be any client or server running at least Windows 2000 SP3 or newer.
    • Prefix the computer name with your W2K organizational prefix. Keep in mind that when moving from the W2K test forest to the production forest, the computer names must be different (i.e., a computer in the test forest must not have the same name as a computer in the production forest).
       
  5. Configure DNS: When you join your bootstrap computer to the UMROOT production forest, the computer's Primary DNS suffix is automatically set to adsroot.itcs.umich.edu and its DNS name is automatically registered using Dynamic DNS. In the test forest, the DNS suffix is adsroot.itd.umich.edu. When setting up this first computer and subsequent computers, configure the DNS client to use the campus DNS servers at the following addresses:

    • 10.10.10.10
    • 10.10.5.5

  6. Configure WINS: WINS configuration depends on whether you are joining the production or test forest.

    • Production Forest:
      DNS Name: adsroot.itcs.umich.edu
      NetBIOS Name: UMROOT
      Primary WINS server: 141.211.21.102
      Secondary WINS server: 141.211.76.103

    • Test Forest:
      DNS Name: adsroot.itd.umich.edu
      NetBIOS Name: ADSROOT
      Primary WINS server: 198.111.226.73
      Secondary WINS server: 198.111.226.143
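The following PowerShell script, added here as an example and not part of the U-M page, carries out steps 4 through 6 on the bootstrap computer itself: it applies the prefix rule to the computer name, sets the campus DNS servers, checks that the chosen forest's domain controllers are locatable through that DNS before joining, sets the WINS servers for that forest, and joins with the <domain>\<account> credential form. The adapter alias 'Ethernet', the prefix 'its' and the computer name 'its-bootstrap1' are assumed values; the DNS, WINS, domain and NetBIOS names are those listed above. Run it in an elevated PowerShell session on the bootstrap computer.

```powershell
# Added example (not from the U-M page): configure DNS/WINS on the bootstrap
# computer and join it to the production or test forest. Run elevated on the
# bootstrap machine. Assumed values: adapter alias 'Ethernet', department
# prefix 'its', computer name 'its-bootstrap1'.
param(
    [ValidateSet('Production', 'Test')]
    [string] $Forest = 'Production',
    [string] $AdapterAlias = 'Ethernet',
    [string] $DeptPrefix = 'its',
    [string] $ComputerName = 'its-bootstrap1'
)

# Values from the page. Campus DNS servers are the same for both forests.
$DnsServers = '10.10.10.10', '10.10.5.5'
$Forests = @{
    Production = @{ DnsName = 'adsroot.itcs.umich.edu'; NetBios = 'UMROOT';  Wins = '141.211.21.102', '141.211.76.103' }
    Test       = @{ DnsName = 'adsroot.itd.umich.edu';  NetBios = 'ADSROOT'; Wins = '198.111.226.73', '198.111.226.143' }
}
$Target = $Forests[$Forest]

# Step 4 naming rule: the computer name must carry the department prefix.
if ($ComputerName -notlike "$DeptPrefix-*") {
    throw "Computer name '$ComputerName' must start with '$DeptPrefix-'"
}

# Step 5: point the DNS client at the campus DNS servers.
Set-DnsClientServerAddress -InterfaceAlias $AdapterAlias -ServerAddresses $DnsServers

# Check before joining: the DC locator SRV record for the forest must resolve
# through campus DNS, otherwise the join will fail or hit the wrong forest.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Target.DnsName)" -Type SRV `
                       -Server $DnsServers[0] -ErrorAction Stop
if (-not $srv) { throw "No DC SRV records for $($Target.DnsName); fix DNS before joining" }

# Step 6: WINS is not exposed by the DnsClient cmdlets, so set it through WMI
# on the adapter configuration that belongs to the chosen interface.
$ifIndex = (Get-NetAdapter -Name $AdapterAlias).ifIndex
$nic = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.InterfaceIndex -eq $ifIndex }
$r = Invoke-CimMethod -InputObject $nic -MethodName SetWINSServer -Arguments @{
         WINSPrimaryServer   = $Target.Wins[0]
         WINSSecondaryServer = $Target.Wins[1]
     }
if ($r.ReturnValue -ne 0) { throw "SetWINSServer failed with code $($r.ReturnValue)" }

# Join with the delegated admin account in <domain>\<account> form, e.g.
# UMROOT\its-ouadmin1. Get-Credential prompts for the password; never embed it.
$cred = Get-Credential -UserName "$($Target.NetBios)\$DeptPrefix-ouadmin1" `
                       -Message "Password for $DeptPrefix-ouadmin1"
Add-Computer -DomainName $Target.DnsName -NewName $ComputerName -Credential $cred -Restart
```

The name passed as -NewName must match the bootstrap computer object ITS pre-created in your Organizations OU, since that object is what your ouadmins group was delegated the right to join. After the reboot, confirm that the primary DNS suffix was set automatically with (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain' and that a domain controller can be located with nltest /dsgetdc:adsroot.itcs.umich.edu (or adsroot.itd.umich.edu for the test forest).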

For more information on using Active Directory, see the How-To's page.
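Once the bootstrap computer is joined, the two things worth checking on a schedule are who sits in <departmentprefix>-ouadmins (step 2: every member has full rights over your Organizations OU, and ouadmin accounts can add more members) and whether any non-uniqname account created in that OU has a name that could collide with a uniqname (the NOTE in step 3). The script below, added here as an example and not part of the U-M page, does both with the ActiveDirectory module from RSAT. The prefix 'its' and the distinguished name of the Organizations OU are assumed values; substitute the DN ITS gives you.

```powershell
# Added example (not from the U-M page): audit a delegated OU.
# Requires the ActiveDirectory module (RSAT). Assumed: prefix 'its' and the
# OU distinguished name below; replace it with the DN ITS assigns to you.
param(
    [string] $DeptPrefix = 'its',
    [string] $OrgOU = 'OU=its,OU=Organizations,OU=UMICH,DC=adsroot,DC=itcs,DC=umich,DC=edu'
)
Import-Module ActiveDirectory

# A uniqname is 3-8 alphabetic characters. An account whose sAMAccountName has
# that shape could collide with a current or future uniqname. A prefix, a dash
# or an appended digit takes the name out of that space, as the NOTE advises.
function Test-UniqnameCollision {
    param([Parameter(Mandatory)][string] $Name)
    return $Name -match '^[A-Za-z]{3,8}$'
}
# Test-UniqnameCollision 'jdoe'      -> True  (collides)
# Test-UniqnameCollision 'its-jdoe'  -> False
# Test-UniqnameCollision 'jdoe1'     -> False

# Everyone listed here, including members of nested groups, can manage the OU.
Write-Host "Members of $DeptPrefix-ouadmins (full rights over $OrgOU):"
Get-ADGroupMember -Identity "$DeptPrefix-ouadmins" -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName |
    Format-Table -AutoSize

# Non-uniqname accounts in the Organizations OU that break the naming rule.
$bad = Get-ADUser -SearchBase $OrgOU -Filter * -Properties SamAccountName |
       Where-Object { Test-UniqnameCollision $_.SamAccountName }
if ($bad) {
    Write-Warning "Accounts in $OrgOU whose names could collide with uniqnames:"
    $bad | Select-Object SamAccountName, distinguishedName | Format-Table -AutoSize
} else {
    Write-Host "No uniqname-shaped account names found in $OrgOU"
}
```

Run it from the bootstrap computer with one of your ouadmin accounts. Accounts it flags should be renamed with the department prefix or an appended number before they are handed out, and any ouadmins member you do not recognize should be removed.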

Last Updated: Monday, November 26, 2018