Active Directory

DCA Service Request Forms

Please use this migration request form when one or more users are going to move from one domain to another.

Active Directory (AD) is a directory service that holds user accounts, computer accounts and groups, and stores security information for those objects. The servers that store the directory information and respond to authentication and directory lookup requests are called domain controllers. Global Catalog servers are special directory servers that contain a subset of information for every object in the forest.

Active Directory Services

Network Engineering maintains the forest root for the AD forest. In addition, Network Engineering is responsible for the following:

  • Schema: The schema controls how objects are defined in AD. Occasionally, it is necessary to make additions to the schema. All such changes are handled by Network Engineering. Schema changes will be thoroughly tested before being implemented, and domain administrators will be notified of the changes and the reasons for making them.
  • DNS for AD: Network Engineering maintains AD service records in DNS for the forest and other AD forests on campus.
  • Replication: Network Engineering monitors communications between domains and will contact departments running their own domain controllers if problems are discovered. Departments should contact Network Engineering when they are experiencing problems so that we can help resolve them.
  • New domains: Any department wishing to add a new domain to our AD forest should submit an Active Directory Account Migration Request. We will only consider requests that meet the requirements outlined below.

Note: If circumstances arise which affect the overall health of the Active Directory forest and Network Engineering cannot reach the DCA responsible for a system, Network Engineering may log in to Domain Controllers and make necessary changes; we will notify DCAs immediately afterward in such cases.

Requirements For Adding a New Domain to the Forest

In order to keep our AD forest as robust and reliable as possible, and to decrease replication traffic, we would like to minimize the number of domains in the forest. Network Engineering will only consider requests for new domains when the following are true:

  • The department has at least two full-time, qualified IT staff.
  • Adequate hardware has been dedicated for at least 2 Domain Controllers.
  • Domain controllers will be monitored 24x7, and IT staff can be reached by Network Engineering in the event of an emergency.
  • The department has specific functionality requirements that cannot be met by an OU in an existing domain, such as FS_Mail.

FS_Mail Domain

Information Services provides access to the FS_Mail domain for groups who wish to use Microsoft Exchange but do not maintain their own Active Directory domain. There is no charge for FS_Mail accounts. Each department has access to their own Organizational Unit (OU), and permissions are delegated to the Departmental Computing Administrator (DCA).

FS_Mail Domain Benefits

  • Free: There is no fee for an OU in the FS_Mail domain or for accounts created there.
  • Delegated Permissions: The DCA has complete control in the OU, and can create objects, delegate permissions, set group policy, etc.
  • Redundancy: There are two domain controllers in the FS_Mail domain, housed in separate locations and backed up by UPS power.
  • Maintenance: Three full-time staff maintain the domain controllers and keep them up-to-date with the latest security patches.
  • Production Standards: The FS_Mail domain controllers are monitored 24x7, and any outage that may affect customers is scheduled only within a maintenance window.
  • Support: Network Engineering does not provide desktop support for users of the FS_Mail domain, but we will provide some assistance to DCAs. Departments that are interested in full desktop support should contact Community Network.

Requirements For Using an FS_Mail Domain

  • DCA: Each department wishing to create accounts in the FS_Mail domain must have a DCA to perform this task and to be the point of contact for Network Engineering staff. Departments that do not have a DCA should talk to Community Network.
  • Licensing: Network Engineering will purchase client access licenses for departments that are not part of the Microsoft Campus License Agreement, but it is up to each department to pay for Windows and Office licenses at the desktop.

Services Not Provided With FS_Mail

  • Desktop Support: Network Engineering will consult with DCAs but we do not provide desktop support.
  • Email: Exchange Email is a separate service which does have a fee - read the Exchange documentation for more information.
  • Server Support: Network Engineering will charge a fee to provide support of departmental servers.

Departments interested in using the FS_Mail domain should contact us.

LDAP Connections to the Exchange Global Address List

There are currently two directories on campus:

  • The OSU Online Directory
  • The Exchange Global Address Book

These two directories contain much of the same information, but they are not identical.

The OSU Online Directory currently contains records for everyone that has an ONID account (anyone officially associated with OSU). The OSU Online Directory is meant to be public and gets information from OSU's student and human resources system (Banner). Because the information in the Online Directory comes straight from Banner, it is generally very accurate.

The Exchange Global Address Book is a private directory visible only by people with accounts in OSU's Active Directory forest (Exchange users and all ONID users). It contains all the information from the OSU Online Directory (because ONID accounts are listed in it as well), plus a large number of Exchange accounts. All of the non-ONID information in Exchange is manually entered in a somewhat inconsistent way. This means that sometimes it is more accurate and sometimes it is less accurate than the Online Directory.

We are doing our best to bring these two directories closer together over time.

Configuring Your Email Client to Use the OSU Online Directory

This directory requires no authentication, and is very easy to configure. See the ONID documentation for more information.

Configuring Your Email Client to View the Exchange Global Address Book

If you are using Outlook in MAPI mode (this is how most users on campus use Outlook), you can automatically view the Global Address Book by clicking on the Address Book icon. There is no special configuration required.

If you are using a different email client, or Outlook in POP or IMAP mode, you will need to add the Global Address Book as an LDAP server in your client's settings. Please note the following caveats if you choose to use this directory via LDAP:

  • When accessing the Global Address Book via LDAP, you will not see the exact same information that Outlook users see. For example, you will see hidden objects that don't normally show up in the Outlook address book.
  • You can only connect to the Global Address Book via LDAP if you have an Active Directory account - authentication is required.
  • The LDAP server does not currently support secure communications, so your username and password will be passed in plain text. Consider using the VPN if you will be accessing the Global Address Book via LDAP from off campus.

To add the GAL to your Outlook 2007/2003 client, first open the Control Panel. Double-click the Mail icon, click Show Profiles, and select the profile you want to add the GAL to. With that profile selected, click Properties, then E-mail Accounts, then the Address Book tab, then New, then LDAP, and enter the information below.

The settings needed to connect to the Global Address Book are as follows:

  • LDAP Server Name:
  • User Name: domain\username
  • Password: your password
  • Port: 3268
  • Search Base: leave blank

Where "domain\username" is an Active Directory domain and username.

Having trouble? Try setting your search base to dc=oregonstate,dc=edu
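The following is an added example, not code from the OSU page or its IT staff: a small stdlib-only Python helper that validates the settings listed above, flags that a simple bind on port 3268 sends the password in the clear (3269 is the TLS port for the Global Catalog), and evaluates an address-book filter offline to show why raw LDAP returns objects Outlook hides. The entries and addresses are constructed; msExchHideFromAddressLists is the Exchange attribute that marks an object hidden from address lists.

```python
# Added example (not from the OSU page): validate the GAL-over-LDAP settings above
# and evaluate an address-book filter offline. Sample entries are constructed.
GC_PORT, GC_TLS_PORT = 3268, 3269      # Global Catalog in the clear / over TLS
SEARCH_BASE = "dc=oregonstate,dc=edu"   # fallback search base from the page
# Outlook's view: mail-enabled objects not hidden (msExchHideFromAddressLists is the Exchange flag)
GAL_FILTER = "(&(mail=*)(!(msExchHideFromAddressLists=TRUE)))"

def check_settings(user, port=GC_PORT, search_base=""):
    """Validate 'domain\\username' and say whether the bind exposes the password."""
    domain, _, name = user.partition("\\")
    if not domain or not name or "\\" in name:
        raise ValueError("user must be in domain\\username form")
    return {"domain": domain, "user": name, "base": search_base or SEARCH_BASE,
            # only the TLS port protects the simple bind; 3268 sends it in clear text
            "plaintext_bind": port != GC_TLS_PORT}

def _parse(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here: &, !, =, =*."""
    if s[i + 1] in "&!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def matches(entry, node):
    """Evaluate a parsed filter; entry is {attribute: [values]} as an LDAP client sees it."""
    if node[0] == "&":
        return all(matches(entry, kid) for kid in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    vals = [str(v).lower() for v in entry.get(attr, [])]   # AD string matching is case-insensitive
    return bool(vals) if value == "*" else value.lower() in vals

def gal_search(entries, filt=GAL_FILTER):
    """Return the cn of each entry the filter would return from the Global Catalog."""
    tree, _ = _parse(filt)
    return [e["cn"][0] for e in entries if matches(e, tree)]

SAMPLE_GAL = [   # constructed, not real OSU directory data
    {"cn": ["Jane Doe"], "mail": ["jane.doe@example.edu"]},
    {"cn": ["Room 101"], "mail": ["room101@example.edu"],
     "msExchHideFromAddressLists": ["TRUE"]},       # hidden in Outlook, visible via raw LDAP
    {"cn": ["svc-backup"]},                          # no mailbox, never in the GAL
]
```

Running gal_search(SAMPLE_GAL) with the plain filter "(mail=*)" instead of GAL_FILTER returns Room 101 as well, which is the "hidden objects" difference the caveats above describe.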