After joining Active Directory (UMROOT) as a Delegated Organizational Unit, follow the directions in this document to configure your new Active Directory environment.
- Before You Begin: Join Active Directory as a Delegated OU
- The Bootstrap Computer
- Join the Bootstrap Computer to the Domain
- Administrator Configuration
- Install Active Directory Tools
- Start Managing Active Directory
The first step for units wishing to use Active Directory (UMROOT) to manage their systems is to join as a Delegated Organizational Unit (OU):
- Instructions: Joining the Active Directory (UMROOT) Forest as a Delegated Organizational Unit (OU)
- Request Form: Application for a Delegated Organizational Unit in the U-M Windows Forest
The bootstrap computer is specified in your request for an OU above and should follow the naming convention DEPT-ANYTHING. It needs to be joined to the domain and configured to access and administer Active Directory (AD) before you can add computers and servers or manage users, groups, and other objects in AD. The bootstrap computer can be any Windows workstation or server.
- Active Directory Management Server
This server can hold all the AD management tools you need to manage your environment. All your administrators can then access this server with their OU Admin credentials using Remote Desktop, so they don't need to install the tools on all their desktops.
Note: Only two admins can connect to Remote Desktop at a time unless you install Terminal Services.
- File Server or Application Server
In a single-server or multiple-server environment, you can run your applications on this same server or servers.
If you choose to install your AD tools on a workstation(s), there are a couple of things to keep in mind:
- Do not log on to your workstation as an OU Admin. This is insecure.
- Log on instead as a regular user and then use the Run As function to launch the necessary tools.
Once you have installed AD tools on any other computer in your OU, the bootstrap computer is no longer important and can be kept or deleted as you choose. You can administer AD from servers, workstations, or both.
- Go to Control Panel > System > Computer Name. Select the Change button.
- Make sure the computer name exactly matches your bootstrap computer name.
Note: If you need to change the computer name, make this change and reboot before proceeding.
- Test that you can ping the domain adsroot.itcs.umich.edu.
- Select the Member of domain radio button and enter:
- When prompted, enter your OU Admin username and password with the following format:
where N=1,2,3 etc., and dept is your assigned department/unit prefix.
- You should see a Welcome to the UMROOT Domain message.
- From the Log on to dropdown menu, select DEPT-ANYTHING (this computer) and log on as Administrator. Use the local Administrator account you created when installing the computer OS, not your OU Admin account.
- From the Start menu, select Administrative Tools > Computer Management.
- Select Local Users and Groups
- Select Groups
- Select Administrators
- Select Add...
- Enter your OU Admins group, umroot\dept-ouadmins, and select Check Names. Exit Computer Management.
- Log off.
- From the Log on to dropdown menu, select UMROOT and log on with your OU Admin account, umroot\dept-ouadminN. You will now be logged on to the server as a Local Administrator and to the domain as your department/unit OU Admin.
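The join and administrator-configuration steps above can also be scripted. The following is an added example, not part of the original instructions: it assumes Windows PowerShell 5.1 or later, an English-language system (local group named Administrators), and a local account still named Administrator; `<domain-to-join>` is a placeholder for the domain value given in your instructions.

```powershell
# Added example, not part of the original instructions. Run from an elevated
# Windows PowerShell 5.1+ session, logged on as the local Administrator.
param(
    [string]$BootstrapName = 'DEPT-ANYTHING',        # name given in your OU request
    [string]$JoinDomain    = '<domain-to-join>',     # placeholder: use the value from your instructions
    [string]$OuAdminsGroup = 'umroot\dept-ouadmins'  # replace dept with your unit prefix
)
$ErrorActionPreference = 'Stop'

# The computer name must match the bootstrap name exactly before joining.
if ($env:COMPUTERNAME -ne $BootstrapName) {
    throw "Computer name '$env:COMPUTERNAME' does not match '$BootstrapName'. Rename and reboot first."
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    # Pass 1: confirm the domain is reachable, then join and reboot.
    if (-not (Test-Connection -ComputerName 'adsroot.itcs.umich.edu' -Count 2 -Quiet)) {
        throw 'Cannot ping adsroot.itcs.umich.edu. Check DNS and network settings.'
    }
    $cred = Get-Credential -Message 'OU Admin account (dept-ouadminN)'
    Add-Computer -DomainName $JoinDomain -Credential $cred -Restart
    return
}

# Pass 2 (run again after the reboot): add the OU Admins group, not
# individual accounts, to the local Administrators group.
$members = Get-LocalGroupMember -Group 'Administrators'
if ($members.Name -notcontains $OuAdminsGroup) {
    Add-LocalGroupMember -Group 'Administrators' -Member $OuAdminsGroup
    $members = Get-LocalGroupMember -Group 'Administrators'
}

# Review who now holds local administrator rights. The domain join itself adds
# the domain's Domain Admins group, so it appears with Expected = False here.
$expected = @($OuAdminsGroup, "$env:COMPUTERNAME\Administrator")
$members | Select-Object Name, ObjectClass, PrincipalSource,
    @{ Name = 'Expected'; Expression = { $expected -contains $_.Name } }
```

Run the script once to join the domain, then again after the reboot to add the group and list the resulting membership.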
Installation of tools and utilities depends on your version of the operating system. Older server operating systems and all client systems require you to download and install the software. On newer servers, you can install the tools without downloading them: use Add Features, then install the Remote Server Administration Tools.
- Install the Active Directory Administration Tools, Remote Server Administration Tools, or the AD DS Snap-Ins for your operating system.
- Optional: Install the Group Policy Management Console.
- From the Start menu, select Administrative Tools > Active Directory Users and Computers.
- Navigate to UMICH > Organizations > Your_OU.
- Create top level OUs for:
- Optional: You can now drag your bootstrap computer to the correct OU. You can browse other departments' OUs for examples of how others have set things up.