Setting Up Your Active Directory Environment

After joining Active Directory (UMROOT) as a Delegated Organizational Unit, follow the directions in this document to configure your new Active Directory environment.

Before You Begin: Join Active Directory as a Delegated OU

The first step for units wishing to use Active Directory (UMROOT) to manage their systems is to join as a Delegated Organizational Unit (OU):

The Bootstrap Computer

The bootstrap computer is specified in your request for an OU above and should follow the naming convention DEPT-ANYTHING. It needs to be joined to the domain and configured to access and administer Active Directory (AD) before you can add computers and servers or manage users, groups, and other objects in AD. The bootstrap computer can be any Windows workstation or server.

  • Active Directory Management Server
    This server can contain all the AD management tools you need to manage your environment. All your administrators can then access this server with their OU Admin credentials using Remote Desktop, so they don't need to install the tools on all their desktops.
    Note: Only two admins can connect to Remote Desktop at a time unless you install Terminal Services.

  • File Server or Application Server
    In a single-server or multiple-server environment, you can run your applications on this same server or servers.

If you choose to install your AD tools on one or more workstations, there are a couple of things to keep in mind:

  • Do not log on to your workstation as an OU Admin. This is insecure.

  • Log on instead as a regular user and then use the Run As function to launch the necessary tools.

Once you have installed AD tools on any other computer in your OU, the bootstrap computer is no longer important and can be kept or deleted as you choose. You can administer AD from servers, workstations, or both.

Join the Bootstrap Computer to the Domain

  1. Go to Control Panel > System > Computer Name. Select the Change button.

  2. Make sure the computer name exactly matches your bootstrap computer name.
    Note: If you need to change the computer name, make this change and reboot before proceeding.

  3. Test that you can ping the domain adsroot.itcs.umich.edu.

  4. Select the Member of domain radio button and enter:
    adsroot.itcs.umich.edu

  5. When prompted, enter your OU Admin username and password with the following format:
    umroot\dept-ouadminN
    where N=1,2,3 etc., and dept is your assigned department/unit prefix.

  6. You should see a Welcome to the UMROOT Domain message.

  7. Reboot.

Administrator Configuration

  1. From the Log on to dropdown menu, select DEPT-ANYTHING (this computer) and log on as Administrator. Use the local Administrator account you created when installing the computer OS, not your OU Admin account.

  2. From the Start menu, select Administrative Tools > Computer Management.

    • Select Local Users and Groups

    • Select Groups

    • Select Administrators

    • Select Add... 

    • Enter your OU Admins group, umroot\dept-ouadmins, and select Check Names.

    • Exit Computer Management.

  3. Log off.

  4. From the Log on to dropdown menu, select UMROOT and log on with your OU Admin account, umroot\dept-ouadminN. You will now be logged on to the server as a Local Administrator and to the domain as your department/unit OU Admin.
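
The join and Administrator Configuration steps above, scripted in PowerShell as an added example (not part of the original page or the university's own tooling). It assumes Windows PowerShell 5.1 run elevated as the local Administrator; the `dept` prefix and the admin number are placeholders, and the script is run once before the reboot and once after.

```powershell
# Added example: scripted form of the domain join and local-admin steps.
# ASSUMPTIONS: 'dept' and admin number 1 are placeholders for your unit's values.
param(
    [string]$Dept        = 'dept',                    # placeholder unit prefix
    [string]$Domain      = 'adsroot.itcs.umich.edu',  # domain name from this page
    [int]   $AdminNumber = 1                          # the N in dept-ouadminN
)
$ErrorActionPreference = 'Stop'

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

if (-not $cs.PartOfDomain) {
    # Phase 1: the name and ping checks, then the join and reboot.
    if ($env:COMPUTERNAME -notlike "${Dept}-*") {
        throw "Computer name '$env:COMPUTERNAME' does not follow ${Dept}-ANYTHING; rename and reboot first."
    }
    if (-not (Test-Connection -ComputerName $Domain -Count 2 -Quiet)) {
        throw "Cannot ping $Domain; fix DNS or network before joining."
    }
    # Prompts for the OU Admin password; nothing is stored in the script.
    $cred = Get-Credential -UserName "umroot\${Dept}-ouadmin$AdminNumber" -Message 'OU Admin account'
    Add-Computer -DomainName $Domain -Credential $cred -Restart
    return
}

# Phase 2 (after the reboot): confirm the join landed in the expected domain.
if ($cs.Domain -ne $Domain) {
    throw "Computer is joined to unexpected domain '$($cs.Domain)'."
}

# Add the OU Admins group to local Administrators only if it is not there yet.
$group   = "umroot\${Dept}-ouadmins"
$members = Get-LocalGroupMember -Group 'Administrators'
if ($members.Name -notcontains $group) {
    Add-LocalGroupMember -Group 'Administrators' -Member $group
}

# List the resulting membership so any unexpected principal stands out.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

The final listing is worth keeping as a periodic check: the group should contain only the principals you expect, such as the local Administrator and your OU Admins group.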

Install Active Directory Tools

Installation of tools and utilities depends on your version of the operating system. Older server operating systems and all client systems require you to download and install the software. Newer servers let you install the tools without downloading them: use Add Features, then install the Remote Server Administration Tools.

  1. Install the Active Directory Administration Tools, Remote Server Administration Tools, or the AD DS Snap-Ins for your operating system.

  2. Optional: Install the Group Policy Management Console.

Start Managing Active Directory

  1. From the Start menu, select Administrative Tools > Active Directory Users and Computers.

  2. Navigate to UMICH > Organizations > Your_OU.

  3. Create top level OUs for:

    • Users

    • Groups

    • Servers

    • Computers

  4. Optional: You can now drag your bootstrap computer to the correct OU. You can browse other departments' OUs for examples of how others have set things up.

Last Updated: Wednesday, February 13, 2019