Enterprise Active Directory Forest (AD)

The Enterprise Active Directory Forest (AD) is open to all Johns Hopkins Institutions.  A delegated administrative model is in place which enables the IT departments to continue providing support for their customers, applications, and resources.  The user accounts in the directory are automatically provisioned and de-provisioned from the Johns Hopkins Enterprise Directory (JHED).  Password changes and expirations between AD and JHED are synchronized. 

Currently:

  • Over 40 IT groups participate,
  • More than 100,000 users are synchronized from JHED to AD, and
  • More than 22,000 workstations and servers participate.

User IDs in AD use the JHED ID (LID)

The format used to create a LID is as follows: the first character of the first name, then up to the last six characters of the last name, followed by a number. JHED IDs take the format jdoe112.

  • First Name: John
  • Last Name: Doe
  • JHED ID = Jdoe112

AD passwords follow the Institutional Password Policy:

  • minimum 8 characters
  • 2 non-alpha characters
  • no password reuse for 4 password cycles
  • maximum password age of 180 days
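The four policy rules above, applied to a proposed password change, as an added example that is not part of the original page or of the JHED/AD synchronization code. The history is held as hashes (a stand-in for the hashed history a directory actually keeps) and the ordering "most recent first" is an assumption of this example.

```python
from datetime import date, timedelta
from hashlib import sha256

# Institutional Password Policy values as stated on the page.
MIN_LENGTH = 8
MIN_NON_ALPHA = 2
HISTORY_DEPTH = 4      # no reuse for 4 password cycles
MAX_AGE_DAYS = 180     # maximum password age


def fingerprint(password: str) -> str:
    """Stand-in for a stored history hash; a real directory keeps hashes, not plaintext."""
    return sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means it is acceptable.

    `history` holds fingerprints of previous passwords, most recent first (assumed here).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    non_alpha = sum(1 for ch in candidate if not ch.isalpha())
    if non_alpha < MIN_NON_ALPHA:
        problems.append(f"fewer than {MIN_NON_ALPHA} non-alpha characters")
    # Only the last HISTORY_DEPTH passwords are blocked from reuse.
    if fingerprint(candidate) in history[:HISTORY_DEPTH]:
        problems.append(f"reused within the last {HISTORY_DEPTH} password cycles")
    return problems


def expiry_date(last_set: date) -> date:
    """Date on which a password set on `last_set` reaches the maximum age."""
    return last_set + timedelta(days=MAX_AGE_DAYS)


def is_expired(last_set: date, today: date) -> bool:
    return today >= expiry_date(last_set)


if __name__ == "__main__":
    # Constructed sample: a user whose previous password is still in the history window.
    previous = [fingerprint("Winter2024!x")]
    print(check_password("Winter2024!x", previous))   # reuse violation
    print(check_password("hopkinsadmin", previous))   # too few non-alpha characters
    print(expiry_date(date(2024, 1, 1)))              # 2024-06-29
```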

What is needed to participate?

Typically, IT organizations have a Windows NT4 Domain or a Windows Active Directory Forest. Since user objects are automatically synchronized from JHED into AD, almost all of your user objects are already in AD. A migration of the workstations and servers is required.

Where can I get more information?

The Enterprise Services Group holds a monthly meeting on the second Wednesday of the month from 11 am until noon. Conference rooms are reserved on the East Baltimore Campus and the Mount Washington Campus. Phone and video conferencing are available. You can e-mail the Active Directory Support Team at ad@jhmi.edu.

Design

The Windows 2003 Enterprise Active Directory design follows Microsoft recommended best practices.  The basic design contains a three domain structure:

  • AD.JHU.EDU - dedicated empty forest root
  • WIN.AD.JHU.EDU - “working” Domain
  • RESOURCE.AD.JHU.EDU - resource Domain

AD.JHU.EDU is the first domain created in the forest; it does not contain user or computer objects.

WIN.AD.JHU.EDU is located directly below the Dedicated Forest Root Domain (AD.JHU.EDU).  It is used to store all user objects in a single, flat People Organizational Unit (OU). 

RESOURCE.AD.JHU.EDU is located directly below the Dedicated Forest Root (AD.JHU.EDU).  This domain was originally implemented for legacy systems, and will be retired.

History of Enterprise Active Directory at Johns Hopkins

In January 2001 the Institutional Computing Standards Committee (ICSC) Windows 2000 sub-committee decided to initiate a centrally managed Enterprise Single AD site at Johns Hopkins. In March 2001 the sub-committee determined the basic design principles for the AD site: a flat structure, using a “people” container. This design would aid future Directory Integration projects with the Identity Management system provided by the Enterprise Group, called Johns Hopkins Enterprise Directory or JHED.

Funding for the initial Active Directory site was obtained from Network and Telecommunications Services in April 2001.  The initial proposal for funding was designed to support up to 20,000 users across Homewood Campus, Bayview Campus, and East Baltimore Campus.

In June 2001, with the assistance from Microsoft Active Directory Support Engineers, additional changes were made to the Active Directory design.  The AD site currently exists in that design.

Contact Information

E-Mail the Active Directory Team for more information at ad@jhmi.edu or contact
Andy Baldwin at (410) 735-4268 or e-mail at andrew.baldwin@jhu.edu
