CLASnet

This document is intended for IT Professionals in the UF College of Liberal Arts & Sciences who may require additional information regarding our migration to Active Directory. At the moment, this is a stub, and will be expanded upon as people ask questions.

UFAD uses Biztalk and other tools to "automatically" perform multiple administrative tasks on our behalf. The source of the information used is the same group of databases that PeopleSoft uses. These processes define global groups (GGs), place user objects into various organizational units (OUs), set/check Exchange mailbox quotas, etc.

Importance of the NMB for users

The Networked Managed By (NMB) relationship in PeopleSoft is used exclusively by Active Directory. UFAD servers run a script every 15 minutes that checks the NMB field and moves the user's object to the "correct" unit's OU accordingly. Thus, we can be granted administrative access to that OU tree (and all the user objects within it) without having to be given access to other units' personnel. For example, user "albert" is related via the NMB to org code 1640000. As a result, this user's DistinguishedName (DN) will be:

CN=albert,OU=LS-CLAS COMPUTING,OU=LS-DEANS OFFICE,OU=COLLEGE-LIBERAL ARTS-SCIENCES,OU=PROVOST,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu

Once we have such administrative rights over the user object, we can set Active Directory attributes, such as their Exchange mail server and mail store, the location of their Home Directory, their profile directory (if applicable), and assign any Group Policies (GPOs) which would apply no matter which computer they used on campus, as long as it was on AD.
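Because our rights stop at the edge of the OU tree, it helps to confirm that a user's object really sits under the OU we were delegated before assuming we can manage it. The following is an added example, not a CLASnet or UFAD script: it compares DNs RDN by RDN (case-insensitively, honoring backslash-escaped commas) instead of using a substring match. Every DN other than albert's is constructed sample data, and EXAMPLE-OTHER-UNIT is a hypothetical OU name.

```python
# Added example: is a user object inside the OU subtree we were delegated?
PARENT = ("OU=LS-DEANS OFFICE,OU=COLLEGE-LIBERAL ARTS-SCIENCES,"
          "OU=PROVOST,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu")
DELEGATED_OU = "OU=LS-CLAS COMPUTING," + PARENT

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize(rdn):
    """Case-fold attribute and value; AD compares DNs case-insensitively."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().casefold(), value.strip().casefold())

def in_subtree(object_dn, base_dn):
    """True if object_dn lies strictly below base_dn."""
    obj = [normalize(r) for r in split_rdns(object_dn)]
    base = [normalize(r) for r in split_rdns(base_dn)]
    return len(obj) > len(base) and obj[-len(base):] == base

def out_of_scope(user_dns, delegated_ou):
    """DNs we cannot manage, e.g. because the NMB points at another unit."""
    return [dn for dn in user_dns if not in_subtree(dn, delegated_ou)]

SAMPLE_DNS = [
    "CN=albert," + DELEGATED_OU,                                  # from this page
    r"cn=Doe\, Jane,ou=ls-clas computing," + PARENT.lower(),      # constructed
    "CN=carol,OU=EXAMPLE-OTHER-UNIT," + PARENT,                   # constructed
    # constructed: the OU text appears only inside the CN value
    r"CN=temp\,OU=LS-CLAS COMPUTING,OU=EXAMPLE-OTHER-UNIT," + PARENT,
]

if __name__ == "__main__":
    for dn in out_of_scope(SAMPLE_DNS, DELEGATED_OU):
        print("not under delegated OU:", dn)
```

A user who shows up in the out-of-scope list most likely needs their NMB relationship corrected in PeopleSoft rather than a manual move, since the script will move the object back on its next run.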

Delegation of OU administration

For IT staff, we assign the requisite subset of administrative rights to an AD global group (GG). Each IT staff member will receive their own service account, which is a member of the proper GG to match their roles. We can then assign these service accounts rights to individual OUs within the AD tree, which will allow administrative access to computers, printers, and other types of AD objects.

Not all service accounts will have rights to add/delete computer accounts. Most will only be able to join a computer to UFAD using an existing computer account. Since we create a computer account when a computer is registered to our DHCP table, this should not pose an undue burden. When a computer is transferred from one unit to another, we'll need to move its AD object to the new OU to match its new role.

Whenever possible, modifications for computers will be applied via GPOs that are applied to the OU containing the computer in question. We are trying to avoid inheriting too many GPOs from upper-level containers, and at the same time using the OU-level GPOs to document these modifications.

Adding a Gatorlink IMAP account to Outlook

Some people have been forwarding their unit email address to their Gatorlink IMAP mailboxes. To prevent these messages from being "orphaned", you need to add the IMAP account to Outlook temporarily, then transfer the messages. To simplify this, as the user, close all Office applications (Outlook, Word, Excel, etc), then run:

"C:\Program Files\Microsoft Office\Office12\outlook.exe" /promptimportprf "\\ad.ufl.edu\clas\apps\CLASnet Scripts\GatorlinkProfile.PRF"

After you've migrated the messages, we recommend going into the Mail Control Panel and using 'Remove' to delete the IMAP account. Otherwise, Outlook will ask for the user's Gatorlink IMAP password every time it starts.

Distributed File System & Server Names

Rather than provide users the individual server names, we're using the Windows Distributed File System (DFS) service to provide a network-based 'auto-mounter' for all of the various filesystems. Any modern version of MS-Windows has support for DFS, but there's still no support for MacOS as of 10.5. There are third-party DFS clients, but they're not free. If you are charged with managing Macintosh systems and you need to access the CLASnet servers (for home, web, and share volumes), you may need the following server/share information:

DFS path                          Server/share
\\ad.ufl.edu\clas\share           \\ls-file01.ad.ufl.edu\share
\\ad.ufl.edu\clas\home\[abc]      \\ls-file02.ad.ufl.edu\home0\[abc]
\\ad.ufl.edu\clas\home\[d-i]      \\ls-file02.ad.ufl.edu\home1\[d-i]
\\ad.ufl.edu\clas\home\[jkl]      \\ls-file03.ad.ufl.edu\home2\[jkl]
\\ad.ufl.edu\clas\home\[m-r]      \\ls-file02.ad.ufl.edu\home3\[m-r]
\\ad.ufl.edu\clas\home\[s-z]      \\ls-file03.ad.ufl.edu\home4\[s-z]
\\ad.ufl.edu\clas\web             \\samba.clas.ufl.edu\web


College of Liberal Arts & Sciences CLASnet

109 Rolfs Hall
PO Box 117300
Gainesville FL 32611

Contact: CLASnet
Phone: (352) 846.1990
FAX: (352) 846.1995