U-M Windows Forest
How-To Documents
Get Help

Frequently Asked Questions About the U-M Windows Forest

Show All Answers

Should I join the forest as a separate domain or join the UMROOT domain as an OU?

While admins of Windows NT domains often assume that in order to fully manage their environment they need to participate in the forest as a domain, with the advent of Active Directory (introduced with Windows 2000) this is rarely true. For an understanding of the development of the UMROOT forest at the University of Michigan and how these perceptions have evolved, see History of the Design of the U-M Windows Forest.

How do I join the U-M Windows forest?

See the How To section for further details on procedures used to join the forest.

How should I proceed with bringing my department into the Windows/Active Directory world?

Start with some background reading on Windows and Active Directory. The Help page lists a number of useful links to Windows related topics. After you have an idea of your goals for Windows and Active Directory, contact the ITS Service Center to set up a meeting to discuss your needs and answer your questions. You will then want to round up some test computers, and join the U-M Windows test forest to get some real hands-on experience running Windows/Active Directory. After you're satisfied that the Windows environment will meet your goals, you can join the U-M Windows production forest.

What is the University of Michigan's licensing agreement with Microsoft for Windows?

The University of Michigan has reached a licensing agreement with Microsoft that includes Windows and other Microsoft products. For details on this agreement, see the Microsoft Campus Agreement at the University of Michigan web page.

How will the Windows DNS namespace affect my IP services?

See the DNS page for a discussion of Windows DNS-related issues.

How will the Microsoft Kerberos implementation affect my access to non-Microsoft Kerberos services?

The current MIT "Kerberos for Windows" distribution, containing both 32-bit K4 and K5 functionality, is compatible with Windows. Leveraging this compatibility, many Windows resources can be accessed via pass-through authentication using UMICH.EDU Kerberos credentials. For example, access to Campus Computing Sites is managed in this way. Because of this interaction, access to many Kerberos-protected services on campus can be obtained via Single Sign-On. See Windows Active Directory Kerberos Interoperability for more information.

Will department systems administrators be able to add new accounts to their department OU without going through a central source?

Yes, but naming standards must be adhered to. See Naming Standards for the Windows forest for these standards.

Will department systems administrators be able to manage the accounts, particularly faculty and staff accounts that belong to their department?

Department systems administrations will have full control over accounts that they create.

Will faculty and staff accounts be moved from the central synchronization point to departmental OUs?

Campus units can manage centrally provisioned user accounts through the Central Accounts Service. See U-M Windows Central Accounts Service for more information about this service.

Will department systems administrators be able to easily assign local resources to central accounts?

Absolutely. This is exactly how the Michigan Active Directory has been designed. Department systems administrators will operate servers that provide services to their users (and anyone else on campus that they choose). By joining the Michigan Active Directory forest, users can be easily given access to these services.