Windows Domains
The University IT operates a central Windows domain for the university (ad.uni-mannheim.de). The domain is synchronized via the MyUni-ID website of the University IT.
With the Windows domain, all tasks associated with the administration of Uni-IDs are delegated to the domain and handled there automatically. The greater the number of workstations at which different people log on, the more advantageous the Windows domain becomes, because the Uni-IDs no longer have to be entered on each individual computer. Every person registered in the domain can log on.
On the one hand, this is interesting for institutions that operate a large number of computers and want to standardize and automate user administration. On the other hand, it is also worthwhile for computers on which central resources, such as the central file service, are used.
In addition, membership in the domain facilitates the organization of a computer network at a chair with regard to user authorizations for private or central IT resources, because these can be managed with relatively little effort using group authorizations in Active Directory (the Windows directory service).
If a larger number of workplaces are to be integrated into the domain, it is appropriate to set up an organizational unit (OU), which requires comprehensive planning.
Information about domain membership
Dependency
Membership in the domain inevitably creates a dependency on functioning domain controllers. Since account authentication is no longer performed locally but by the domain, domain controllers that run smoothly and are available around the clock are vital to operating a Windows domain.
To limit the effects of this dependency, the technical infrastructure for operating the domain controllers has been built with as much redundancy as possible. Because it remains possible to log on locally at any workstation, the consequences of this dependency are limited even in the event of a total domain failure. In any case, no such total failure has occurred since the domain was established in 2002.
Domain administration
A domain is a technical means of organizing an extensive network of computers. An essential feature of such a network is its central manageability, which is reflected in uniform user administration. Central administration, however, requires an actor who holds appropriate administrative rights on all participating systems. By Windows default, domain admins therefore have administrative rights on every computer that is a member of the domain.
The local admin can, however, revoke this right from the domain admins and thereby shield the computer from external control. In principle, the domain admin nevertheless has the means to undo such a lock.
In practice, the far-reaching rights of the domain administrator are not used at the University of Mannheim, because administering the workstations within the university is not the task of University IT. It is in the interest of University IT to restrict the domain administrator's access to the technically necessary minimum, since this increases the security of the workstations and improves protection against unintended side effects of central actions. If the scripts provided by University IT are used to join computers to the domain, the domain administrators' administrative rights on the workstations are revoked automatically.
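As an added example (not the script provided by University IT), the following PowerShell audits the local Administrators group of a domain-joined workstation and, on request, removes the domain's "Domain Admins" group from it, which is the default member Windows adds at domain join. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, run from an elevated prompt; the group name is a parameter because the page does not state which group the University IT scripts remove.

```powershell
<#
  Added example, not University IT code. Lists domain principals that hold
  local administrative rights and optionally removes one domain group from
  the local Administrators group. Run with -WhatIf first to preview.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domain group to remove; "Domain Admins" is the Windows default member
    # added to local Administrators when a computer joins the domain.
    [string]$DomainGroup = 'Domain Admins'
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$env:COMPUTERNAME is not a domain member; nothing to audit."
}

# All members of the local Administrators group, local and domain alike.
$members = Get-LocalGroupMember -Group 'Administrators'

# Report every member that comes from Active Directory rather than the
# local SAM database, so a local admin can see who has rights from outside.
Write-Host "Domain principals in local Administrators on $env:COMPUTERNAME ($($cs.Domain)):"
$members | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    ForEach-Object { Write-Host ('  {0} ({1})' -f $_.Name, $_.ObjectClass) }

# Member names use the NetBIOS form "DOMAIN\Group"; match on the group part.
$target = $members | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and
    $_.ObjectClass -eq 'Group' -and
    ($_.Name -split '\\')[-1] -eq $DomainGroup
}

if (-not $target) {
    Write-Host "$DomainGroup is not in local Administrators; nothing to do."
    return
}

# ShouldProcess honours -WhatIf and -Confirm before the change is applied.
if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME\Administrators", "Remove $($target.Name)")) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $target.Name
    Write-Host "Removed $($target.Name); local administrator accounts are unaffected."
}
```

Because a domain-side policy can add the group back, as the text notes, this should be done in agreement with University IT rather than relied on alone.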