The Pre-history of the Yale Active Directory
Yale's previous Windows NT-based environment was built around a Windows NT "master domain model" structure. The "master" domain, administered by ITS Systems & Production Services (SPS), held all user accounts but only limited supplemental information about each user (group membership, etc.). Many other NT domains, mostly administered by non-ITS staff, existed throughout Yale with one-way trust relationships to the central domain and thus used its account base to control access to local resources. The total number of NT 4 domains in operation at Yale hit a peak of approximately 50, but the overall system was quite reliable and worked well.
Why did Yale implement an Active Directory?
With Windows 2000, Microsoft introduced a new administrative model called the Active Directory (AD), which is in essence a fully distributed database system that serves as the repository for authentication and authorization data for an enterprise. It is implemented in a hierarchical set of domains that replicate information between each other to provide a consistent data set as well as distributing authentication loads.
However, in order to take full advantage of the Active Directory, component systems and their responsible administrators must cooperate much more closely than they have in the past, because there is a higher level of interdependence among systems that participate in it, and groups of systems that are not part of the same AD structure have difficulty communicating with one another. For example, if theoretical physics established an AD structure and high-energy physics established another, a person who needed to access resources in both areas would have difficulty.
User adoption of Windows 2000 on the desktop has been good. Use of Windows 2000 as a server platform was deferred until the Active Directory "issue" was resolved but now that the AD is in operation, many areas are looking at using it to deliver more advanced services.
Clearly, it was in Yale's best interest to establish some kind of unified structure, with well-developed support for individual IT groups to manage their own systems, so that the University can continue to easily support a single sign-on process for access to all Yale resources in a similar way to what we have now with Windows NT. The risk of not establishing a well thought-out central structure was that many individual areas would implement the AD on their own and create a constellation of domains and forests that would be impossible to integrate when the need arose.
Origins of the Model
During 2000, significant work was done by ITS to develop and test a proposed plan for introducing an Active Directory structure at Yale and some documentation was developed based on that work. However, a need was recognized for some source that could provide authoritative answers on some difficult issues that were encountered. In the fall of 2000, Yale was approached by Dell Computer and Microsoft with a joint offer to help us plan and deploy Windows 2000 and the Active Directory. Specifically, Microsoft would provide some time with one of their consultants for planning and documentation purposes and Dell would assist with server hardware to help implement whatever plan was developed through the consultant's work.
Weekly meetings with the Microsoft consultant began during the first week of the new year and lasted until April. Representatives were invited from many areas of the university and attendees came not only from within ITS, but from Medicine, Law, Management, Library systems, Forestry, and a few other areas.
The content of the meetings followed a program that Microsoft Consulting offers called "QuickStart" which is designed to get an organization up and running with the AD in an accelerated fashion by having an experienced consultant assist with planning, provide knowledge transfer on critical topics and deliver a report documenting the implementation plan that results from the discussions.
A four-page executive summary (MS Word format) of the consultant's final report is available for non-Yale people to read. If you are a Yale person and would like to see the full report, please send email. Note that the full report may not be propagated outside of the university.
The operating model documented in the consultant's report, and in distilled form on these web pages, is the result of the consensus reached by those attending the meetings with the Microsoft consultant, together with his recommendations on how we should proceed.
Major Elements of the Model
The model for the Active Directory at Yale has the following major elements:
- A single "forest". A top-level "empty root" domain named yale.edu will be established to provide a high-security point for replication and topology control of the forest. This domain will have no general user or machine accounts in it and will not be accessed directly by most users.
- Below the root, a "management" domain (named yu.yale.edu) was established by directly upgrading a server in the pre-existing YALE NT 4 domain to Windows 2000. This preserved user and group affiliations and allows for existing Windows NT 4 domains to continue to function normally for the indefinite future.
- Migration Path for existing NT 4 domains: The preferred migration path for existing NT domains is that they will become Organizational Units (OUs) in the management domain when they upgrade to Windows 2000. Complete administrative authority over the OU will be delegated back to the appropriate IT staff so they retain full authority over their systems and are able to administer them as they see fit. Client systems in the former NT 4 domain will join the yu.yale.edu domain. DCs for the NT domain would be upgraded to Windows 2000 and become member servers (not domain controllers) within the appropriate OU.
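The following PowerShell script is an added illustration of the "former NT domain becomes a delegated OU" step described above; it is not part of the original page or of the Yale project's own tooling, and it uses the present-day ActiveDirectory module rather than the Windows 2000-era tools. The domain names yale.edu and yu.yale.edu come from the model above; the OU name "Physics" and the group name "Physics-OU-Admins" are hypothetical placeholders. It creates the OU, delegates full control over it to a group that the local IT staff will populate, and then checks two properties the model relies on: that the delegation is scoped to the OU and not to the domain root, and that the empty root domain still holds no ordinary user accounts.

```powershell
# Added example (not from the Yale page). Assumes the ActiveDirectory module and
# an account with rights to create OUs and modify ACLs in yu.yale.edu.
Import-Module ActiveDirectory

$rootDomain = 'yale.edu'                 # empty forest root from the model
$domainDN   = 'DC=yu,DC=yale,DC=edu'     # management domain from the model
$ouName     = 'Physics'                  # hypothetical former NT 4 domain
$ouDN       = "OU=$ouName,$domainDN"
$adminGrp   = 'Physics-OU-Admins'        # hypothetical delegated-admin group

# 1. The former NT 4 domain becomes an OU in the management domain.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. A domain-local group that the local IT staff will be placed in.
New-ADGroup -Name $adminGrp -GroupScope DomainLocal -Path $ouDN

# 3. Delegate full control of the OU and everything beneath it to that group.
#    The ACE is placed on the OU only, so the grant does not extend to the domain root.
$sid = (Get-ADGroup -Identity $adminGrp).SID
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Check: the delegated group must not appear in the ACL of the domain root.
$leaked = (Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$adminGrp" }
if ($leaked) {
    Write-Warning "Delegation for $adminGrp reaches the domain root; expected OU scope only."
} else {
    Write-Output "Delegation for $adminGrp is scoped to $ouDN."
}

# 5. Check: the empty root domain should contain no general user accounts.
#    Only the built-in Administrator, Guest and krbtgt accounts are expected there.
$builtIn   = @('Administrator', 'Guest', 'krbtgt')
$rootUsers = Get-ADUser -Filter * -Server $rootDomain |
    Where-Object { $builtIn -notcontains $_.SamAccountName }
if ($rootUsers) {
    Write-Warning ("Root domain $rootDomain holds unexpected user accounts: " +
        (($rootUsers | Select-Object -ExpandProperty SamAccountName) -join ', '))
} else {
    Write-Output "Root domain $rootDomain holds no general user accounts."
}
```

The two checks at the end are the ones worth re-running periodically: the model's value as a "high-security point" depends on the root staying empty, and the delegation model only keeps each IT group's authority contained if their rights are granted at the OU rather than inherited from the domain.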
Note that this was not a forced migration. The intent is to build a structure that will support whatever use it is put to, but no specific "rollout" date exists. The decision on when to move to this structure will be up to each individual IT group at Yale. ITS staff are available to provide guidance on the upgrade process.