The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security" written by Derek Melber and Dave Kearns and available at Realtimepublishers.com. Click for the complete book excerpt series.
Two kinds of administrators
As you consider how the delegation and overall security will be handled within AD, consider that there are two primary kinds of administrators: data administrators and service administrators. Each type of administrator has a role within AD, but the roles are quite different. Let's take a look at each type of administrator to get a feel for what the options are as you implement your security plan.
Data administrators are responsible for maintaining data that is stored in AD. Here, the use of the term data might throw you off a bit. We are not talking about files and folders or typical database contents used to store company confidential information. Instead, we are referring to data that can be stored in AD. This includes user accounts, computer accounts, group accounts and so on. However, this is not the same as what you might be familiar with from an NT domain. In an NT domain, you have control over all user, group and computer accounts if you are in the Account Operators group. Instead, the focus of data administrators is on a subset of the domain objects. This subset delegation is accomplished by using the delegation of administration techniques that we have discussed and will explore in more detail in Chapter 4.
The computers that data administrators have control over must be domain members. This should encourage you to make all computers on the network members of the domain. If they are not members of the domain, they could easily become rogue computers that the data administrators don't have control over.
There are not data administrators created by default. There are some groups that could be considered data administrators groups, but these groups provide too broad of administrative privilege for most organizations. The process for creating these data administrators is to have the domain administrator create new user accounts and group accounts for these data administrators. The user accounts for data administrators should be different from the user accounts that are used for personal tasks such as checking email and writing memos. Once the data administrators' user accounts are placed into the data administrators groups, the administrators are ready to be given privileges to administer data in AD.
An important point is that data administrators don't create accounts for other data administrators; the data administrators are simply in charge of performing the administration work. We will see that the service administrators will be responsible for creating the groups for and managing the data administrators.
Once the data administrators groups are established, they should then be granted delegated administration over the subsets of data that is stored in AD. We have also reviewed how this is typically configured, which is at the OU level.
From an ROI position, the data administrator groups are important because they do not have to have the knowledge that the service administrators has. The data administrators only need to be responsible for the tasks that have been delegated to them, including managing user accounts, group accounts and computer accounts. The data administrators are not responsible for knowing how to add new domain controllers, ensure replication has occurred, or how to add a new site to AD.
Service administrators are responsible for more of the day-to-day tasks associated with managing and maintaining the AD infrastructure. They are also required to be more aware of the company security policy and procedures. The service administrators are responsible for more in-depth AD tasks than the data administrators are responsible for. Both the service administrators and data administrators are needed, but their job roles are significantly different.
The following list highlights tasks the tasks that the service administrators are responsible for:
- Install domain controllers -- As the number of users and locations grow, there will be a need to install new domain controllers and place them where they will make the most impact.
- Manage DNS -- As DNS is an integral part of AD, the service administrators is responsible for much of the management that is associated with DNS. This responsibility includes adding static records, performing backups and restorations, and troubleshooting any problems.
- Manage the Distributed File System (Dfs) -- With Dfs providing more features and stability in Win2K and later, more and more companies have implemented this service. One of the useful features of Dfs is that it can be integrated with AD, which requires the service administrators to be responsible for the management of all the links and replicas that are configured in Dfs.
- Manage Global Catalog (GC) servers -- The service administrators will be responsible for ensuring that all services and resources that rely on the GC have access to this service. With AD and Exchange relying heavily on the GC, management and availability of the GC servers is an important task.
- Manage the schema -- The schema is vital to AD. When it is modified, the service administrators will be responsible for knowing what is being modified, how it is being modified, and keeping it available before and after any changes.
- Ensure directory availability -- The service administrators are responsible for ensuring that AD is available at all times. This responsibility includes backups and restorations and disaster recovery. It also includes ensuring that AD is available for WAN links and remote access users. If AD is not available for the WAN and RAS users, GPOs and other key security settings might not be applied properly, leaving these client computers vulnerable to attack.
- Manage trusts -- Trusts in AD are automatic, so the internal trusts require little to no management. However, the trusts that go outside of the forest follow the old NT rules. These trusts require management for creation, removal, and troubleshooting if the trust fails. Because a trust can allow a user from an outside domain access to an internal resource, trusts must be managed by the service administrators who are trained on what the vulnerabilities might be.
- Manage sites -- Site management is not a day-to-day task, but it does fall into the scope of responsibility of the service administrators. Sites need to be managed if a new domain controller was brought into the domain, replication needed to be modified, new subnets were added, or a domain controller was being taken offline.
With all of these responsibilities, the service administrators will need to be a member of the AD deployment team. The service administrators will need to be well trained and skilled at all aspects of AD, even the tasks that the data administrators are responsible for. The service administrators will need to have a clear understanding of how security fits into the overall AD structure so that when any changes are made to AD, the security policies are maintained.
The service administrators will also need to have a complete understanding of GPOs. In many cases, the service administrators will be responsible for creating, linking, and/or maintaining the GPOs for the domains in the forest. Often, the security policy is implemented through GPOs. The service administrators will need to understand how the GPOs enforce security to user and computer accounts, including every nuance of security deployment to domain controllers, servers and client computers, as well as IT staff, executives and employees.
With the service administrators having broad, deep, and almighty powers in AD, these users must have a higher level of clearance than the data administrators or the typical employees have. A rogue service administrator can bring down a company, causing loss of data and income. All service administrators must have the highest level of trust with management. It is a good practice to have regular audits on the service administrators to ensure that they are performing their tasks properly and with the company's best interests in mind.
The number of service administrators should be limited, with the scope and power that they bring. The fewer service administrators you have controlling AD, the better. There should, however, be more than one service administrator, as one service administrator does not enable the environment of accountability that is required to maintain a secure AD.
It should be clear now what each type of administrator is responsible for. Data administrators keep tabs on the objects within AD, making sure users can log on, groups have the correct members, and computers are located in the correct OU. Service administrators work at a little bit higher level, making sure that AD is stable, available, and all services that work with AD are managed properly.
There can be an overlap between these two types of administrators if the company structure and plans allow for it. However, this overlap is only a one-way overlap. The one-way direction is on the side of the service administrators. A service administrator can perform the duties of a data administrator, but the data administrators can't perform the duties of a service administrator.
The service administrators are responsible for creating the data administrators' user and group accounts. The service administrators must then manage these accounts to ensure that the data administrators have the correct privilege and access to AD. This separation of duties is more important than just who can do what. From a company security standpoint, it is important to separate tasks so that one administrator does not have too much privilege.
Click for the next excerpt in this series: Best practices for delegating control in AD.
Click for the book excerpt series or visit Realtimepublishers.com to obtain the complete book.