Delegation Model – Servers Area or Tier1. The intention of the Servers Area (Tier1) is to host and group all the servers that provide services to the whole environment. Servers that only serve one site are kept in that site's Local Servers OU instead, but both kinds of server OU belong to Tier1. As this area will ONLY host servers (which are computer objects), the delegation implemented here is reduced to that single object class.
Purpose of Servers Area – Tier1
This area is the “Root OU” where all centralized servers will exist. In the Sites Area, each site has a Local Server Admin sub-OU for the same purpose. The only difference between a site's server OU and this one is scope: the site OU holds that site's servers, while this area is a global corporate container. Either way, the rights delegated on both containers are essentially the same. A server operator gets the same inherited rights no matter whether the object sits within a site OU or in the Servers Area.
In this area we may face three different roles, for which we need a common design. As we are only dealing with servers (the Computer class in AD), the management, maintenance, operation and ownership of these objects is typically divided into:
- Server Operations. Most of the time a single global group takes on this task for all servers.
- Server Administration. Focused on the operating system of the box. It is common for a single global team to hold this responsibility.
- App/Service Administration. This depends on the type of application and/or service installed on top of each box.
At the first level, the servers root OU, only two groups are created and delegated rights. Those rights are inherited by every child organizational unit and the objects within them.
A single monolithic root GPO is linked at this level. It carries the common baseline configuration for all servers, plus a common “local server access” definition for administration and operation.
Each server local group is mapped to a corresponding domain global group. The server administration global group is a member of each server's local Administrators group. The operators group is a member of each server's local Event Log Readers, Performance Log Users and Performance Monitor Users groups. Both domain groups are members of each server's Remote Desktop Users group. This configuration ensures that both groups have the corresponding access and permissions on every server within this OU hierarchy. When this is enforced through Restricted Groups in the GPO, use the “This group is a member of” direction, which adds the domain group to the local group; the “Members of this group” direction replaces the local group's entire membership and would remove any per-application accounts that App/Service administrators have added.
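The following PowerShell is an added example, not code from the original article. It builds the Servers Area root OU and its two Tier1 global groups, delegates rights over computer objects on the OU so they inherit to every child OU, links the baseline GPO, and provides a function that audits a server's local group membership against the mapping described above. The OU path, group and GPO names, the groups OU, and the exact rights granted to each role (full control over computer objects for administrators, read-only for operators) are assumptions for illustration.

```powershell
# Added example (not part of the original article). Assumed names: OU=Servers,
# OU=Tier1 Groups,OU=Admin, SG_Tier1_ServerAdmins, SG_Tier1_ServerOperators,
# and the GPO "Tier1 - Servers Baseline". Requires RSAT (ActiveDirectory, GroupPolicy).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = Get-ADDomain
$DomainDN   = $Domain.DistinguishedName
$ServersOU  = "OU=Servers,$DomainDN"                 # assumed root OU of the Servers Area
$GroupsOU   = "OU=Tier1 Groups,OU=Admin,$DomainDN"   # assumed to exist already
$AdminsName = 'SG_Tier1_ServerAdmins'                # assumed group name
$OpersName  = 'SG_Tier1_ServerOperators'             # assumed group name
$GpoName    = 'Tier1 - Servers Baseline'             # assumed GPO name

# 1. Root OU and the two global groups (idempotent)
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ServersOU'")) {
    New-ADOrganizationalUnit -Name 'Servers' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($g in $AdminsName, $OpersName) {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
}

# 2. Delegation: ACEs scoped to the computer class only, inherited by all child OUs.
#    The computer class schemaIDGUID is read from the schema rather than hard-coded.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                        -Properties schemaIDGUID).schemaIDGUID
$adminsSid = (Get-ADGroup $AdminsName).SID
$opersSid  = (Get-ADGroup $OpersName).SID
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

$rules = @(
    # Server admins: create and delete computer objects anywhere in the OU tree...
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $adminsSid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $computerGuid, $All)
    # ...and full control over existing computer objects (assumed scope for admins)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $adminsSid, $Rights::GenericAll, $Allow, $Desc, $computerGuid)
    # Server operators: read-only on computer objects (assumed scope for operators)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $opersSid, $Rights::GenericRead, $Allow, $Desc, $computerGuid)
)
$aclPath = "AD:\$ServersOU"
$acl = Get-Acl -Path $aclPath
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $aclPath -AclObject $acl

# 3. The monolithic root GPO, linked at the Servers root OU. The Restricted Groups
#    ("Member Of" direction) settings are configured in GPMC; the GroupPolicy module
#    has no cmdlet for them.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Guid $gpo.Id -Target $ServersOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Audit: local group -> domain groups that must be members, as described in the text.
$Expected = @{
    'Administrators'            = @($AdminsName)
    'Remote Desktop Users'      = @($AdminsName, $OpersName)
    'Event Log Readers'         = @($OpersName)
    'Performance Log Users'     = @($OpersName)
    'Performance Monitor Users' = @($OpersName)
}

function Test-Tier1LocalGroups {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Expected, $Domain.NetBIOSName -ScriptBlock {
        param($Expected, $NetBios)
        foreach ($local in $Expected.Keys) {
            $members = (Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue).Name
            foreach ($dg in $Expected[$local]) {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    LocalGroup  = $local
                    DomainGroup = $dg
                    Present     = [bool]($members -contains "$NetBios\$dg")
                }
            }
        }
    }
}

# Usage: report every server in the hierarchy where the GPO has not (yet) produced the mapping
Get-ADComputer -SearchBase $ServersOU -Filter * |
    ForEach-Object { Test-Tier1LocalGroups -ComputerName $_.Name } |
    Where-Object { -not $_.Present }
```

The audit in step 4 is the check worth running after the GPO is linked: a row with Present = False on a server that has processed the GPO means either the Restricted Groups setting is missing for that local group or a later policy is overriding it. Because the delegation ACEs are bound to the computer class and set to inherit, any sub-OU created later under the Servers root (for example per application or per service) receives the same two-group delegation without further changes.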