Active Directory hosting configuration

This topic describes how Microsoft Provisioning System configures Active Directory to support delegated administration for hosted services. In order to understand the implications of this information, you should be familiar with basic Active Directory concepts, especially security groups and organizational units. You should also review the other topics in Active Directory implementation architecture. For additional Active Directory resources, see Resources.

Shared domain design

Microsoft Provisioning System allows service providers to host applications for multiple companies on shared hardware, and to administer services for different companies from a central location by using Delegated Administration Console. This amortizes hardware costs across a larger number of users and reduces administrative costs per company.

This design is based on a shared, replicated root directory in Active Directory, called a domain. Within the domain is a series of nested organizational units, representing different organizations. Microsoft Provisioning System creates these organizational units to represent the hosting organization and the reseller organizations and customer organizations it serves. It nests these organizations in the directory and sets certain discretionary access control lists (DACLs) on them to enable centralized administration. It also allows for the delegation of administrative tasks to hosted organizations through Delegated Administration Console. It isolates the information in one organization from users in another organization, as described in Isolation of organization information in Active Directory.

Nested organizational unit structure

For Microsoft Provisioning System, an organization's root organizational unit contains user accounts, groups, computers, and other organizational units belonging to the organization. The organizational units contained within the root organizational unit might represent various entities within the organization, such as divisions and teams. Other organizational units might represent organizations that are hosted or managed by the containing organization.

In the Microsoft Provisioning System hosting configuration, the hosting organizational unit is the top-level container for the service provider organization. It contains user accounts and groups for the hosting organization, as well as organizational units for all of its hosted organizations. Organizational units that represent resellers are nested within hosting. Within the reseller organizational units are nested organizational units that represent the reseller's customers. The top-level organizational unit for each organization, that is, service provider (hosting), reseller, and customer, is considered its root.

The structure of the root organizational units in the hosting configuration is as follows:

hosting

Active Directory objects created by Microsoft Provisioning System

As discussed in Delegated Administration Console functionality, Delegated Administration Console uses Active Directory to enable delegated administration. To implement delegated administration, Microsoft Provisioning System adds certain objects to Active Directory during Delegated Administration Console installation. Also, when an administrator later on creates a new reseller or customer organization, Microsoft Provisioning System creates additional objects in Active Directory that enable the delegation of administrative control for the new organization.

The following paragraphs describe the Active Directory objects created by Microsoft Provisioning System. For more information, see Implemented Active Directory structure.

Active Directory objects created by Setup

When you install Delegated Administration Console, Setup creates the following objects in Active Directory:

Creates the hosting organizational unit

Setup creates the hosting organizational unit to contain all of the Active Directory objects associated with Microsoft Provisioning System, such as the security groups and organizational units for reseller and customer organizations. The hosting organizational unit is managed by service provider administrators and service provider customer service representatives (CSRs), whose user accounts are members of, respectively, the admins@hosting_organization or csradmins@hosting_organization security groups, as described next.

Creates administrative security groups within the hosting organizational unit

Setup creates the following administrative security groups:

Creates a _private container within the hosting organizational unit

Setup creates the _private container to hold other container objects that allow Microsoft Provisioning System to do the following:

Active Directory objects created by Delegated Administration Console

When you create a reseller or customer organization, Delegated Administration Console creates the following objects in Active Directory:

Creates a root organizational unit for the new reseller or customer organization

Delegated Administration Console creates a root organizational unit to contain all of the user accounts, groups, and organizational units associated with the new reseller or customer organization. The name you provide when you create the organization is used as the domain name for the purposes of provisioning Microsoft Exchange 2000 Enterprise Server services. The organization name is also appended to the user names and group names within this organization, in order to identify the organization to which the user accounts and groups belong, and to which their administrative privileges apply. For example, for an organization named "fabrikam.com," user names would have the form user_name@fabrikam.com and group names would have the form group_name@fabrikam.com.

Creates administrative security groups within the organization's root organizational unit

Delegated Administration Console creates the following administrative security groups within the organization's root organizational unit:

Creates a _private container within the organization's root organizational unit

Delegated Administration Console creates the _private container to hold other container objects that allow Microsoft Provisioning System to increase the number of objects that can be contained in the root organizational unit to greater than 5,000.

Expanding the number of members per group

By default, Windows 2000 Server limits the number of members per group to 5,000 (that is, no more than 5,000 resellers in a hosting organizational unit, or 5,000 customers per reseller, or 5,000 users per customer). You can use the following four procedures of the Managed Active Directory namespace included with Microsoft Provisioning System to circumvent this limitation: