U-M Windows Forest
ITS Windows-Based Services
How-To Documents
Frequently Asked Questions
Help
Contact Us
U-M Windows Forest Main

U-M Windows Central Accounts Service

Joining the U-M Windows Forest as a Delegated Organizational Unit

  1. Submit Request
    Fill out the Application for a Delegated Organizational Unit in the U-M Windows Forest.

  2. Admin Accounts Assigned
    Up to three administrative accounts named
    <departmentprefix>-ouadmin<#>
    (where # is a number between 1 and 3—e.g., its-ouadmin1)
    will be created and added to a group named
    <departmentprefix>-ouadmins.

    This group will be assigned permissions to manage your delegated OU. Your ouadmin accounts will have permission to add other users to your ouadmin group.

  3. Organizations and Accounts OUs
    ITS will create two delegated OUs: one in the Organizations OU and another in the Accounts OU. Both of these OUs are in the UMICH branch of the root domains in the production and test forests.

    Organizations\Your OU
    The first OU is the standard delegated OU in the Umich\Organizations branch of AD. The group <departmentprefix>-ouadmins has full rights over this OU and you can use it for any purposes you want, including additional OUs, computers, servers, groups, Group Policy, etc.

    Username Naming Conventions
    Administrators can also create non-uniqname AD accounts in their Organizations OU. These accounts must be named so as not to conflict with any current or future uniqnames (which are 3-8 character alpha names). Prepending your OU department prefix (e.g., <departmentprefix>-uniqname), putting a dash in the name, or appending a number will work. For many of our administrative type accounts we find that appending a 1 to the uniqname works well.

    Accounts\Your OU
    The second OU is the Central Accounts Delegated OU in the Umich\Accounts branch of AD. This OU contains uniqname users you have requested to manage that have the ability to use Kerberos pass-thru authentication. The <departmentprefix>-ouadmins group has rights over some of the user attributes and full rights over Group Policy. You will not be able to add or delete any objects in this OU.

    If you want to move members into and out of this delegated OU, use the U-M Windows Central Accounts applications described in the Web Applications section. Just fill in the organizational information and the uniqnames you want to manage in the users section. Any users added to this OU are also added to the <departmentprefix>-all-users group that you can use for whatever you want.

  4. Bootstrap Computer
    Within the newly created Organizations OU, the forest administrator needs to create a "bootstrap" computer and delegates the rights to join this computer to the <departmentprefix>-ouadmins group. Once this bootstrap computer is joined to the forest, it can be used to manage both delegated OUs. When you specify the account to join the computer to the forest, use the form <domain>\<account>. For example, UMROOT\itcs-ouadmin1. The bootstrap computer can be any client or server running at least Windows 2000 SP3, Windows XP SP1 or newer.

    If you use a Windows XP computer, you may have to change the following setting before joining the forest because of the increased security settings we have implemented. Failure to make this change could result in not being able to join the computer to the forest.

    1. Go to Start > Programs > Administrative Tools > Local Security Policy.

    2. In the Security Option section, you must edit the Network Security: LAN Manager Authentication Level. Change the setting to "Send NTLMv2 response only/Refuse LM & NTLM".

    Naming Conventions
    When naming computers, you should prefix the computer name with your W2k organizational prefix. Keep in mind that when moving from the W2k test forest to the production forest, the computer names must be different (i.e. the computers in the test forest must not have the same names as computers in the production forest.)

    DNS
    When joining your computer to the UMROOT production forest, the Primary DNS suffix for this computer will automatically be set to adsroot.itcs.umich.edu and its DNS name will automatically be registered using Dynamic DNS. In the test forest, the DNS suffix will be adsroot.itd.umich.edu.

    When setting up this first computer and subsequent computers, set up the DNS client to access campus DNS servers at the following addresses:

    141.211.125.17
    141.211.144.17

    WINS

    Production Forest:
    DNS Name: adsroot.itcs.umich.edu
    NetBIOS Name: UMROOT
    WINS servers:

    • 141.211.76.103
    • 141.211.21.102

    Test Forest:
    DNS Name: adsroot.itd.umich.edu
    NetBIOS Name: ADSROOT
    Primary WINS server 198.111.226.73
    Secondary WINS server 198.111.226.143

  5. Administering Active Directory
    For more information on using Active Directory, see the How-To's page.