Note
This post originally appeared on my MSDN blog:
Since
I no longer work for Microsoft, I have copied it here in case that blog
ever goes away.
In a previous post, I provided some details on the
"Jameson Datacenter", which is really just my home lab that I use for learning
new technologies and improving my skills, as well as actually completing my day-to-day
tasks on various customer projects (whenever I am actually able to work from home
instead of using my laptop at a customer site).
In this post, I want to share details about how I've configured my Active Directory
domain, namely corp.technologytoolbox.com.
Note
Technology Toolbox is just a name I came up with about ten years ago before joining
Microsoft. At the time, I was considering starting my own company and therefore
went looking for an available domain name. (I would have preferred techtoolbox.com,
but that was already taken.) [Don't bother trying to browse to
https://www.technologytoolbox.com because, honestly, I haven't yet invested
the time in actually creating the Web site -- even after almost ten years.]
As you can see in the following figure, I've created a number of organizational
units (OUs) which you would typically find in many enterprise organizations.
Figure 1: Jameson Datacenter - Active Directory domain structure
Note that I didn't really come up with this structure myself (except for the
Admin Accounts OU, which I believe was an
"original idea" of mine -- but honestly it's been so long that I can
hardly remember). Most of this is based on the prescriptive guidance from TechNet.
You can find the latest version of this guidance in the
AD DS (Active Directory Domain Services) Design Guide. [I tried to find
the original reference material that I used, but I gave up looking for it on TechNet
this morning after about 5 minutes.]
As you can see, I created OUs to model organizations such as the Development
group, the IT group, and the Sales organization.
The following table summarizes the various OUs in the domain:
Organizational Units in the corp.technologytoolbox.com Domain
|
Organizational Unit
|
Description
|
|
Development
|
Represents the "Development" group within Technology Toolbox (which really just
means me, since my wife doesn't do any development and my 3-1/2 year old daughter
isn't quite ready for .NET yet)
|
|
Development/Groups
|
Contains the groups within the Development organization (such as TECHTOOLBOX\All
Developers and TECHTOOLBOX\Development Admins). Delegated
administration is used to allow developers to create and manage their own groups.
|
|
Development/Resources
|
Container for various resource OUs
|
|
Development/Resources/Servers
|
Contains servers for the Development environment (e.g. DOGFOOD,
FOOBAR, and FOOBAR2)
|
|
Development/Resources/Workstations
|
Contains individual developer workstations (e.g. NIGHTCRAWLER and
WOLVERINE).
|
|
Development/Service Accounts
|
Contains service accounts for the Development environment (e.g. Service account
for SQL Server (DEV) -- TECHTOOLBOX\svc-sql-dev)
|
|
Development/Users
|
Contains user accounts for each person in the Development organization (e.g.
TECHTOOLBOX\jjameson)
|
|
IT
|
Represents the corporate "IT" group (which is really just my alter ego -- TECHTOOLBOX\jjameson-admin)
that assumes all responsibility for managing the "Production" environment at Technology
Toolbox
|
|
IT/Admin Accounts
|
Contains all user accounts that are members of the Domain Admins
group. Note that all of these accounts are suffixed with "-admin" in order to easily
distinguish them, as well as provide alternate "elevated privilege" accounts (e.g.
TECHTOOLBOX\jjameson-admin) corresponding to low-privilege accounts
(e.g. TECHTOOLBOX\jjameson)
|
|
IT/Groups
|
Contains the groups specific to the IT organization.
|
|
IT/Resources
|
Container for various resource OUs
|
|
IT/Resources/Servers
|
Contains servers for the "Test" and "Production" environments. Currently this include
BANSHEE, BEAST, COLOSSUS,
CYCLOPS, DAZZLER, ICEMAN, JUBILEE,
and ROGUE.
|
|
IT/Resources/Workstations
|
Contains individual workstations for the IT organization. This OU is currently empty.
|
|
IT/Service Accounts
|
Contains service accounts for the "Test" and "Production" environments (e.g.
Service account for SQL Server (TEST) -- TECHTOOLBOX\svc-sql-test and
Service account for SQL Server -- TECHTOOLBOX\svc-sql)
|
|
IT/Users
|
Contains user accounts for each person in the IT organization. This OU is currently
empty.
|
|
Sales
|
Represents the Sales organization within Technology Toolbox. I created this OU primarily
for testing (for example, to verify whether I've configured the permissions correctly
on a SharePoint site).
|
Note
The Sales OU contains similar OUs as Development.
These are simply not shown in the previous table.
Note that this domain structure, I'm able to use the Group Policy feature of Active
Directory to "effortlessly" configure new servers.
For example, this morning I created a new development VM (FOOBAR3) from a
SysPrep'ed VHD file. After joining the new VM to the domain, I then moved
FOOBAR3 to the Development/Resources/Servers OU. After the VM rebooted
(which is required when you join a domain), it was automatically configured with
numerous settings, including Windows Update (i.e. to update from my WSUS server
-- COLOSSUS) and also to grant the TECHTOOLBOX\Development Admins
group administrative access (of which TECHTOOLBOX\jjameson is a
member). I was then able to quickly log in with my regular account and start installing
SQL Server 2008 (which finished before I actually completed this post). Now it's
time to install Visual Studio 2008...
I'll cover my group policy configuration in a separate post.