
Benefits of Joining the Stanford Windows Infrastructure
Joining the central Windows Active Directory infrastructure provides a number of significant benefits. Membership in the central forest gives local groups the benefits of integration with many of Stanford’s other systems, and it also leaves them with considerable autonomy in their local domain. While some of the work local administrators do (such as account creation, deletion, and password changes) will be assumed by the ITSS SUNet account process, all of the local administration of resources will remain with them.
The benefits listed below come in two types—those services and features that will only be available to members of the central forest, and those services and features that local IT groups will still have the autonomy to provide even as members of the central forest. As local groups evaluate whether to join the central forest or not, they should be aware of the functionality that they will gain as part of the central forest. They should also weigh any unique requirements they might have that won’t be met by the central forest in the context of all the functionality and local autonomy that they will be gaining.
The following captures some of the near- and long-term benefits of the Windows Active Directory infrastructure. Items marked with an asterisk (*) are available only to those who join the central forest. Items marked with a cross (†) are services and features that local groups within the Windows Active Directory forest will still have the autonomy to offer/implement. This is not in any way an exhaustive list of capabilities.
In keeping with its mission, ITSS built a Windows forest that interoperates with other pieces of Stanford’s IT environment. Services such as authentication, directory, and name resolution are all integrated with the existing Stanford infrastructure. This makes it simpler for any Stanford user to join their computer to the infrastructure, log in, and take advantage of Windows functionality.
Client departments have no Domain Controllers or duplicated infrastructure to purchase and manage (unless a child domain is required, in which case Domain Controllers must be purchased). DNS, directory replication, and Domain Controllers are managed and backed up by ITSS. ITSS provides a high-availability environment for its servers, with generator-backup UPS, RAID storage, climate control, and multiple locations. This environment is monitored 24 hours a day, ensuring that domain controllers in the ITSS infrastructure are always available. ITSS also provides a physically secure environment for domain controllers, relieving administrators of the responsibility to conduct security audits in this area.
The savings in asset costs, together with the reduced support personnel overhead, can be significant.
Log in once, and PC-Leland makes sure the University's Windows and non-Windows-based services know who you are. This lets users access their University email, connect to websites that have webauth protection, and use other Stanford services without having to log in again.
Windows Active Directory uses Kerberos for authentication. Kerberos protects your password. In addition, it will be possible to apply best practices and security templates across the Windows infrastructure to make it more secure. The Windows Systems Group also has a set of scripts that it runs on domain controllers to help evaluate security. The campus Security Office and this group will be closely monitoring for potential break-ins.
Single Sign On account creation, deletion, and password reset will be managed through the SUNet account creation process. All Single Sign On accounts will be created in this manner. Password synchronization across all Single Sign On resources will be handled centrally. Local Administrators will still have full autonomy over local resources but will be relieved of the repetitive nature of account creation.
All groups that exist or are created in the Campus Registry will automatically become Windows Active Directory security groups. Changes to a person’s departmental affiliation are automatically reflected in the Windows Infrastructure.
Local Administrators can create policies for users or computers, which automatically configure common settings for security, software, user interface, and document management.
This feature allows local administrators to publish applications automatically to their users' desktops.
This lets you point any local directory on your computer at a remote server. People who regularly use more than one computer find this feature useful because it makes their files easily accessible, no matter which computer they're working on. It also makes it easier for your department to back up your files (because they are on a server, not your computer).
Delegate administration locally to support account management tasks.
ITSS will work with you to help ensure a successful migration. Many administrative tools, procedures and templates have already been created to assist you in moving your current Domain/Workgroup into the Windows Infrastructure. ITSS will share knowledge and experience from their own rollout project.
Share Windows files, printers, or applications securely with any other person in the Stanford Windows Infrastructure. Local Administrators define who has access to the resources they share. Resource sharing is currently possible, but it requires either setting up an account local to the local domain or machine (meaning the person has another userid and password) or having the local administrator create a domain trust, neither of which is an elegant solution.
With a centralized infrastructure, users will be able to use their account to log in to any machine participating in the infrastructure. Practically speaking, many Administrators will restrict the login rights locally, but public workstations such as those in the libraries, labs, and elsewhere would benefit from this service.
There are a number of other services being evaluated by ITSS -- such as Microsoft Exchange email service, monitoring tools and security (such as distribution of Security templates) -- that work in conjunction with the Windows Active Directory Infrastructure and so can only be offered to people who join the Stanford Windows Infrastructure.
* = A benefit of joining the Central Windows Forest
† = A service members of the Central Forest can still offer to their local users autonomously
Created: December 04, 2002 by Tom Cramer. Last modified: September 22, 2004 by Ross Wilper. ©2004 Trustees of the Leland Stanford Junior University.