We anticipate that many departments and units, large and small, on the
Berkeley Campus will elect to join the CalNetAD forest. Most of the
administrative responsibilities in the forest will be delegated to local
administrators in these departments and units. Being a local administrator in
the CalNetAD forest carries certain responsibilities and expectations. These
policies are meant to delineate appropriate standards within the CalNetAD
All local administrators in the CalNetAD forest must read and agree to the
following policies, prior to being given an administrative account. Any local
administrator who creates an administrative account for another local
administrator must make sure the new administrator has read and agreed to these
All CalNetAD local administrators (or their proxy) are expected to
participate in the CalNetAD Planning Committee and attend its meetings.
Schedule a meeting with the CalNetAD project team by using the
Request OU form (this form will
require CalNet authentication). The CalNetAD team will discuss your requirements
Departments and units are encouraged to join the CalNetAD as an
Organizational Unit (OU). OUs are directory containers for directory objects
(e.g., user, computer, and policy objects). The primary purpose of an OU is to
make administration easier in terms of management and delegation. Control of an
OU in the CalNetAD forest will be delegated to an OU administrator group who
shall have the ability to manage users, computers, local security groups, and
Group Policy Objects (GPOs) in their OU and sub-OUs. GPOs are a set of common
configuration settings, like distributing software or changing the user
environment, to help manage directory objects such as computers and users. OU
administrators will only be allowed to apply GPOs for their OU.
Joining as a domain is not permitted. Special arrangements can be made to
create a trust for a limited time if you are currently managing your own domain,
and want to migrate to CalNetAD.
In general, people who experience problems with a particular service should
speak to their local CalNetAD administrator first. If the issue can’t be
resolved, then the local administrator can raise the issue to the appropriate
support group. (See 16 Local
CalNetAD naming standards are
recommended for computer account names. Naming conflicts are left to local
administrators to resolve. Priority will generally go to the OU that first used the
name in the forest.
All workstations should keep "berkeley.edu" or other existing domain suffixes
as their primary domain suffix. All workstations must be registered properly in
the campus DNS. Use the existing DNS names (if legal Windows names). All
workstations must have an Active Directory DNS name that matches their
registered campus DNS name. The hostname component of the FQDN becomes the
legacy short-name alias. Workstations in the forest must be configured to turn
off DDNS registration. This is enforced by a site GPO which should not be
CalNetAD naming standards are
recommended for user account names.
Local administrators are responsible for the local support of their user
accounts. As a local administrator, it is up to you to educate your users on a
regular basis so as to avoid common problems. The majority of issues you deal
with will probably concern failed logins and security in the distributed Windows
Establish which security group (other than "Everyone") the members of your
department should always use for access to local shared folders. Document the
process step-by-step, so users can follow it easily.
Data replicated into the CalNetAD campus domain from the CalNet Directory
(e.g., name fields, address fields, phone numbers, etc.) will be subject to
automatic updating and should not be altered locally. Local administrators must
take appropriate security precautions to protect user account data.
Local administrators should make every effort to delete expired or unused
pvt-, svc-, and ! (bang) user accounts in their OUs. CalNet accounts should
never be deleted by an OU administrator. All CalNet accounts should be returned
to the FSA container using the Moveuser web page when the user is no longer
managed in your OU.
Group Policy Objects are directory objects used to apply common configuration
settings on computers and user objects. GPOs are associated with directory
containers, and are thus applied indirectly to all user or computer objects
within that container. Using GPOs, local administrators can perform tasks such
as assigning a particular software installation to a set of computers, enforcing
security settings, or assigning configuration options.
CalNetAD naming standards are
recommended for GPOs.
7.6 GPO Enforcement
Cleartext authentication is not allowed in the CalNetAD infrastructure.
Cleartext authentication will be turned off on all domain controllers. Clear
text authentication is not allowed for IIS, Mac File and Print Services, Samba,
All accounts must have a robust password that meets certain basic
requirements for strength, complexity and form. Please refer to the required
passphrase characteristics contained on the CalNet Change Passphrase web page.
Participation in the CalNetAD forest does not entitle departments to licenses
for operating systems or other software for departmental systems. The CalNetAD
service includes only licenses for software required to operate the CalNetAD
forest and Domain Controllers. Departments should ensure that systems
participating in the CalNetAD forest are properly licensed for software running
on their systems, including operating system or server software.
Windows DNS Server Services must NOT be installed on any computer within the
CalNetAD forest without prior consultation with IST-CNS and the CalNetAD
Enterprise Administrators. Windows machines using IST-CNS for DNS services must
be configured to turn off DDNS registration. IST-CNS does not generally support
DDNS for security reasons. A site-wide GPO automatically disables DDNS
registration for members of the forest. This policy should not be blocked. All
UC Berkeley computers in the CalNetAD forest must have their primary DNS suffix
name correctly entered, and must be registered in DNS to communicate properly in
the forest. To conform to campus networking standards, all computers must have a
DNS name that matches their registered node.
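The workstation requirements stated under the naming standards above and again in this DNS section (campus primary DNS suffix, DDNS registration turned off, AD DNS name matching the registered campus name) can be checked with the following audit script. It is an added example, not CalNetAD's own tooling; it assumes an elevated PowerShell session on Windows 8/Server 2012 or later (DnsClient cmdlets available) and uses the campus suffix berkeley.edu taken from the policy.

```powershell
# Added example (not CalNetAD project code): audit one workstation against the
# CalNetAD DNS policy. Assumes an elevated session and the DnsClient module.
param(
    [string]$ExpectedSuffix = 'berkeley.edu'   # campus suffix named in the policy
)

$findings = @()

# 1. Primary DNS suffix must be the campus suffix, not the AD domain name.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = $tcpip.'NV Domain'
if ($suffix -ne $ExpectedSuffix) {
    $findings += "Primary DNS suffix is '$suffix', expected '$ExpectedSuffix'"
}

# 2. Dynamic DNS registration must be off, globally and on every adapter
#    (the site GPO sets this; a missing or zero value means it was blocked).
if ($tcpip.DisableDynamicUpdate -ne 1) {
    $findings += 'Global DisableDynamicUpdate is not set to 1'
}
Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress } | ForEach-Object {
    $findings += "Adapter '$($_.InterfaceAlias)' still registers its address in DNS"
}

# 3. The machine's FQDN must be registered in campus DNS and resolve to one of
#    its own (non-loopback, non-APIPA) IPv4 addresses.
$fqdn  = "$env:COMPUTERNAME.$suffix".ToLower()
$local = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress
try {
    $resolved = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop).IPAddress
    if (-not ($resolved | Where-Object { $local -contains $_ })) {
        $findings += "$fqdn resolves to $($resolved -join ', ') but local addresses are $($local -join ', ')"
    }
} catch {
    $findings += "$fqdn is not registered in campus DNS ($($_.Exception.Message))"
}

# Report: one line per finding, or a single COMPLIANT line.
if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $fqdn"
} else {
    $findings | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
}
```

The NONCOMPLIANT lines are what a local administrator would collect across an OU before raising a DNS or DDNS issue with IST-CNS.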
DHCP services must be coordinated with IST-CNS and CalNetAD Enterprise
Administrators before joining the forest.
By default, IIS services are turned off through CalNetAD Group Policy. This
helps to ensure that local workstations cannot start 'rogue' IIS web servers.
Local administrators can override the CalNetAD GPOs governing IIS in order to
implement a well-managed IIS web service. "Well-managed" means that all security
patches and fixes have been applied; all unnecessary IIS services have been
turned off; and IIS is configured to not allow cleartext authentication.
The CalNetAD Security Subcommittee recommends putting IIS in a separate,
dedicated domain where feasible and establishing appropriate security groups to
DFS is supported in the CalNetAD forest. Please contact the CalNetAD
Enterprise Administrators if you wish to run this service.
By default, EFS services are turned off through CalNetAD Group Policy. Please
be sure to understand the risks relating to lost encryption keys if you choose
to override this policy.
The CalNetAD Infrastructure is composed of many different computing,
administrative and consulting services. This section provides a brief
description of these services and specific contact information for each. In
general, people who experience problems with a particular service should speak
to their local CalNetAD administrator first. If the issue can’t be resolved,
then the local administrator can raise the issue to the appropriate support
The IST-Platform Services-Enterprise Windows Team installs and maintains the
server and support machines which run Active Directory for the UC and CAMPUS
domains. A group within the IST-Platform Services-Enterprise Windows Team serves as
Enterprise Administrators (EA). They install, configure, and maintain the Active
Directory domain controllers for the UC and CAMPUS domains that support the
CalNetAD infrastructure. Urgent problems related to domain controllers or
infrastructure services should be reported by calling the IST Trouble Desk at 642-8500. For general discussion,
this group can be contacted via e-mail at calnetad-info.
The responsibilities of the Enterprise Administrators are:
The responsibilities of local administrators are: