Several Windows/Active Directory (AD) forests are currently in use at U-M. The largest and most inclusive of these is sponsored and centrally administered by Information and Technology Services (ITS). This web site describes this Windows/AD forest. For brevity, references to the "U-M Windows Forest"—or to the "UMROOT Forest"—will refer to the U-M ITS Windows Forest.
The U-M Windows Forest is a university-wide collection of domains that are connected by trust relationships and share a common store of information, the Active Directory. Each Windows domain maintains a separate namespace, yet resources can be shared throughout the forest because of the trust relationships connecting the domains.
Data Source. Active Directory receives its data from MCommunity. MCommunity data is used for provisioning and de-provisioning accounts. For details, see MCommunity Data Connection to UMROOT Active Directory.
The hub of activity in the U-M Forest is in the UMROOT domain. This is where users are created and both central and local units place their Active Directory (AD) objects for using the Windows infrastructure. Active Directory Design of the UMROOT Domain describes how this domain is organized and how the departments at U-M use this resource.
Kerberos is integral to the security of Active Directory. At U-M, we deploy pass-through authentication to the campus MIT Kerberos realm, providing easy access to campus resources using known credentials. For a description of this integration, see Windows Active Directory Kerberos Interoperability.
Individuals may request access to UMROOT logs. It is important for both requestor and administrator to be aware of the Guidelines for Releasing Security Logs Information.
The UMROOT Forest provides the basis for the use of various Windows and Active Directory resources at the University of Michigan. In some cases, this is provided in the forest for general use. In others, the infrastructure to use these capabilities exists in the forest and campus units wishing to take advantage of it may do so by providing their own service. Information on these resources are provided at the UMROOT Forest Resources page.
In a large distributed infrastructure such as this, naming standards are critical to keeping it all straight. If you are planning to participate in the U-M Windows environment, Naming Standards for the U-M Windows Forest is a must read for you.
All computer systems require maintenance. For information on the maintenance and notification policies at the University of Michigan, see Maintenance Policy for the U-M Windows Forest.
ITS maintains a test forest for use by the campus community. For information about the test forest, see U-M Windows Test Forest.
The U-M Windows Forest began in July 2000. The forest design has evolved over the years as it adapted to changing requirements of the units at U-M and as best practices for a Windows/Active Directory environment solidified. For a history of the forest design, explaining why we did what we did, see History of the Design of the U-M Windows Forest (a.k.a. History/Design). For a presentation given by Dave Detlefs to the Common Solutions Group in May, 2000 outlining the plans for the forest, see Windows 2000 Planning at the University of Michigan.