Creating a new parent zone

In most cases, you design a basic zone structure as part of the deployment process. After the initial deployment, you can create new hierarchical zones any time you have new administrative boundaries. For example, if you acquire another organization, add offices that are managed by a different group, or restructure the organization along different functional lines, you are likely to need new zones.

What to do before creating a new parent zone

Before you can create parent zones, you must have installed Access Manager and run the Setup Wizard. You should also have a basic zone design that describes how you are organizing information, for example, whether you are using one top-level parent zone or more than one parent zone. There are no other prerequisites for performing this task.

Rights required for this task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new zones, your user account must be a domain user with the following permissions:

Select this target object To apply these permissions

Parent container for new zones, for example:


On the Object tab, select Allow to apply the following permission to this object and all child objects:

  • Create Container Objects
  • Create Organizational Unit Objects

Note:   Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.

Parent container for Computers in the zone

On the Object tab, select Allow to apply the following permission to this object only:

  • Create group objects
  • Write Description property

Note:   If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.

Who should perform this task

A Windows domain administrator performs this task, depending on your organization’s policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.

How often you should perform this task

After you are fully deployed, you create new zones infrequently to address changes to your organization.

Steps for completing this task

The following instructions illustrate how to create a new parent zone using Access Manager. Examples of script that uses the Windows API are included in the Centrify Software Developer’s Kit or may be available in community forums on the Centrify website. For code examples using ADEdit, see the ADEdit Command Reference and Scripting Guide.

To create a new parent zone using Access Manager:

  1. Open the Access Manager console.

  2. In the console tree, select Zones and right-click, then click Create New Zone.

  3. Type the zone name and, optionally, a longer description of the zone.

    In most cases, you should use the default parent container and container type that you created when you configured the Active Directory forest, then click Next.

    For zones that include Windows computers, you should always use the default zone type, which creates the new zone as a hierarchical zone. For Windows computers, only hierarchical zones are supported. The only reasons for changing the default other settings would be if you want to:

    • Create a zone in a new location to separate administrative activity for different groups of administrators.
    • Create a zone as an organizational unit because you want to assign a Group Policy Object to the zone.
  4. In most cases, you'll want to leave the Skip permission delegation option deselected. If you select this option, the service does not set the security descriptor for the zone; you'll need to go in and set that attribute yourself. Some organizations prefer to set security descriptors manually. Security descriptors include security information such as the object owner, who has access rights to the object, and so forth.

  5. Review information about the zone you are creating, then click Finish.

What to do next

After you create a new parent zone, you might want to create its child zones.

Where you can find additional information

If you want to learn more about the importance and benefits of using zones, see the following topics for additional information: