Currently, three options exist for using Penn State Windows Active Directory Service: join as an OU in the ACCESS domain, join as a Child domain, or use a Direct Trust for authentication. Your organization’s best option depends on its organizational needs and its supporting capabilities.
(If you’ve already chosen your option, then you are ready to apply for the chosen option.)
Each option is outlined below:
OU under the ACCESS domain
This option is recommended for most organizations at the University Park campus. The option allows an organization to use the Kerberos trust without managing a domain. In this scenario, all domain issues (such as account management, Domain Controller maintenance/management, and infrastructure disaster recovery) are taken care of by ACCESS administrators. Your organization is responsible for managing its client PCs and any services provided from its servers. Most administrative tasks are still possible: you may still manage PCs, servers, and Group Policy Objects (GPOs), but slight differences exist for adding machines and creating GPOs in this environment.
- Easiest to start and implement
- Domain administration is taken care of
- Domain infrastructure is managed and maintained
- Domain infrastructure disaster recovery is taken care of
- Account management is taken care of
- Direct support of ACCESS admins
- Least control outside your OU compared with the other options
- Global changes such as schema extension must be approved and tested before implementation
Child domain
This option is recommended for large organizations. If you would prefer to keep local domain controllers but need to leverage central services, then this option would be a good choice. You can leverage account management from central services but still maintain domain administrator privileges.
- Account management is taken care of
- Global changes such as schema extension must be approved, tested, and implemented
- Existing domains cannot be forklifted in as child domains
Direct Trust
This option is recommended for organizations that already manage a domain with user accounts in it. This option requires that your organization administer everything. The only support from the ACCESS domains is in setting up the trust.
- Gives your organization complete control over everything
- Least support from ACCESS admins
- Your organization must manage its own accounts
Apply for the Best Option
After you’ve decided which option is best, the next step is to apply for that option.