The following sections contain scenarios in which a centralized management deployment offers solutions to common hosting problems.
Manage Computers in Active Directory
In this scenario, centralized management simplifies operations and enables simple and consistent application of security policies.
Sam is an administrator at fabrikam.com, a service provider offering shared and dedicated services to small and medium businesses and to individual users.
Today, fabrikam.com has no centralized management concept in place for any of its offerings. Instead, the company uses individual administrative accounts to access every server in system, to run updates manually or using scheduled Windows Update to update the computers. Customer user accounts must remain synchronized in multiple locations to ensure access to the various services fabrikam.com offers. This is particularly labor-intensive when all servers need to be updated or reconfigured; in this case, the administrator has to log on to each and every computer and make the changes locally.
To cut down the time, effort, and cost of the administration the CIO of fabrikam.com asks Sam to create a centralized management concept for their operation.
Sam looks at the solution and decides to implement centralized management. This enables fabrikam.com to use Active Directory directory service to manage all its customer computer accounts centrally through Active Directory; each customer server is placed into an OU in Active Directory. Sam has defined a Group Policy Object (GPO) for each of the different server classes and assigned this GPO as a link to the OU in which the computer account resides. In each case, the GPO controls the Baseline Security Configuration for the server.
The customer user and group accounts continue to be managed as local users on the customer server. To perform management tasks on multiple computers from one central location Sam has added his administrative domain account to the local administrators group on the customer server using the GPO; this ensures that the customer cannot modify the administrators group (it will always be reset by the GPO).
In addition to GPO and configuration management, Sam uses Active Directory to configure Windows Update and the Microsoft Software Update Service, the use of each depending on the service level agreement (SLA) the customer has, and on the centralized managed configuration for services, file system, and registry permissions.
Furthermore, Sam enables self-service administration for the customer administrators through the use of a locally installed control panel application. This application enables the customer to manage user and group accounts and his service settings using a simple Web interface.
On the shared service side, Sam manages all shared servers in one common OU and applies the same GPO to all of them. Customer user and group accounts are located on the shared servers and the customers are able to manage their user accounts using a Web-based control panel.
The benefit of doing this is consistent policy configuration, single logon used for all admin tasks, reduction in overall Admin burden and cost.
Migrate Servers to a Centrally Managed Infrastructure
The benefits of centralized management can be brought to existing, locally managed, and non-Active Directory deployments.
Today fabrikam.com has Active Directory in place for some of its customers and servers but also has many locally managed computers.
To reduce the operating costs and increase the manageability of their systems, fabrikam.com decides to migrate all locally managed computers and customers into their existing Active Directory forest.
Sam, the administrator at fabrikam.com, plans to use the approach outlined in the .
Sam starts by joining his customers' servers to the Active Directory domain and moving them to the appropriate OU. The OU has a GPO link assigned to it that sets the same configuration as was set locally before the move. Once verified that all customer Web sites are working as expected Sam start locking down the servers to the standards defined in the fabrikam.com security guidelines.
The benefit of doing this is consistent policy configuration, single logon used for all admin tasks, and reduction in overall administration burden and cost. In addition, Sam gains the ability to distribute updates and configure services and permissions from one central location without the need to log on to each server. Further, the integration of the servers with Active Directory opens the possibility to manage user accounts centrally, which reduces the administrative burden of managing multiple accounts across services.
Manage Users in Active Directory
Resellers can manage all their users across servers, while remaining isolated from other resellers in the service providers' Active Directory configuration
Bill is a reseller administrator at contoso.com, a customer of fabrikam.com, who purchased multiple dedicated servers. contoso.com offers shared services to small businesses and individual users.
Today Bill manages all his customer user accounts as local users on the servers that host a specific customer's service. This means a lot of administration to manage the customers. It also makes it very hard for Bill to move a customer from one server to another without potentially breaking the customer's service. This administrative burden reduces Bill's ability to grow his business effectively.
Lately fabrikam.com, Bill's service provider, implemented Active Directory for server management. As a next step fabrikam.com now offers centralized user management for the resellers.
This helps Bill to manage his customer's user and group accounts in Active Directory. To ensure the isolation of the contoso.com reseller accounts Sam, the administrator of fabrikam.com, has set up a dedicated OU for contoso.com and set the permissions according to the recommendations in the . Sam has also defined a GPO for the contoso.com servers and assigned this GPO to the OU in which these servers reside. The GPO controls the Baseline Security Configuration for the servers.
contoso.com administers its entire customer user and group accounts using the same control panel software fabrikam.com uses. contoso's customers have access to their users using a custom created Web application; this application ensures the integrity of the managed objects in Active Directory.
The benefit of doing this is consistent policy configuration, single logon used for all administrative tasks, and a reduction in overall administration burden and cost. The new configuration also makes it easy to move sites across servers because the end customer's identity does not change.
Migrate Users to the Centrally Managed Infrastructure Using Migratetocm.wsf
An infrastructure comprising more than ten locally managed servers benefits from migration to centralized management
To effectively enable user management in a centrally managed fashion it is necessary to migrate the user and group accounts currently managed in the local SAM of each server to Active Directory. The solution provides detailed information on how to plan and deploy a migration to centralized management.
The benefits of such a migration are the reduction in administrative costs across multiple servers, and increased portability of services across servers in the domain and forest.
This scenario comes with the additional cost in hardware for the domain controllers and the associated operations cost for the Active Directory, so it will only make sense in an environment with more than ten servers.
Coexistence and Integration of Existing Domains into a Centrally Managed Platform
Integrated domains bring the benefits of one-stop management for customers with diverse hosting implementations.
Besides its shared and dedicated offerings fabrikam.com also hosts several collocation and highly-managed customers. Up-to-date fabrikam uses dedicated credentials in every customer's environment to manage the services. To further reduce the administrative costs and amount of work involved with managing these customers fabrikam.com decides to integrate these stand-alone domains into its centralized management Active Directory domain.
Three types of customers are affected by this integration:
- Type A runs a single Windows Server 2003 R2-based Active
Directory domain in Native mode.
- Type B runs a single Windows 2003 R2 forest with multiple
domains in Mixed mode.
- Type C runs a Windows Server 2003 R2-based forest in Windows
Server 2003 mode.
To integrate a customer of Type A, Sam, the fabrikam.com administrator, sets up a one-way trust between customerA.net and the fabrikam.com domain. This way the administrators in the customerA.net domain can delegate rights to dedicated users from the fabrikam.com domain.
To integrate a customer of Type B, Sam sets up a one-way trust between each domain that must be managed in the customerB.org forest, and the fabrikam.com domain. This way the administrators in the customerB.org forest can delegate rights to dedicated users from the fabrikam.com domain.
To integrate a customer of Type C, Sam sets up a cross-forest trust between customerC.biz forest root domain and the fabrikam.com forest root domain. This way the administrators in the customerC.biz forest can delegate rights to dedicated users from the fabrikam.com forest. Sam then sets up SID filters to ensure that only trusted accounts are allowed to access resources in each forest.
The benefit of doing this is consistent policy configuration, single logon used for all administrative tasks, and a reduction in overall administration burden and cost.