HHS IRM Policy for Active Directory
January 8, 2001
This circular establishes the policies and responsibilities for the installation and coordination of Active Directory throughout the Department of Health and Human Services (HHS).
This policy applies to all Departmental (Operating Division and Staff Division) system development, maintenance efforts, and infrastructure computing resources at all levels of sensitivity, whether owned and operated by HHS, or operated on behalf of HHS.
HHS networks using Windows 2000 shall coordinate their installation and maintenance activities with the HHS CIO such that all networked Windows 2000 computers are members of one HHS "forest." This will be accomplished by migrating from multiple "forests" to the single HHS "forest" where multiple "forests" currently exist. Where no Windows 2000 "forest" currently exists, a single HHS "forest" shall be established. Every effort shall be made to populate an existing HHS "forest" before establishing a new "forest." Permission to establish any "forest" (except for a test "forest") must be obtained from the DASIRM prior to establishing the "forest." (See Definitions.) OPDIVs are responsible for constructing and maintaining their own domains as they see appropriate.
The Active Directory shall be constructed by an HHS Enterprise Network Team (HHSENT) led by the DASIRM and consisting of representatives from all OPDIVs with planned Windows 2000 implementations. Once the schema is agreed to, it shall be modified only by agreement of the HHSENT, which will function as the Change Control Board.
Security and independence of the domains are recognized to be critical to the success of the HHS Network. It is expected that some domains will lock out all external administrative access (i.e., the ability of someone outside the domain to make security changes). As such, the Enterprise Administrators group will be limited to a small number of people in the HHSENT as designated by the HHS Deputy CIO and OPDIV CIOs. Furthermore, the ability to log into the accounts that can take over control of a domain shall be limited. [This could be accomplished by splitting the passwords to those accounts so that no one member of the team can act unilaterally (i.e., a password will have several parts, with no one person knowing the others).]
The OPDIV CIOs shall be responsible for:
The following public laws and Federal regulations are applicable to this policy circular:
Direct questions, comments, suggestions, or requests for further information to the Deputy Assistant Secretary for Information Resources Management at (202) 690-6162.
The effective date of this policy is the date the policy is approved.
John J. Callahan
Active Directory - A structure supported by Windows® 2000 that lets any object on a network be tracked and located. Active Directory is the directory service used in Windows 2000 Server and provides the foundation for Windows 2000 distributed networks.
Domains - A single security boundary of one or more computers that form a computer network. Active Directory is made up of one or more domains. On a standalone workstation, the domain is the computer itself. A domain can span more than one physical location. Every domain has its own security policies and security relationships with other domains. When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a domain tree. Multiple domain trees can be connected together to create a forest.
Forest - A group of one or more trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of trust.
Trees - A set of Windows domains connected together through transitive, bidirectional trust, sharing a common schema, configuration, and global catalog.
Schema - The definition of an entire database; the universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and which object classes can be the parent of an object of the current class.