In most cases, you design a basic zone structure as part of the deployment process. After the initial deployment, you can create new hierarchical zones any time you have new administrative boundaries. For example, if you acquire another organization, add offices that are managed by a different group, or restructure the organization along different functional lines, you are likely to need new zones.
You can create as many parent zones as you need. You must create at least one new zone before you begin adding Linux and UNIX computers to the Active Directory domain, unless you are joining those computers with the --workstation option, which joins them in workstation mode without placing them in a zone.
What to do before creating a new parent zone
Before you can create parent zones, you must have installed Access Manager and run the Setup Wizard. You should also have a basic zone design that describes how you are organizing information, for example, whether you are using one top-level parent zone or more than one parent zone. You should also decide whether to create the new zone in the default Zones container object or in another container or organizational unit within Active Directory. There are no other prerequisites for performing this task.
Rights required for this task
Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new zones, your user account must be a domain user with the following permissions:
| Select this target object | To apply these permissions |
|---|---|
| Parent container for new zones, for example: | On the Object tab, select Allow to apply the following permission to this object and all child objects: |
| Parent container for Computers in the zone | On the Object tab, select Allow to apply the following permission to this object only: |

Note: Both permissions on the parent container for new zones are required if you want to allow zones to be created as either container objects or organizational unit objects.
Note: If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.
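The following script is an added example and is not part of the Centrify documentation or product. Before running the Create New Zone wizard, it lists the Allow ACEs on a parent container that grant Create Child rights to an account, either directly or through any of its groups, resolves each ACE's object class so you can see whether it covers container objects, organizational unit objects, or all child classes, and shows whether the ACE is inherited by child objects. The container DN and account name are placeholders you must replace; everything else uses standard .NET System.DirectoryServices calls and runs on a domain-joined Windows host without any Centrify module.

```powershell
# Added example, not taken from the Centrify guide: report which Allow ACEs on a
# parent container give an account Create Child rights, and for which classes.
# The DN and account below are assumed placeholders; replace them for your forest.
param(
    [string]$ContainerDN = "CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com",  # assumed DN
    [string]$Account     = "EXAMPLE\zoneadmin"                                       # assumed account
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the account to its SID and collect the SIDs of every group it belongs to.
# tokenGroups is the flattened (nested) membership computed by the domain controller.
$userSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$userEntry = [ADSI]"LDAP://<SID=$($userSid.Value)>"
$userEntry.RefreshCache(@("tokenGroups"))
$principalSids = @($userSid.Value, "S-1-1-0", "S-1-5-11")   # self, Everyone, Authenticated Users
foreach ($bytes in $userEntry.Properties["tokenGroups"]) {
    $principalSids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# Map an ACE's schemaIDGUID back to the class name it restricts the right to.
$schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext
function Resolve-SchemaClass([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return "(all child classes)" }
    $escaped  = ($Guid.ToByteArray() | ForEach-Object { "\" + $_.ToString("x2") }) -join ""
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNC", "(schemaIDGUID=$escaped)", @("lDAPDisplayName"))
    $hit = $searcher.FindOne()
    if ($hit) { return [string]$hit.Properties["ldapdisplayname"][0] } else { return $Guid.ToString() }
}

# Read the container's DACL, including inherited entries, keyed by SID.
$container = [ADSI]"LDAP://$ContainerDN"
$rules = $container.ObjectSecurity.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$grants = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne "Allow") { continue }
    if (-not ($rule.ActiveDirectoryRights -band $createChild)) { continue }
    if ($principalSids -notcontains $rule.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Principal   = $rule.IdentityReference.Value
        ChildClass  = Resolve-SchemaClass $rule.ObjectType
        # None = "this object only"; All = "this object and all child objects"
        Inheritance = $rule.InheritanceType
    }
}

$grants | Format-Table -AutoSize

# The wizard creates the zone as either a container or an organizationalUnit under
# $ContainerDN, so report whether each of those classes is covered by some ACE.
foreach ($class in "container", "organizationalUnit") {
    $covered = $grants | Where-Object { $_.ChildClass -in $class, "(all child classes)" }
    "{0,-18} create rights: {1}" -f $class, $(if ($covered) { "granted" } else { "MISSING" })
}
```

Run it as any domain user with read access to the container's security descriptor; an entry whose Inheritance column reads None applies to this object only, which is what the Computers parent container needs, while the parent container for new zones should show entries that are inherited by child objects. The script checks the directory DACL only; it does not verify the authorization store, rights, roles, or role assignment permissions mentioned in the note above.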
Who should perform this task
Depending on your organization's policies, a Windows domain administrator typically performs this task. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.
How often you should perform this task
After you are fully deployed, you create new zones infrequently to address changes to your organization.
Steps for completing this task
The following instructions illustrate how to create a new parent zone using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.
To create a new parent zone using Access Manager:
- Open Access Manager.
- Select Zones, right-click, then click Create New Zone.
- Type the zone name and, optionally, a longer description of the zone.
- In most cases, you should use the default parent container and container type that you created when you configured the Active Directory forest and use the default zone type, which creates the new parent zone as a hierarchical zone, then click Next.
  The only reasons for changing the default settings would be if you want to:
  - Create a zone in a new location to separate administrative activity for different groups of administrators.
  - Create a zone as an organizational unit because you want to assign a Group Policy Object to the zone.
  - Create a classic or SFU zone to support legacy Centrify Agents or to store data using the Microsoft Services for UNIX schema.
  For additional information about any field in the new zone wizard, you can press F1 to view the context-sensitive help.
- Review information about the zone you are creating, then click Finish.
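The following script is an added example, not code from the Centrify guide, showing the scripted equivalent of the wizard steps above using the Access Module for Windows PowerShell: it creates a hierarchical parent zone by name in a chosen container and then reads it back. The module name, the New-CdmZone and Get-CdmZone cmdlet names, and their -Container, -Name, -Description and -Type parameters are assumed from the module's documentation and should be confirmed with Get-Help before use; the container DN and zone name are placeholders.

```powershell
# Added example, not from the Centrify guide. Cmdlet and parameter names are assumed;
# confirm them with: Get-Help New-CdmZone -Full ; Get-Help Get-CdmZone -Full
Import-Module Centrify.DirectControl.PowerShell -ErrorAction Stop   # assumed module name

$zonesContainer = "CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com"  # assumed default Zones container
$zoneName       = "hq"                                                      # assumed zone name
$description    = "Headquarters parent zone"

# Both cmdlets must be present; fail early with a clear message otherwise.
foreach ($cmd in "New-CdmZone", "Get-CdmZone") {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) { throw "$cmd not found in the loaded module" }
}

# Avoid a half-built duplicate: zone names must be unique within the container.
$existing = Get-CdmZone -Container $zonesContainer -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $zoneName }
if ($existing) { throw "Zone '$zoneName' already exists under $zonesContainer" }

# Default zone type in the wizard is hierarchical; -Type is assumed to accept that value.
$zone = New-CdmZone -Container $zonesContainer -Name $zoneName `
                    -Description $description -Type Hierarchical

# Read the zone back so a silent failure in the cmdlet does not go unnoticed.
$check = Get-CdmZone -Container $zonesContainer | Where-Object { $_.Name -eq $zoneName }
if (-not $check) { throw "Zone '$zoneName' was not created" }
$check | Format-List Name, Description, Type
```

Run this as the account that will own the zone: as noted under rights required for this task, only the user who creates the zone has full control over it, so create it with the account you intend to use for delegation through the Zone Delegation Wizard rather than with a shared or temporary account.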
What to do next
After you create a new parent zone, you might want to create its child zones.
Where you can find additional information
If you want to learn more about the importance and benefits of using zones, see the following topics for additional information: