In most cases, you design a basic zone structure as part of the deployment process. After the initial deployment, you can create new hierarchical zones any time you have new administrative boundaries. For example, if you acquire another organization, add offices that are managed by a different group, or restructure the organization along different functional lines, you are likely to need new zones.
What to do before creating a new parent zone
Before you can create parent zones, you must have installed Access Manager and run the Setup Wizard. You should also have a basic zone design that describes how you are organizing information, for example, whether you are using one top-level parent zone or more than one parent zone. There are no other prerequisites for performing this task.
Rights required for this task
Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. To create new zones, your user account must be a domain user with the following permissions:
|Select this target object||To apply these permissions|
Parent container for new zones, for example:
On the Object tab, select Allow to apply the following permission to this object and all child objects:
Note: Both permissions are required if you want to allow zones to be created as either container objects or organizational unit objects.
Parent container for Computers in the zone
On the Object tab, select Allow to apply the following permission to this object only:
Note: If the Active Directory administrator manually sets the permissions required to create zones, you should verify that the account also has permission to add an authorization store, define rights and roles, and manage role assignments.
Who should perform this task
A Windows domain administrator performs this task, depending on your organization’s policies. The user who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. In most organizations, this task is done using an account with domain administrator privileges.
How often you should perform this task
After you are fully deployed, you create new zones infrequently to address changes to your organization.
Steps for completing this task
The following instructions illustrate how to create a new parent zone using Access Manager. Examples of script that uses the Windows API are included in the Centrify Software Developer’s Kit or may be available in community forums on the Centrify website. For code examples using ADEdit, see the ADEdit Command Reference and Scripting Guide.
To create a new parent zone using Access Manager:
- Open the Access Manager console.
- In the console tree, select Zones and right-click, then click Create New Zone.
- Type the zone name and, optionally, a longer description of the zone.
In most cases, you should use the default parent container and container type that you created when you configured the Active Directory forest, then click Next.
For zones that include Windows computers, you should always use the default zone type, which creates the new zone as a hierarchical zone. For Windows computers, only hierarchical zones are supported. The only reasons for changing the default other settings would be if you want to:
- Create a zone in a new location to separate administrative activity for different groups of administrators.
- Create a zone as an organizational unit because you want to assign a Group Policy Object to the zone.
- Review information about the zone you are creating, then click Finish.
What to do next
After you create a new parent zone, you might want to create its child zones.
Where you can find additional information
If you want to learn more about the importance and benefits of using zones, see the following topics for additional information: