5.6 Managing Multiple Domains and Subtrees

When you manage multiple domains and subtrees, you can configure DRA to use different accounts to access and manage them. By default, DRA uses the Administration server service account to access managed domains and subtrees. Specifying access accounts, however, gives you finer control over security across your enterprise: using a separate access account for each managed domain or subtree, server, and workstation means that no single account needs enterprise-wide privileges. For more information about access accounts, such as permission requirements, see the Administrator Guide for Directory Resource Administrator and Exchange Administrator.

NOTE: The Administration server stores access account information locally. If you change the name or password of an access account, you must also update the account specification through the Delegation and Configuration console on each Administration server.

5.6.1 Access Accounts and Multiple Managed Domains

You can specify one or more access accounts to manage multiple domains. If you plan to use access accounts to manage multiple domains, consider the following guidelines:

  • Configure and specify one access account for each managed domain.

  • Do not use pass-through authentication when managing multiple domains in a native environment.

5.6.2 Access Accounts and Multiple Managed Subtrees

You can specify one or more access accounts to manage multiple subtrees. If you plan to manage multiple subtrees of the same domain, you can use the same access account to manage each subtree. However, if you are managing multiple subtrees from different domains, configure and specify one access account for each subtree.

To retrieve group and user account information from trusted domains, ensure the access account is a member of the Domain Users group in all trusted domains.

5.6.3 Access Accounts and Managed Computers

When specifying access accounts to manage specific member servers or workstations, consider the following guidelines:

  • To manage servers or workstations that are members of a managed domain, the access account must be a domain account. The access account cannot be a local server or workstation account.

  • To manage resources on a local computer, ensure the access account is a domain account from the managed domain.

5.6.4 Access Accounts from Trusted Domains

You can use an account from a trusted domain as the access account for a managed Microsoft Windows domain. This account requires the same permissions as an account from the managed domain would.

5.6.5 Access Accounts and Active Directory Replication

Whether you install the Administration server on a member server or on a domain controller, the access account definition must be replicated to all domain controllers before you can use the account to access another Administration server or a managed domain. You should force Active Directory replication in Microsoft Windows environments so that the new or changed account is available immediately rather than after the next scheduled replication cycle.
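The following PowerShell is an added example of the check described above; it is not part of the DRA guide or the product. It forces replication with repadmin, then queries every domain controller directly for the access account so that a DC that has not yet received the object is reported rather than silently skipped. The account name and domain are placeholders, and the script assumes the RSAT ActiveDirectory module and rights to trigger replication.

```powershell
# Added example (not DRA product code): force AD replication after creating or
# changing a DRA access account, then confirm every DC in the domain returns it.
# Assumptions: RSAT ActiveDirectory module installed; caller may run repadmin;
# $AccessAccount and $Domain are placeholders for your own values.
Import-Module ActiveDirectory

$AccessAccount = 'DRA-Access-Houston'   # placeholder sAMAccountName
$Domain        = 'houston.example.com'  # placeholder managed domain

# 1. Trigger a full synchronization of all naming contexts across every DC.
#    /A = all partitions, /d = identify servers by DN, /e = cross-site, /P = push.
repadmin /syncall /AdeP

# 2. Ask each DC individually (-Server) instead of letting the module choose one,
#    so a lagging DC surfaces as an error for that host.
$missing = @()
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    try {
        $null = Get-ADUser -Identity $AccessAccount -Server $dc.HostName -ErrorAction Stop
        Write-Host ("OK       {0}" -f $dc.HostName)
    }
    catch {
        Write-Warning ("MISSING  {0}" -f $dc.HostName)
        $missing += $dc.HostName
    }
}

# 3. Fail loudly if any DC still lacks the account; only proceed to configure the
#    access account in the Delegation and Configuration console once this passes.
if ($missing.Count -gt 0) {
    throw ("Access account '{0}' has not replicated to: {1}" -f $AccessAccount, ($missing -join ', '))
}
Write-Host ("Access account '{0}' is present on all domain controllers." -f $AccessAccount)
```

Run this once per managed domain after the account is created or its password is changed; the same -Server technique can be pointed at domain controllers in a trusted domain to confirm the account resolves there before you rely on it for cross-domain group membership.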

The Administration server updates information only on a domain controller in the managed domain. Therefore, if you want to access user accounts from trusted domains to manage group memberships, the access account must be a User (not a Guest) in each domain trusted by the managed domain.

5.6.6 How DRA Uses Access Accounts in Different Environments

If your environment contains several domains, subtrees, servers and workstations, DRA supports multiple access account scenarios. Consider the following example environment:

  • NewYork and Houston domains

  • Sales subtree in Houston domain

  • SmithJ server

  • ChildsJ workstation

The following table illustrates how DRA uses the specified access account or default Administration server service account, depending on how you manage this environment:

If you specify these accounts...             | And you manage...                              | DRA uses the following accounts...
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | Any domain, server, or workstation             | Administration server service account
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | Any subtree of a Microsoft Windows 2000 domain | Administration server service account
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | NewYork domain                                 | Administration server service account
Access account for the Houston domain        | Houston domain                                 | Access account specified for the Houston domain
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | NewYork domain                                 | Administration server service account
Access account for the Houston domain        | Sales subtree of the Houston domain            | Access account specified for the Houston domain
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | NewYork domain                                 | Administration server service account
Access account for the Houston domain        | Sales subtree of the Houston domain            | Access account specified for the Houston domain
                                             | Server or workstation in the Houston domain    | Access account specified for the Houston domain
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | NewYork domain                                 | Administration server service account
Access account for the Houston domain        | Sales subtree of the Houston domain            | Access account specified for the Houston domain
Access account for the SmithJ server         | Server SmithJ                                  | Access account specified for the SmithJ server
---------------------------------------------+------------------------------------------------+-----------------------------------------------------
Administration server service account        | Any domain                                     | Administration server service account
Access account for the ChildsJ workstation   | Workstation ChildsJ                            | Access account specified for the ChildsJ workstation

In every row, DRA falls back to the Administration server service account for any domain, subtree, server, or workstation that has no more specific access account, and uses the most specific account you defined (domain, then subtree, then individual computer) where one exists.